[Pkg-libvirt-commits] [libguestfs] 02/59: Add warnings about using guestfs_strings* APIs because of CVE-2014-8484 and CVE-2014-8485.
Hilko Bengen
bengen at moszumanska.debian.org
Wed Nov 26 22:04:02 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch master
in repository libguestfs.
commit ec58a97986e9e93bb45b314020ec33ddfced483f
Author: Richard W.M. Jones <rjones at redhat.com>
Date: Mon Oct 27 17:44:54 2014 +0000
Add warnings about using guestfs_strings* APIs because of CVE-2014-8484 and CVE-2014-8485.
(cherry picked from commit 777e2175abe5d8ab6687d11d817827080ae6f7ff)
---
generator/actions.ml | 12 ++++++++++--
src/guestfs.pod | 12 ++++++++++++
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/generator/actions.ml b/generator/actions.ml
index ed36951..ece3f88 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -5364,7 +5364,11 @@ The external L<cmp(1)> program is used for the comparison." };
shortdesc = "print the printable strings in a file";
longdesc = "\
This runs the L<strings(1)> command on a file and returns
-the list of printable strings found." };
+the list of printable strings found.
+
+B<Use this API with caution.> In particular, it's generally not
+a good idea to use it on untrusted files. For more information
+see L<guestfs(3)/CVE-2014-8484>." };
{ defaults with
name = "strings_e";
@@ -5419,7 +5423,11 @@ This is useful for examining binaries in Windows guests.
=back
-The returned strings are transcoded to UTF-8." };
+The returned strings are transcoded to UTF-8.
+
+B<Use this API with caution.> In particular, it's generally not
+a good idea to use it on untrusted files. For more information
+see L<guestfs(3)/CVE-2014-8484>." };
{ defaults with
name = "hexdump";
diff --git a/src/guestfs.pod b/src/guestfs.pod
index c9ac1fa..8d86014 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -2172,6 +2172,18 @@ sockets owned by another user's guestfish client or server.
It is sufficient to update libguestfs to a version that is not
vulnerable: libguestfs E<ge> 1.20.12, E<ge> 1.22.7 or E<ge> 1.24.
+=head2 CVE-2014-8484
+
+=head2 CVE-2014-8485
+
+These two bugs in binutils affect the GNU L<strings(1)> program, and
+thus the L</guestfs_strings> and L</guestfs_strings_e> APIs in
+libguestfs. Running strings on an untrusted file could cause
+arbitrary code execution (confined to the libguestfs appliance).
+
+There are thought to be many similar bugs in binutils, so even if
+these two bugs are fixed, avoid using these two libguestfs APIs.
+
=head1 CONNECTION MANAGEMENT
=head2 guestfs_h *
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libguestfs.git
More information about the Pkg-libvirt-commits
mailing list