[Slirp] [PATCH v3] slirp: tftp: restrict relative path access

Peter Maydell peter.maydell at linaro.org
Mon Jan 20 10:36:37 UTC 2020


On Mon, 20 Jan 2020 at 07:40, P J P <ppandit at redhat.com> wrote:
>
> +-- On Fri, 17 Jan 2020, Peter Maydell wrote --+
> | That's because it's been marked "private" as a security bug (so you need lp
> | admin privileges to see it). Unfortunately LP has no mechanism for a project
> | to say "we don't take security bug reports through LP, disable private bug
> | reports", so there are a handful of them lurking in the system unseen
> | (because nobody checks there), of which this tftp bug was one. I just copied
> | the text out of the bug report and forwarded it to the security email list,
> | but have otherwise no relationship with it.
>
> Was it reported by Reno Robert? He also found a similar VirtualBox issue:
>   -> https://www.voidsecurity.in/2019/01/virtualbox-tftp-server-pxe-boot.html

Not directly; the reporter account is "jusunLee"
(https://launchpad.net/~asiagaming). On the other hand, that
LP user account was created on the 18th January just to
report that one bug on the 18th, which is the same date as
that voidsecurity blogpost, so it may have been somebody
who looked for the bug in QEMU's slirp based on the blogpost.

thanks
-- PMM

