resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (2 parts)

CVE Technical details:
The cached installer for QEMU Guest Agent in c:\windows\installer
(https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs)
can be leveraged to begin a repair of the installation without validation
that the repair is being performed by an administrative user. The MSI
repair custom actions "RegisterCom" and "UnregisterCom" are not set for
impersonation, which allows the actions to occur as the SYSTEM account
(lines 137 and 145 of qemu-ga.wxs). The custom action also leverages
cmd.exe to run qemu-ga.exe in lines 134 and 142, which causes an
interactive command shell to spawn even though the MSI is set to be
non-interactive on line 53.

Reported-by: Brian Wiltse <brian.wil...@live.com>

v2: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05979.html
v2 -> v3: Minor fix in commit messages

v1: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05661.html
v1 -> v2: Add explanation into commit messages

Konstantin Kostiuk (2):
  qga/win32: Remove change action from MSI installer
  qga/win32: Use rundll for VSS installation

 qga/installer/qemu-ga.wxs | 11 ++++++-----
 qga/vss-win32/install.cpp |  9 +++++++++
 qga/vss-win32/qga-vss.def |  2 ++
 3 files changed, 17 insertions(+), 5 deletions(-)

-- 
2.25.1
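As an added auditing example (not part of this patch series, of qemu-ga.wxs, or of the QEMU project), the following Python script parses a WiX installer source and flags the pattern described in the CVE details: CustomAction elements that run without impersonation (Impersonate="no", so they execute as the SYSTEM account) and that wrap their target executable in a command shell such as cmd.exe. It also reports whether the ARPNOMODIFY / ARPNOREPAIR properties are set, which control whether Add/Remove Programs exposes a Modify or Repair entry point. The embedded .wxs fragment, its product name and its action Ids are constructed for illustration and are not the real installer.

```python
"""Audit a WiX (.wxs) source for MSI custom actions that run as SYSTEM and
spawn a command shell. Added example; the sample below is constructed."""

import xml.etree.ElementTree as ET
from typing import Dict, List

WIX_NS = "http://schemas.microsoft.com/wix/2006/wi"
# Interpreters whose presence in ExeCommand means a shell is spawned rather
# than the target executable being run directly.
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Constructed sample (not the real qemu-ga.wxs): two deferred, non-impersonated
# actions, one of which goes through cmd.exe, plus one impersonated action.
SAMPLE_WXS = f"""<?xml version="1.0"?>
<Wix xmlns="{WIX_NS}">
  <Product Id="*" Name="Example Agent" Version="1.0.0" Language="1033"
           Manufacturer="Example" UpgradeCode="00000000-0000-0000-0000-000000000000">
    <Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
    <CustomAction Id="RegisterCom"
                  ExeCommand='cmd.exe /c "[INSTALLDIR]agent.exe" -s install'
                  Directory="INSTALLDIR" Execute="deferred"
                  Impersonate="no" Return="check" />
    <CustomAction Id="UnregisterCom"
                  ExeCommand='"[INSTALLDIR]agent.exe" -s uninstall'
                  Directory="INSTALLDIR" Execute="deferred"
                  Impersonate="no" Return="check" />
    <CustomAction Id="ShowReadme"
                  ExeCommand='notepad.exe "[INSTALLDIR]README.txt"'
                  Directory="INSTALLDIR" Execute="immediate"
                  Impersonate="yes" Return="asyncNoWait" />
  </Product>
</Wix>
"""


def audit_custom_actions(wxs_text: str) -> List[Dict]:
    """Return one finding per CustomAction that runs without impersonation.

    Each finding records whether the command is wrapped in a shell; a
    SYSTEM-level action that spawns cmd.exe is the highest-risk combination.
    """
    root = ET.fromstring(wxs_text)
    findings = []
    for ca in root.iter(f"{{{WIX_NS}}}CustomAction"):
        cmd = ca.get("ExeCommand", "")
        # WiX defaults Impersonate to "yes"; "no" maps to the MSI
        # msidbCustomActionTypeNoImpersonate flag (run as LocalSystem).
        impersonate = ca.get("Impersonate", "yes").strip().lower()
        if impersonate != "no":
            continue
        uses_shell = any(s in cmd.lower() for s in SHELLS)
        findings.append({
            "id": ca.get("Id"),
            "execute": ca.get("Execute"),
            "uses_shell": uses_shell,
            "command": cmd,
            "severity": "high" if uses_shell else "medium",
        })
    return findings


def arp_entry_points(wxs_text: str) -> Dict[str, bool]:
    """Report whether ARPNOMODIFY / ARPNOREPAIR are set to 1.

    These documented MSI properties remove the Modify and Repair buttons
    from Add/Remove Programs; their absence means both entry points are
    offered to any logged-on user.
    """
    root = ET.fromstring(wxs_text)
    result = {"ARPNOMODIFY": False, "ARPNOREPAIR": False}
    for prop in root.iter(f"{{{WIX_NS}}}Property"):
        pid = prop.get("Id", "")
        if pid in result and prop.get("Value", "").strip() == "1":
            result[pid] = True
    return result


if __name__ == "__main__":
    for f in audit_custom_actions(SAMPLE_WXS):
        print(f"[{f['severity']}] {f['id']} ({f['execute']}): "
              f"runs as SYSTEM, shell={f['uses_shell']}: {f['command']}")
    for name, present in arp_entry_points(SAMPLE_WXS).items():
        print(f"{name} set: {present}")
```

Run against a real .wxs by replacing SAMPLE_WXS with the file contents; the WiX v3 namespace is assumed, and the shell list only catches explicit interpreter names, so a target that is itself a script host would need adding.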