Hello Gerd,

+-- On Thu, 13 Dec 2018, Markus Armbruster wrote --+
| Gerd Hoffmann <kra...@redhat.com> writes:
| > Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
| > While being at it also add O_CLOEXEC.
| >
| > usb-mtp only handles regular files and directories and ignores
| > everything else, so users should not see a difference.
| >
| > Because qemu ignores symlinks carrying out an successfull symlink attack

  symlinks, carrying out a successful ...

| > requires swapping an existing file or directory below rootdir for a
| > symlink and winning the race against the inotify notification to qemu.
| >
| > Note that the impact of this bug is rather low when qemu is managed by
| > libvirt due to qemu running sandboxed, so there isn't much you can gain
| > access to that way.
| >
| > Fixes: CVE-2018-pjp-please-get-one
|
| Ah, looks like we've run out of numbers.

Heh..:) It's CVE-2018-16872. Thank you so much for the fix patch.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
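
The open pattern the quoted commit message describes, as an added example that is not part of this thread and is not QEMU's code: the helper name `open_entry_nofollow`, the `demo` function and the temporary directory layout are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not QEMU's code: open `name` below `dirfd` without
 * following a symlink in the final component (O_NOFOLLOW), without leaking
 * the fd across exec (O_CLOEXEC), accepting only regular files and dirs. */
int open_entry_nofollow(int dirfd, const char *name)
{
    struct stat st;
    /* O_NONBLOCK keeps open() from hanging on a FIFO planted in the tree. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return -1;                      /* Linux: ELOOP if name is a symlink */
    if (fstat(fd, &st) == 0 && (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)))
        return fd;
    close(fd);                          /* device, FIFO, socket: ignore it */
    errno = EINVAL;
    return -1;
}

/* Constructed demo tree: rootdir/a.txt plus rootdir/link -> a.txt.
 * Returns 0 when a.txt opens with FD_CLOEXEC and link is refused with ELOOP. */
int demo(void)
{
    char root[] = "/tmp/mtp-demo-XXXXXX";
    int rc = 0, fd, dirfd;
    if (!mkdtemp(root)) return 1;
    dirfd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    fd = openat(dirfd, "a.txt", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (dirfd < 0 || fd < 0 || symlinkat("a.txt", dirfd, "link") < 0) rc = 2;
    if (fd >= 0) close(fd);
    if (!rc) {
        fd = open_entry_nofollow(dirfd, "a.txt");
        if (fd < 0 || !(fcntl(fd, F_GETFD) & FD_CLOEXEC)) rc = 3;
        if (fd >= 0) close(fd);
        fd = open_entry_nofollow(dirfd, "link");
        if (!rc && (fd >= 0 || errno != ELOOP)) rc = 4;
        if (fd >= 0) close(fd);
    }
    unlinkat(dirfd, "link", 0); unlinkat(dirfd, "a.txt", 0);
    close(dirfd);
    rmdir(root);
    return rc;
}
int main(void) { return demo(); }
```

O_NOFOLLOW only rejects a symlink in the last path component, which is why the helper resolves names relative to an already-open directory descriptor instead of re-walking a full path string.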