
Re: qemu: CVE-2016-7116

Hi Thorsten,

> > "A privileged user inside guest could use this flaw to access undue
> > files on the host."
> ... you should also cite:
> "... host directory sharing via Plan 9 File System(9pfs) support ..."
> The latest news on [1] is from 2008. I am not sure whether there are really
> that many installations in the wild that really use it.

There are several "versions" of Plan 9 currently. The Bell one, which is rather
inactive, and a forked one, 9front, which seems to be under active development[0].

> I still think it is not needed.

I wasn't sure whether we should do an LTS upload for qemu or not. That's why I
asked here before claiming qemu in dla-needed. I'll follow the team's decision.

(By the way, *if we do an LTS upload*, shouldn't we include this patch[1][2],
too?)


[0] http://ninetimes.cat-v.org/
[1] http://git.qemu.org/?p=qemu.git;a=commit;h=805b5d98c649d26fc44d2d7755a97f18e62b438a
[2] https://marc.info/?l=oss-security&m=147259351226835&w=2

             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
