qemu-devel

Re: [PATCH v2 0/2] QGA installer fixes


From: Philippe Mathieu-Daudé
Subject: Re: [PATCH v2 0/2] QGA installer fixes
Date: Tue, 21 Feb 2023 12:41:00 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0

On 21/2/23 12:21, Konstantin Kostiuk wrote:
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664

CVE Technical details: The cached installer for QEMU Guest Agent in c:\windows\installer
(https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs),
can be leveraged to begin a repair of the installation without validation
that the repair is being performed by an administrative user. The MSI repair
custom actions "RegisterCom" and "UnregisterCom" are not set for impersonation,
which allows the actions to occur as the SYSTEM account
(lines 137 and 145 of qemu-ga.wxs). The custom actions also leverage cmd.exe
to run qemu-ga.exe on lines 134 and 142, which causes an interactive command
shell to spawn even though the MSI is set to be non-interactive on line 53.

v1: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05661.html

Per https://lore.kernel.org/qemu-devel/CAA8xKjUQFBVgDVJ059FvGoSjkv+kZ5jB1gfMNz+ao-twH7FDRg@mail.gmail.com/:

Reported-by: Brian Wiltse <brian.wiltse@live.com>

v1 -> v2:
   Add explanation into commit messages

Thanks, much appreciated!

Konstantin Kostiuk (2):
   qga/win32: Remove change action from MSI installer
   qga/win32: Use rundll for VSS installation

  qga/installer/qemu-ga.wxs | 11 ++++++-----
  qga/vss-win32/install.cpp |  9 +++++++++
  qga/vss-win32/qga-vss.def |  2 ++
  3 files changed, 17 insertions(+), 5 deletions(-)

--
2.25.1
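
The pattern in the CVE details above (a custom action that runs without impersonation and launches its command through cmd.exe) can be checked for in WiX sources. The following is an added example, not code from the patch series or from QEMU; the WiX fragment is constructed and is not the real qemu-ga.wxs, and the function name and finding labels are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed WiX v3 fragment for illustration; NOT the real qemu-ga.wxs.
SAMPLE_WXS = """<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" Name="Example Agent" Version="1.0.0"
           Manufacturer="Example" Language="1033">
    <CustomAction Id="RegisterCom" Directory="INSTALLDIR"
        ExeCommand='cmd.exe /c "[INSTALLDIR]agent.exe" --register'
        Execute="deferred" Impersonate="no" Return="check"/>
    <CustomAction Id="ShowReadme" Directory="INSTALLDIR"
        ExeCommand='notepad.exe readme.txt' Execute="immediate"/>
    <CustomAction Id="RegisterDll" Directory="INSTALLDIR"
        ExeCommand='rundll32.exe "[INSTALLDIR]agent.dll",Register'
        Execute="deferred" Impersonate="no" Return="check"/>
  </Product>
</Wix>
"""

# Command interpreters that give an action a console window when launched.
SHELLS = ("cmd.exe", "powershell.exe")
# Execute values that are scheduled into the elevated installation script.
SCRIPTED = ("deferred", "commit", "rollback")


def audit_custom_actions(wxs_text):
    """Return {CustomAction Id: [labels]} for actions that need review."""
    findings = {}
    for el in ET.fromstring(wxs_text).iter():
        # Strip the XML namespace so both WiX v3 and v4 schemas match.
        if el.tag.rsplit("}", 1)[-1] != "CustomAction":
            continue
        labels = []
        # WiX defaults: Execute="immediate", Impersonate="yes".
        if (el.get("Execute", "immediate") in SCRIPTED
                and el.get("Impersonate", "yes") == "no"):
            labels.append("runs-as-system")
        command = el.get("ExeCommand", "").lower()
        if any(shell in command for shell in SHELLS):
            labels.append("spawns-shell")
        if labels:
            findings[el.get("Id")] = labels
    return findings


if __name__ == "__main__":
    for action_id, labels in audit_custom_actions(SAMPLE_WXS).items():
        print(action_id, ", ".join(labels))
```

An action carrying only "runs-as-system" is normal for service or COM registration in a per-machine install; the one carrying both labels is the combination the CVE text describes.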
