Date: Tue, 21 Nov 2017 19:52:43 -0800
From: Ian Zimmerman <itz@...y.loosely.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-16845 Qemu: ps2: information leakage via post_load
 routine

On 2017-11-17 11:14, P J P wrote:

> Upstream patch:
> ---------------
>   -> https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html

Hi, what can I do with these QEMU reports?  I can try to apply the
patch, but I have no idea if it will work, because I don't know which
branch or revision it is based on.

By my unscientific counting, there are only 2 other userspace projects
which earn CVEs as frequently as QEMU: openjpeg and graphicsmagick.  In
both these cases, starting with the message posted here and following
the references, I can quickly locate the actual VC commit (in git and
mercurial, respectively) and thus have a sound basis for deciding what
to do: patch, wait for an updated distro package, or fork the distro
package.

Is there a reason why that cannot be done with QEMU?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.
