Re: qemu CVE-2019-6501: not-affected in Jessie and Stretch?

To: Hugo Lefeuvre <hle@debian.org>
Cc: team@security.debian.org, debian-lts@lists.debian.org
Subject: Re: qemu CVE-2019-6501: not-affected in Jessie and Stretch?
From: Roberto C. Sánchez <roberto@debian.org>
Date: Sat, 2 Mar 2019 09:39:21 -0500
Message-id: <[🔎] 20190302143921.cakhco5cbmobh65f@santiago.connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, Hugo Lefeuvre <hle@debian.org>, team@security.debian.org, debian-lts@lists.debian.org
In-reply-to: <20190227072418.GA1625@behemoth.owl.eu.com.local>
References: <20190227072418.GA1625@behemoth.owl.eu.com.local>

On Wed, Feb 27, 2019 at 08:24:18AM +0100, Hugo Lefeuvre wrote:
> Hi,
> 
> It looks very much like the vulnerability was introduced in
> a71c775b24ebc664129eb1d9b4c360590353efd5[0] which is not present prior
> 2.12.50.
> 
> I'd appreciate if a second pair of eyes could double check before I
> update the tracker for Jessie and Stretch.
> 
> (scsi_handle_inquiry_reply was introduced in
> 0a96ca2437646bad197b0108c5f4a93e7ead05a9[1].
> 
> thanks!
> 
> cheers,
>  Hugo
> 
> [0] https://git.qemu.org/?p=qemu.git;a=commit;h=a71c775b24ebc664129eb1d9b4c360590353efd5
> [1] https://git.qemu.org/?p=qemu.git;a=commit;h=0a96ca2437646bad197b0108c5f4a93e7ead05a9
> 

Hi Hugo,

I note that there has not been a response to your request for review.  I
have looked at the two commits you linked, plus another referenced from
one of those, plus the fix that was posted to the qemu-devel mailing
list and compared with the code in stretch and jessie.

I concur with your assessment that the code in jessie and stretch is not
vulnerable to this particular vulnerability.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Prev by Date: February Report
Next by Date: Re: February Report
Previous by thread: Re: February Report
Next by thread: Request for testing - symfony
Index(es):
- Date
- Thread