[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] ide: fix ATAPI command permissions
From: |
John Snow |
Subject: |
Re: [Qemu-devel] [PATCH] ide: fix ATAPI command permissions |
Date: |
Mon, 14 Sep 2015 14:49:51 -0400 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 |
On 09/14/2015 02:43 PM, Michael Tokarev wrote:
> 14.09.2015 21:04, John Snow wrote:
>> On 09/11/2015 02:56 AM, Michael Tokarev wrote:
>>> 09.09.2015 19:28, John Snow wrote:
>>>> We're a little too lenient with what we'll let an ATAPI drive handle.
>>>> Clamp down on the IDE command execution table to remove CD_OK permissions
>>>> from commands that are not and have never been ATAPI commands.
>>>
>>> FWIW, this issue has been assigned CVE-2015-6855 identifier, which
>>> can be reflected in the commit message when applying. Since this
>>> issue has security impact, it might be a good idea to add
>>>
>>> Cc: address@hidden
>>
>> I'm still awaiting review/acks, but would you like me to re-send this
>> patch to trivial, or just fwd/reply-to?
>
> I think it is anything but trivial ;) Well, the semantics is trivial,
> but it isn't -trivial material per se.
>
> I suggested add a Cc to qemu-stable, this can be done at commit,
> together with mentioning the CVE# assigned meanwhile, and I don't
> know who will commit it, Kevin?
>
> Thanks,
>
> /mjt
>
I'll be sending the pullreq through my tree, but I was waiting on at
least an ACK or so before I went ahead.
I can add CC: qemu-stable to the patch on-pull if that's sufficient for you.
--js
Re: [Qemu-devel] [PATCH] ide: fix ATAPI command permissions, Markus Armbruster, 2015/09/15