On 01/12/20 16:30, Peter Maydell wrote:
On Tue, 1 Dec 2020 at 15:28, Philippe Mathieu-Daudé <phi...@redhat.com> wrote:
About reproducer, Michael asked about CVE-2020-24352 (ati_vga OOB in
ati_2d_blt) this morning. What happens to reproducers when a CVE is
assigned, but the bug is marked as "out of the QEMU security boundary"?
Also, why are we assigning CVEs for bugs we don't consider security bugs?
Sometimes CVEs are requested by other entities even before reaching the
QEMU security mailing list.
Paolo
