[Pkg-libvirt-commits] [libguestfs] 02/59: Add warnings about using guestfs_strings* APIs because of CVE-2014-8484 and CVE-2014-8485.

Hilko Bengen bengen at moszumanska.debian.org
Wed Nov 26 22:04:02 UTC 2014 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to branch master
in repository libguestfs.

commit ec58a97986e9e93bb45b314020ec33ddfced483f
Author: Richard W.M. Jones <rjones at redhat.com>
Date:   Mon Oct 27 17:44:54 2014 +0000

    Add warnings about using guestfs_strings* APIs because of CVE-2014-8484 and CVE-2014-8485.
    
    (cherry picked from commit 777e2175abe5d8ab6687d11d817827080ae6f7ff)
---
 generator/actions.ml | 12 ++++++++++--
 src/guestfs.pod      | 12 ++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/generator/actions.ml b/generator/actions.ml
index ed36951..ece3f88 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -5364,7 +5364,11 @@ The external L<cmp(1)> program is used for the comparison." };
     shortdesc = "print the printable strings in a file";
     longdesc = "\
 This runs the L<strings(1)> command on a file and returns
-the list of printable strings found." };
+the list of printable strings found.
+
+B<Use this API with caution.>  In particular, it's generally not
+a good idea to use it on untrusted files.  For more information
+see L<guestfs(3)/CVE-2014-8484>." };
 
   { defaults with
     name = "strings_e";
@@ -5419,7 +5423,11 @@ This is useful for examining binaries in Windows guests.
 
 =back
 
-The returned strings are transcoded to UTF-8." };
+The returned strings are transcoded to UTF-8.
+
+B<Use this API with caution.>  In particular, it's generally not
+a good idea to use it on untrusted files.  For more information
+see L<guestfs(3)/CVE-2014-8484>." };
 
   { defaults with
     name = "hexdump";
diff --git a/src/guestfs.pod b/src/guestfs.pod
index c9ac1fa..8d86014 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -2172,6 +2172,18 @@ sockets owned by another user's guestfish client or server.
 It is sufficient to update libguestfs to a version that is not
 vulnerable: libguestfs E<ge> 1.20.12, E<ge> 1.22.7 or E<ge> 1.24.
 
+=head2 CVE-2014-8484
+
+=head2 CVE-2014-8485
+
+These two bugs in binutils affect the GNU L<strings(1)> program, and
+thus the L</guestfs_strings> and L</guestfs_strings_e> APIs in
+libguestfs.  Running strings on an untrusted file could cause
+arbitrary code execution (confined to the libguestfs appliance).
+
+There are thought to be many similar bugs in binutils, so even if
+these two bugs are fixed, avoid using these two libguestfs APIs.
+
 =head1 CONNECTION MANAGEMENT
 
 =head2 guestfs_h *

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libguestfs.git

More information about the Pkg-libvirt-commits mailing list