[Slirp] [PATCH v3] slirp: tftp: restrict relative path access
Philippe Mathieu-Daudé
philmd at redhat.com
Mon Jan 20 11:01:08 UTC 2020
On 1/20/20 11:36 AM, Peter Maydell wrote:
> On Mon, 20 Jan 2020 at 07:40, P J P <ppandit at redhat.com> wrote:
>>
>> +-- On Fri, 17 Jan 2020, Peter Maydell wrote --+
>> | That's because it's been marked "private" as a security bug (so you need lp
>> | admin privileges to see it). Unfortunately LP has no mechanism for a project
>> | to say "we don't take security bug reports through LP, disable private bug
>> | reports", so there are a handful of them lurking in the system unseen
>> | (because nobody checks there), of which this tftp bug was one. I just copied
>> | the text out of the bug report and forwarded it to the security email list,
>> | but have otherwise no relationship with it.
>>
>> Was it reported by Reno Robert, who also found a similar VirtualBox issue?
>> -> https://www.voidsecurity.in/2019/01/virtualbox-tftp-server-pxe-boot.html
>
> Not directly; the reporter account is "jusunLee"
> (https://launchpad.net/~asiagaming). On the other hand, that
> LP user account was created on the 18th January just to
> report that one bug on the 18th, which is the same date as
> that voidsecurity blogpost, so it may have been somebody
> who looked for the bug in QEMU's slirp based on the blogpost.
Prasad, Jusun Lee's contact is listed on his GitHub:
https://github.com/vngkv123