Re: Wheezy update for qemu ?

To: Hugo Lefeuvre <hle@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: Wheezy update for qemu ?
From: Guido Günther <agx@sigxcpu.org>
Date: Fri, 23 Sep 2016 11:32:42 +0200
Message-id: <[🔎] 20160923093242.sm6iiibxvypjmhia@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Hugo Lefeuvre <hle@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20160923090820.fc3hi64xo2pe4m4w@hle.local>
References: <[🔎] 20160923090820.fc3hi64xo2pe4m4w@hle.local>

Hi Hugo,
On Fri, Sep 23, 2016 at 11:08:20AM +0200, Hugo Lefeuvre wrote:
> Hi,
> 
> I've had a look at the latest security issues for qemu, and it's quite
> unclear to me that qemu is affected by CVE-2016-7466 in wheezy. The affected
> source code seems to be absent, and the issue looks hard to reproduce.

The Wheezy version lacks usb_xhci_exit completely. Isn't that a much
bigger leak? Did you try to unplug/replug xhci and see if it leaks?

> Concerning CVE-2016-7170, an upstream approved patch has been released,
> and it may apply with some adaptations on the wheezy version. Should I
> prepare a qemu update only for this little patch?

I always feel more comfortable with these things fixed than unfixed.
Cheers,
 -- Guido

> 
> Otherwise, I'd like to mark it as non-dsa.
> 
> Regards,
>  Hugo
> 
> -- 
>              Hugo Lefeuvre (hle)    |    www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

Reply to:

Follow-Ups:
- Re: Wheezy update for qemu ?
  - From: Hugo Lefeuvre <hle@debian.org>

References:
- Wheezy update for qemu ?
  - From: Hugo Lefeuvre <hle@debian.org>

Prev by Date: Wheezy update for qemu ?
Next by Date: Re: Wheezy update of firefox-esr?
Previous by thread: Wheezy update for qemu ?
Next by thread: Re: Wheezy update for qemu ?
Index(es):
- Date
- Thread