From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH v10 01/10] tools: Add vga=vmware
Date: Wed, 20 May 2015 23:52:32 +0100
Message-ID: <555D1030.2020001@citrix.com>
References: <1431646469-23022-1-git-send-email-dslutz@verizon.com>		<1431646469-23022-2-git-send-email-dslutz@verizon.com>		<555532E6.1040608@citrix.com>
	<1431679757.8943.5.camel@citrix.com>
	<555CC717.4010409@one.verizon.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <555CC717.4010409@one.verizon.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 20/05/2015 18:40, Don Slutz wrote:
> On 05/15/15 04:49, Ian Campbell wrote:
>> On Fri, 2015-05-15 at 00:42 +0100, Andrew Cooper wrote:
>>> On 15/05/2015 00:34, Don Slutz wrote:
>>>> This allows use of QEMU's VMware emulated video card
>>>>
>>>> Signed-off-by: Don Slutz <dslutz@verizon.com>
>>> Nack.
>>>
>>> Qemu-trad is currently has remote code execution vulnerabilities in its
>>> vmware vga model.  CVE-2014-3689 amongst others.
>> Maybe we should only be exposing this new functionality with the
>> qemu-upstream model?
>>
>> In general we've not been taking new development to -trad for some time.
>>
> I plan to go with the prevent usage of vga=vmware in
> device_model_version=qemu-xen-traditional
>
>    -Don Slutz

That is perfectly fine from my point of view.  (All I care about is not
exposing known RCEs)

~Andrew