[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: qemu CVE-2019-6501: not-affected in Jessie and Stretch?

On Wed, Feb 27, 2019 at 08:24:18AM +0100, Hugo Lefeuvre wrote:
> Hi,
> It looks very much like the vulnerability was introduced in
> a71c775b24ebc664129eb1d9b4c360590353efd5[0] which is not present prior
> 2.12.50.
> I'd appreciate if a second pair of eyes could double check before I
> update the tracker for Jessie and Stretch.
> (scsi_handle_inquiry_reply was introduced in
> 0a96ca2437646bad197b0108c5f4a93e7ead05a9[1].
> thanks!
> cheers,
>  Hugo
> [0] https://git.qemu.org/?p=qemu.git;a=commit;h=a71c775b24ebc664129eb1d9b4c360590353efd5
> [1] https://git.qemu.org/?p=qemu.git;a=commit;h=0a96ca2437646bad197b0108c5f4a93e7ead05a9

Hi Hugo,

I note that there has not been a response to your request for review.  I
have looked at the two commits you linked, plus another referenced from
one of those, plus the fix that was posted to the qemu-devel mailing
list and compared with the code in stretch and jessie.

I concur with your assessment that the code in jessie and stretch is not
vulnerable to this particular vulnerability.



Roberto C. Sánchez

Reply to: