[v3,0/2] QGA installer fixes

Message ID	20230303192008.109549-1-kkostiuk@redhat.com (mailing list archive)
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: Konstantin Kostiuk <kkostiuk@redhat.com> To: qemu-devel@nongnu.org Cc: =?utf-8?q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com>, =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>, Bin Meng <bin.meng@windriver.com>, Stefan Weil <sw@weilnetz.de>, Yonggang Luo <luoyonggang@gmail.com>, Markus Armbruster <armbru@redhat.com>, =?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org>, Peter Maydell <peter.maydell@linaro.org>, Gerd Hoffmann <kraxel@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, Thomas Huth <thuth@redhat.com>, =?utf-8?q?Marc-Andr=C3=A9_Lureau?= <marcandre.lureau@redhat.com>, Michael Roth <michael.roth@amd.com>, Mauro Matteo Cascella <mcascell@redhat.com>, Yan Vugenfirer <yvugenfi@redhat.com>, Evgeny Iakovlev <eiakovlev@linux.microsoft.com>, Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>, Xuzhou Cheng <xuzhou.cheng@windriver.com>, brian.wiltse@live.com Subject: [PATCH v3 0/2] QGA installer fixes Date: Fri, 3 Mar 2023 21:20:06 +0200 Message-Id: <20230303192008.109549-1-kkostiuk@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=170.10.129.124; envelope-from=kkostiuk@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	QGA installer fixes \| expand [v3,0/2] QGA installer fixes [v3,1/2] qga/win32: Remove change action from MSI installer [v3,2/2] qga/win32: Use rundll for VSS installation

Message ID

20230303192008.109549-1-kkostiuk@redhat.com (mailing list archive)

Headers

From: Konstantin Kostiuk <kkostiuk@redhat.com>
To: qemu-devel@nongnu.org
Cc: =?utf-8?q?Daniel_P_=2E_Berrang=C3=A9?= <berrange@redhat.com>,
	=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Bin Meng <bin.meng@windriver.com>, Stefan Weil <sw@weilnetz.de>,
 Yonggang Luo <luoyonggang@gmail.com>, Markus Armbruster <armbru@redhat.com>,
	=?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org>,
 Peter Maydell <peter.maydell@linaro.org>, Gerd Hoffmann <kraxel@redhat.com>,
 "Michael S. Tsirkin" <mst@redhat.com>, Thomas Huth <thuth@redhat.com>,
	=?utf-8?q?Marc-Andr=C3=A9_Lureau?= <marcandre.lureau@redhat.com>,
 Michael Roth <michael.roth@amd.com>,
 Mauro Matteo Cascella <mcascell@redhat.com>,
 Yan Vugenfirer <yvugenfi@redhat.com>,
 Evgeny Iakovlev <eiakovlev@linux.microsoft.com>,
 Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>,
 Xuzhou Cheng <xuzhou.cheng@windriver.com>, brian.wiltse@live.com
Subject: [PATCH v3 0/2] QGA installer fixes
Date: Fri,  3 Mar 2023 21:20:06 +0200
Message-Id: <20230303192008.109549-1-kkostiuk@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=170.10.129.124;
 envelope-from=kkostiuk@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org

Series

QGA installer fixes | expand

Message

Konstantin Kostiuk March 3, 2023, 7:20 p.m. UTC

resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (2 parts)

CVE Technical details: The cached installer for QEMU Guest Agent in c:\windows\installer
(https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs),
can be leveraged to begin a repair of the installation without validation
that the repair is being performed by an administrative user. The MSI repair
custom action "RegisterCom" and "UnregisterCom" is not set for impersonation
which allows for the actions to occur as the SYSTEM account
(LINE 137 AND 145 of qemu-ga.wxs). The custom action also leverages cmd.exe
to run qemu-ga.exe in line 134 and 142 which causes an interactive command
shell to spawn even though the MSI is set to be non-interactive on line 53.

Reported-by: Brian Wiltse <brian.wiltse@live.com>

v2: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05979.html
v2 -> v3:
  Minor fix in commit messages

v1: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05661.html
v1 -> v2:
  Add explanation into commit messages

Konstantin Kostiuk (2):
  qga/win32: Remove change action from MSI installer
  qga/win32: Use rundll for VSS installation

 qga/installer/qemu-ga.wxs | 11 ++++++-----
 qga/vss-win32/install.cpp |  9 +++++++++
 qga/vss-win32/qga-vss.def |  2 ++
 3 files changed, 17 insertions(+), 5 deletions(-)

--
2.25.1