On Wed, Feb 27, 2019 at 08:24:18AM +0100, Hugo Lefeuvre wrote:
> Hi,
>
> It looks very much like the vulnerability was introduced in
> a71c775b24ebc664129eb1d9b4c360590353efd5[0] which is not present prior
> to 2.12.50.
>
> I'd appreciate if a second pair of eyes could double check before I
> update the tracker for Jessie and Stretch.
>
> (scsi_handle_inquiry_reply was introduced in
> 0a96ca2437646bad197b0108c5f4a93e7ead05a9[1].)
>
> thanks!
>
> cheers,
> Hugo
>
> [0]
> https://git.qemu.org/?p=qemu.git;a=commit;h=a71c775b24ebc664129eb1d9b4c360590353efd5
> [1]
> https://git.qemu.org/?p=qemu.git;a=commit;h=0a96ca2437646bad197b0108c5f4a93e7ead05a9
>
Hi Hugo,

I note that there has not been a response to your request for review. I
have looked at the two commits you linked, plus another referenced from
one of those, plus the fix that was posted to the qemu-devel mailing list
and compared with the code in stretch and jessie.

I concur with your assessment that the code in jessie and stretch is not
vulnerable to this particular vulnerability.

Regards,

-Roberto

-- 
Roberto C. Sánchez
