#1055174 qemu: CVE-2023-1386: 9pfs: not dropping SUID/SGID bits from local binaries can potentially lead to guest and/or host privilege escalation

Package:
src:qemu
Source:
src:qemu
Submitter:
Moritz Mühlenhoff
Date:
2025-10-21 10:01:03 UTC
Severity:
normal
Tags:
#1055174#5
Date:
2023-11-01 19:13:04 UTC
From:
To:
Hi,

The following vulnerability was published for qemu.

CVE-2023-1386[0]:
| A flaw was found in the 9p passthrough filesystem (9pfs)
| implementation in QEMU. When a local user in the guest writes an
| executable file with SUID or SGID, none of these privileged bits are
| correctly dropped. As a result, in rare circumstances, this flaw
| could be used by malicious users in the guest to elevate their
| privileges within the guest and help a host local user to elevate
| privileges on the host.

https://github.com/v9fs/linux/issues/29

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1386
https://www.cve.org/CVERecord?id=CVE-2023-1386

Please adjust the affected versions in the BTS as needed.