On Wed, Jun 5, 2013 at 1:12 PM, Michael Tokarev wrote:
> 02.06.2013 22:53, Michael Gilbert wrote:
>> Package: qemu
>> Severity: serious
>> Version: 1.5.0+dfsg-1
>> Tags: security
>>
>> Hi,
>> An out-of-bounds issue in virtio was published for qemu:
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016
>
> Hmm. Now I'm really confused.
>
> Upstream version 1.5.0 includes the fix for this issue, so
> filing the bug against 1.5.0+dfsg-1 package is kind of wrong.
> The fix is commit 5f5a1318653c08e435cfa52f60b6a712815b659d
> which was applied past 1.5.0~rc0.
Is that a complete fix? The suggested patch in the redhat bug [0] also adds checks to virtio-pci.c, which is what I had used for reference when checking whether this was fixed or not, and that is not applied in the debian package yet.

Best wishes,
Mike

[0] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016

