On 04/26/13 12:32, Eric Blake wrote:
> On 04/25/2013 11:06 PM, Jason Wang wrote:
>>>> if (addr > (vdev->config_len - sizeof(val)))
>>>>
>>>> ^^^^^^^^^ quiz: spot a bug above if config_len is 0 :)
>>> Then we need to fix these bugs and allocate a CVE. virtio-rng has
>>> shipped. This code is also dumb.
>>
>> Ok, but since the discussion is in public list, no need for CVE then.
>
> Wrong. CVEs are useful even for publicly disclosed bugs. It tells
> people whether they need to upgrade in order to avoid a vulnerability.
Small addition (since my English parser turns "whether" into "whether or
not"): a CVE tells people *that* (not "if") they should upgrade. Lack of
a CVE mention in a commit doesn't imply -- at least in, ugh, another big
project -- that the fix is without security consequences ("no CVE fix, I
don't need it").
(Apologies for hair-splitting.)
Laszlo
