[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] virtio: abort on zero config length

From: Laszlo Ersek
Subject: Re: [Qemu-devel] [PATCH] virtio: abort on zero config length
Date: Fri, 26 Apr 2013 13:33:50 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5

On 04/26/13 12:32, Eric Blake wrote:
> On 04/25/2013 11:06 PM, Jason Wang wrote:
>>>>     if (addr > (vdev->config_len - sizeof(val)))
>>>> ^^^^^^^^^ quiz: spot a bug above if config_len is 0    :)
>>> Then we need to fix these bugs and allocate a CVE.  virtio-rng has
>>> shipped.  This code is also dumb.
>> Ok, but since the discussion is in public list, no need for CVE then.
> Wrong.  CVEs are useful even for publicly disclosed bugs.  It tells
> people whether they need to upgrade in order to avoid a vulnerability.

Small addition (since my English parser turns "whether" into "whether or
not"): a CVE tells people *that* (not "if") they should upgrade. Lack of
a CVE mention in a commit doesn't imply -- at least in, ugh, another big
project -- that the fix is without security consequences ("no CVE fix, I
don't need it").

(Apologies for hair-splitting.)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]