Date: Tue, 21 Nov 2017 19:52:43 -0800
From: Ian Zimmerman <itz@...y.loosely.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-16845 Qemu: ps2: information leakage via post_load routine

On 2017-11-17 11:14, P J P wrote:

> Upstream patch:
> ---------------
>   -> https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html

Hi, what can I do with these QEMU reports? I can try to apply the patch,
but I have no idea if it will work, because I don't know which branch or
revision it is based on.

By my unscientific counting, there are only 2 other userspace projects
which earn CVEs as frequently as QEMU: openjpeg and graphicsmagick. In
both these cases, starting with the message posted here and following
the references, I can quickly locate the actual VC commit (in git and
mercurial, respectively) and thus have a sound basis for deciding what
to do: patch, wait for an updated distro package, or fork the distro
package.

Is there a reason why that cannot be done with QEMU?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.