Re: qemu CVE-2019-6501: not-affected in Jessie and Stretch?
On Wed, Feb 27, 2019 at 08:24:18AM +0100, Hugo Lefeuvre wrote:
> It looks very much like the vulnerability was introduced in
> a71c775b24ebc664129eb1d9b4c360590353efd5 which is not present prior
> I'd appreciate if a second pair of eyes could double check before I
> update the tracker for Jessie and Stretch.
> (scsi_handle_inquiry_reply was introduced in
>  https://git.qemu.org/?p=qemu.git;a=commit;h=a71c775b24ebc664129eb1d9b4c360590353efd5
>  https://git.qemu.org/?p=qemu.git;a=commit;h=0a96ca2437646bad197b0108c5f4a93e7ead05a9
I note that there has not been a response to your request for review. I
have looked at the two commits you linked, plus another referenced from
one of those, plus the fix that was posted to the qemu-devel mailing
list and compared with the code in stretch and jessie.
I concur with your assessment that the code in jessie and stretch is not
vulnerable to this particular vulnerability.
Roberto C. Sánchez