Hi Hugo, On Fri, Sep 23, 2016 at 11:08:20AM +0200, Hugo Lefeuvre wrote: > Hi, > > I've had a look at the latest security issues for qemu, and it's quite > unclear to me that qemu is affected by CVE-2016-7466 in wheezy. The affected > source code seems to be absent, and the issue looks hard to reproduce.
The Wheezy version lacks usb_xhci_exit completely. Isn't that a much bigger leak? Did you try to unplug/replug xhci and see if it leaks? > Concerning CVE-2016-7170, an upstream approved patch has been released, > and it may apply with some adaptations on the wheezy version. Should I > prepare a qemu update only for this little patch? I always feel more comfortable with these things fixed than unfixed. Cheers, -- Guido > > Otherwise, I'd like to mark it as non-dsa. > > Regards, > Hugo > > -- > Hugo Lefeuvre (hle) | www.owl.eu.com > 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
