"Michael S. Tsirkin" <m...@redhat.com> writes: > On Fri, Apr 26, 2013 at 06:33:33PM +0800, Jason Wang wrote: >> On 04/26/2013 06:32 PM, Eric Blake wrote: >> > On 04/25/2013 11:06 PM, Jason Wang wrote: >> >>>> if (addr > (vdev->config_len - sizeof(val))) >> >>>> >> >>>> ^^^^^^^^^ quiz: spot a bug above if config_len is 0 :) >> >>> Then we need to fix these bugs and allocate a CVE. virtio-rng has >> >>> shipped. This code is also dumb. >> >> Ok, but since the discussion is in public list, no need for CVE then. >> > Wrong. CVEs are useful even for publicly disclosed bugs. It tells >> > people whether they need to upgrade in order to avoid a vulnerability. >> > >> > What we don't need is embargo. But we do need a CVE. >> > >> >> True, thanks for the correction. > > I think we never shipped QEMU release with this bug. So no need for > CVEs. I'm not sure upstream has to bother with CVEs - we can just say > this is downstream work.
Uh, we certainly do. QEMU 1.4 had virtio-rng and therefore had this bug so we need to allocate a CVE. Regards, Anthony Liguori > > -- > MST
