From dae2b79d153b043af8eb2abdd7ffacacb88811cd Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella
Date: Sun, 26 Mar 2023 14:59:09 +0200
Subject: [PATCH] qga/win32: Fix local privilege escalation issue (CVE-2023-0664)
Signed-off-by: Mauro Matteo Cascella
---
 ...qga-win32-local-privilege-escalation.patch | 129 ++++++++++++++++++
 qemu.spec | 7 +-
 2 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 0024-qga-win32-local-privilege-escalation.patch
diff --git a/0024-qga-win32-local-privilege-escalation.patch b/0024-qga-win32-local-privilege-escalation.patch
new file mode 100644
index 0000000..c3188c5
--- /dev/null
+++ b/0024-qga-win32-local-privilege-escalation.patch
@@ -0,0 +1,129 @@ +From f45ee21bebeda4fc1fdd2c359a8a5bfeb1fd4459 Mon Sep 17 00:00:00 2001 +From: Konstantin Kostiuk +Date: Fri, 3 Mar 2023 21:20:07 +0200 +Subject: [PATCH] qga/win32: Remove change action from MSI installer + +Remove the 'change' button from "Programs and Features" because it does +not checks if a user is an admin or not. The installer has no components +to choose from and always installs everything. So the 'change' button is +not obviously needed but can create a security issue. + +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +fixes: CVE-2023-0664 (part 1 of 2) + +Signed-off-by: Konstantin Kostiuk +Reviewed-by: Yan Vugenfirer +Reported-by: Brian Wiltse +--- + qga/installer/qemu-ga.wxs | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs +index 0950e8c6be..b62e709a4c 100644 +--- a/qga/installer/qemu-ga.wxs ++++ b/qga/installer/qemu-ga.wxs +@@ -58,6 +58,7 @@ + /> + + ++ + + +From 020caf0b49dbfef8bc9ec7f02c93c3d5097bb932 Mon Sep 17 00:00:00 2001 +From: Konstantin Kostiuk +Date: Fri, 3 Mar 2023 21:20:08 +0200 +Subject: [PATCH] qga/win32: Use rundll for VSS installation + +The custom action uses cmd.exe to run VSS Service installation +and removal which causes an interactive command shell to spawn. +This shell can be used to execute any commands as a SYSTEM user. +Even if call qemu-ga.exe directly the interactive command shell +will be spawned as qemu-ga.exe is a console application and used +by users from the console as well as a service. + +As VSS Service runs from DLL which contains the installer and +uninstaller code, it can be run directly by rundll32.exe without +any interactive command shell. + +Add specific entry points for rundll which is just a wrapper +for COMRegister/COMUnregister functions with proper arguments. 
+ +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +fixes: CVE-2023-0664 (part 2 of 2) + +Signed-off-by: Konstantin Kostiuk +Reviewed-by: Yan Vugenfirer +Reported-by: Brian Wiltse +--- + qga/installer/qemu-ga.wxs | 10 +++++----- + qga/vss-win32/install.cpp | 9 +++++++++ + qga/vss-win32/qga-vss.def | 2 ++ + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs +index b62e709a4c..11b66a22e6 100644 +--- a/qga/installer/qemu-ga.wxs ++++ b/qga/installer/qemu-ga.wxs +@@ -143,22 +143,22 @@ + + + +- ++ + + + + + + +diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp +index b57508fbe0..68662a6dfc 100644 +--- a/qga/vss-win32/install.cpp ++++ b/qga/vss-win32/install.cpp +@@ -357,6 +357,15 @@ out: + return hr; + } + ++STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int) ++{ ++ COMRegister(); ++} ++ ++STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int) ++{ ++ COMUnregister(); ++} + + static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data) + { +diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def +index 927782c31b..ee97a81427 100644 +--- a/qga/vss-win32/qga-vss.def ++++ b/qga/vss-win32/qga-vss.def +@@ -1,6 +1,8 @@ + LIBRARY "QGA-PROVIDER.DLL" + + EXPORTS ++ DLLCOMRegister ++ DLLCOMUnregister + COMRegister PRIVATE + COMUnregister PRIVATE + DllCanUnloadNow PRIVATE diff --git a/qemu.spec b/qemu.spec index 0b672d3..964c5c5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release} %endif # To prevent rpmdev-bumpspec breakage -%global baserelease 14 +%global baserelease 15 Summary: QEMU is a FAST! processor emulator Name: qemu 
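Review bot: The rundll32 entry points DLLCOMRegister/DLLCOMUnregister added to qga/vss-win32/install.cpp discard the HRESULT of COMRegister()/COMUnregister() (the function just before them, which begins outside the hunk, ends with `return hr;`), so a failed VSS provider registration or removal during install never reaches the MSI: rundll32 exits 0 and the custom action proceeds as if it had succeeded. The XML of the qemu-ga.wxs hunks was stripped in this rendering, so I cannot see whether the CustomAction is declared with `Return="check"`; if it is, the wrappers should turn failure into a non-zero process exit, e.g. `if (FAILED(COMRegister())) { ExitProcess(1); }` and the same for the unregister path, otherwise a half-registered provider is silently accepted. For the same reason I cannot confirm that the rundll32 command line quotes the DLL path; with the agent installed under Program Files, an unquoted path is worth re-checking in the .wxs, since this patch is specifically about local elevation through the installer.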
@@ -377,6 +377,8 @@ Patch: 0021-linux-user-use-max-instead-of-qemu32-qemu64-by-default.patch #block: Fix memory alignment of requests (rhbz#2174139) Patch: 0022-block-move-bdrv_qiov_is_aligned-to-file-posix.patch Patch: 0023-block-use-the-request-length-for-iov-alignment.patch +# qga/win32: Fix local privilege escalation issue (CVE-2023-0664) +Patch: 0024-qga-win32-local-privilege-escalation.patch BuildRequires: meson >= %{meson_version} @@ -2742,6 +2744,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Sun Mar 26 2023 Mauro Matteo Cascella - 2:7.0.0-15 +- qga/win32: Fix local privilege escalation issue (CVE-2023-0664) (rhbz#2175700) + * Tue Feb 28 2023 Eduardo Lima (Etrunko) - 2:7.0.0-14 - block: Fix memory alignment of requests (rhbz#2174139) - Disable the tests on i686