On Fri, 2021-01-22 at 10:14 +0000, Richard Purdie via lists.openembedded.org wrote: > On Fri, 2021-01-22 at 15:15 +0800, Wang Mingyu wrote: > > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18438.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2018-18438.patch > > new file mode 100644 > > index 0000000000..b6ce8fa57d > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18438.patch > > @@ -0,0 +1,697 @@ > > +From: Philippe Mathieu-Daudé > > +Subject: [Qemu-devel] [PATCH v2 07/11] chardev: Let IOReadHandler use > > unsigned type > > +Date: Fri, 12 Oct 2018 02:22:13 +0200 > > + > > +The number of bytes can not be negative nor zero. > > + > > +Fixed 2 format string: > > +- hw/char/spapr_vty.c > > +- hw/usb/ccid-card-passthru.c > > No Upstream-Status. > > Its also unclear what the status of these patches is upstream, they're > submitted, there was discussion but they weren't merged. I'm also > wondering whether there are more of the 11 patches in the series needed > to address the issue? Or perhaps the issue was ultimately addressed by > other patches?
I went digging and was pointed to https://bugzilla.redhat.com/show_bug.cgi?id=1609015 i.e. qemu upstream and Redhat believe this is not an issue Steve: What do we do here? Whitelist? Do we report upstream somehow? Cheers, Richard
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#147123): https://lists.openembedded.org/g/openembedded-core/message/147123 Mute This Topic: https://lists.openembedded.org/mt/80025435/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-