On Mon, Jan 11, 2021 at 11:43:53PM +0800, 江芳杰 wrote:
> Hi:
> Sorry to bother you~
> I have read the discussions about CVE-2019-12928
> (https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01153.html).
> But for the scenario of PC users, which has no requirement of network access
> to QMP, there are some mitigating proposals.
> 1. Modify the compilation options to disable QMP.
> 2. Modify the command line parsing function to discard the QMP parameters with
> network configurations.
> 3. The PC manager or other management software makes sure only the trusted user can
> use QMP.
> 4. Other ideas?
No code changes are required at all. The described scenario was simply a user
mis-configuration.

In rare cases there can be valid reasons to use QMP on a public IP address, but
anyone doing so must ensure their usage is secure.

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
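The mis-configuration Daniel refers to is a QMP monitor listening on plain TCP on a non-loopback address. The script below is an added example for this thread; it is not code from the thread or from the QEMU project. It audits a QEMU command line for that set-up and shows the usual safe alternatives (a unix socket, a loopback bind, or a TLS-protected listener) beside the exposed ones. Assumptions: it only recognises the legacy `-qmp <spec>` option and `-chardev socket,id=X,...` paired with `-mon chardev=X,mode=control`; arguments contain no whitespace; a TCP chardev without `host=` is treated as a wildcard bind; the sample command lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the QEMU project): flag a QMP monitor
# that listens on plain TCP bound to a non-loopback address.
# Assumptions: only "-qmp <spec>" and "-chardev socket,..." + "-mon ...,mode=control"
# are examined; arguments contain no whitespace; a TCP chardev with no host=
# is treated as a wildcard bind (conservative).

# Constructed sample command lines (not taken from the thread).
EXPOSED_LEGACY='qemu-system-x86_64 -m 1024 -qmp tcp:0.0.0.0:4444,server,nowait -drive file=disk.img'
EXPOSED_CHARDEV='qemu-system-x86_64 -chardev socket,id=qmp0,host=0.0.0.0,port=4444,server=on,wait=off -mon chardev=qmp0,mode=control'
LOCAL_UNIX='qemu-system-x86_64 -m 1024 -qmp unix:/run/vm1.qmp,server,nowait -drive file=disk.img'
LOCAL_TCP='qemu-system-x86_64 -qmp tcp:127.0.0.1:4444,server,nowait'
TLS_TCP='qemu-system-x86_64 -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server -chardev socket,id=qmp0,host=0.0.0.0,port=4444,server=on,wait=off,tls-creds=tls0 -mon chardev=qmp0,mode=control'

# opt_value SPEC KEY: print the value of KEY=... in a comma-separated option
# string such as "socket,id=qmp0,host=0.0.0.0" (empty if absent).
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# host_is_loopback HOST: true for addresses only reachable from the same machine.
host_is_loopback() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# legacy_spec_exposed SPEC: SPEC is the argument of -qmp, e.g.
# "tcp:0.0.0.0:4444,server,nowait" or "unix:/run/vm1.qmp,server,nowait".
# True when it is a TCP listener on a non-loopback host.
legacy_spec_exposed() {
    addr=${1%%,*}                 # drop ",server,nowait,..." flags
    case "$addr" in
        tcp:*)
            hostport=${addr#tcp:}
            host=${hostport%:*}   # "" (as in "tcp::4444") is not loopback
            host_is_loopback "$host" && return 1
            return 0 ;;
        *)  return 1 ;;           # unix:, file:, pipe:, ... are not network listeners
    esac
}

# qmp_listener_exposed CMDLINE: exit 0 when CMDLINE configures a QMP monitor
# on plain TCP bound to a non-loopback address, exit 1 otherwise.
qmp_listener_exposed() {
    legacy_exposed=1
    exposed_chardevs=""           # ids of -chardev socket listeners that are exposed
    control_chardevs=""           # ids referenced by -mon ...,mode=control
    set -- $1                     # split the command line into words
    while [ $# -gt 1 ]; do
        opt=$1; val=$2
        case "$opt" in
            -qmp)
                legacy_spec_exposed "$val" && legacy_exposed=0 ;;
            -chardev)
                case "$val" in
                    socket,*)
                        id=$(opt_value "$val" id)
                        path=$(opt_value "$val" path)
                        host=$(opt_value "$val" host)
                        tls=$(opt_value "$val" tls-creds)
                        # unix socket (path=), TLS (tls-creds=) or loopback bind: not exposed
                        if [ -z "$path" ] && [ -z "$tls" ] && ! host_is_loopback "$host"; then
                            exposed_chardevs="$exposed_chardevs $id"
                        fi ;;
                esac ;;
            -mon)
                if [ "$(opt_value "$val" mode)" = control ]; then
                    control_chardevs="$control_chardevs $(opt_value "$val" chardev)"
                fi ;;
        esac
        shift
    done
    [ "$legacy_exposed" -eq 0 ] && return 0
    for id in $control_chardevs; do
        case " $exposed_chardevs " in
            *" $id "*) return 0 ;;
        esac
    done
    return 1
}

# Stand-alone run: report each constructed sample.
for name in EXPOSED_LEGACY EXPOSED_CHARDEV LOCAL_UNIX LOCAL_TCP TLS_TCP; do
    eval "cmdline=\$$name"
    if qmp_listener_exposed "$cmdline"; then
        echo "$name: QMP reachable over plain TCP on a non-loopback address"
    else
        echo "$name: ok"
    fi
done
```

To audit running guests rather than constructed strings, feed each process's `/proc/PID/cmdline` (with NULs replaced by spaces) to `qmp_listener_exposed`. The check is deliberately narrow: it says nothing about an HMP monitor (`-monitor` or `-mon ...,mode=readline`) exposed the same way, and it does not verify that a unix socket lives in a directory only the management user can reach, which is the part of "ensure their usage is secure" that a management layer such as libvirt handles for you.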
