CVE-2018-16872
First published: Thu Dec 13 2018(Updated: )
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/qemu | 1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u7 1:9.1.2+ds-1 1:9.2.0+ds-2 | |
| QEMU | <=3.1.0 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Fedora | =29 | |
| Fedora | =30 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =18.10 | |
| SUSE Linux | =42.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00042.html
- http://www.securityfocus.com/bid/106212
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16872
- https://lists.debian.org/debian-lts-announce/2019/02/msg00041.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGCFIFSIWUREEQQOZDZFBYKWZHXCWBZN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJMTVGDLA654HNCDGLCUEIP36SNJEKK7/
- https://seclists.org/bugtraq/2019/May/76
- https://usn.ubuntu.com/3923-1/
- https://www.debian.org/security/2019/dsa-4454
- https://launchpad.net/bugs/cve/CVE-2018-16872
- https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
- https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35ce73d1c8e19a37e2737717ea1c984dc1
- https://security-tracker.debian.org/tracker/CVE-2018-16872
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16872
- https://nvd.nist.gov/vuln/detail/CVE-2018-16872
- https://ubuntu.com/security/CVE-2018-16872
Frequently Asked Questions
What is the severity of CVE-2018-16872?
CVE-2018-16872 is classified as a medium severity vulnerability.
How do I fix CVE-2018-16872?
To fix CVE-2018-16872, upgrade to the patched version of QEMU as specified in your distribution's security advisories.
Which software is affected by CVE-2018-16872?
CVE-2018-16872 affects multiple versions of QEMU running on various Linux distributions including Debian and Fedora.
What type of vulnerability is CVE-2018-16872?
CVE-2018-16872 is a flaw related to file handling in the Media Transfer Protocol implementation of QEMU.
Can CVE-2018-16872 lead to data loss?
Yes, CVE-2018-16872 may potentially lead to data loss due to improper file handling.
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/first-publish-date
- agent/description
- agent/event
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/debian
- vendor/qemu
- canonical/qemu
- version/qemu/3.1.0
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/29
- version/fedora/30
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/18.10
- vendor/opensuse
- canonical/suse linux
- version/suse linux/42.3