CVE-2021-4207

Thanks for the report - we'll look into pulling it in asap!

the issue seems not too bad - IIUC - the guest can ... crash itself... by a privileged user inside it (and those can simply power it down anyways)

BelCloud said:
Does anyone know if this affects the default vga or virtio-gpu ?

Do I understand it correctly that it only affects if the graphic card is set to SPICE?
Click to expand...
IIUC it only affects VMs where the display is set to qxl/spice
 
FWIW, as some other smaller fixes where due to be released anyway we also included fixes for both CVE-2021-4207, and CVE-2021-4206 in the new pve-qemu-kvm version 6.2.0-6 available on the pvetest repository at time of writing.
 
  • Like
Reactions: Stoiko Ivanov and Moayad
Stoiko Ivanov said:
Thanks for the report - we'll look into pulling it in asap!

the issue seems not too bad - IIUC - the guest can ... crash itself... by a privileged user inside it (and those can simply power it down anyways)


IIUC it only affects VMs where the display is set to qxl/spice
Click to expand...
Thank you very much!

Doesn't "potentially execute arbitrary code within the context of the QEMU process" mean they could execute code on the host, as the qemu process runs as root?
 
BelCloud said:
Thank you very much!

Doesn't "potentially execute arbitrary code within the context of the QEMU process" mean they could execute code on the host, as the qemu process runs as root?
Click to expand...
I think they add such things for any heap overflow as over multiple edges it may become possible for most such things, but, that doesn't mean that it's trivial, or even known about how to actually do it for this specific case; at least I checked and didn't find anything slightly more specific in that direction.

Anyhow, it's definitively better to have those known hole plugged and be on the safe side.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back