From: Kevin Wolf <kwolf@redhat.com>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Jack Schwartz <jack.schwartz@oracle.com>,
qemu-devel@nongnu.org, ehabkost@redhat.com,
daniel.kiper@oracle.com, mst@redhat.com, pbonzini@redhat.com,
rth@twiddle.net, ppandit@redhat.com, qemu-stable@nongnu.org
Subject: Re: [Qemu-devel] CVE-2018-7550 (was: multiboot: bss_end_addr can be zero / cleanup)
Date: Wed, 14 Mar 2018 19:01:40 +0100 [thread overview]
Message-ID: <20180314180140.GB4764@localhost.localdomain> (raw)
In-Reply-To: <7F85C9E4-D04F-474C-A8E3-2EAFC5B864B9@oracle.com>
Am 14.03.2018 um 18:35 hat Konrad Rzeszutek Wilk geschrieben:
> On March 14, 2018 1:23:51 PM EDT, Kevin Wolf <kwolf@redhat.com> wrote:
> >Am 21.12.2017 um 18:25 hat Jack Schwartz geschrieben:
> >> Properly account for the possibility of multiboot kernels with a zero
> >> bss_end_addr. The Multiboot Specification, section 3.1.3 allows for
> >> kernels without a bss section, by allowing a zeroed bss_end_addr
> >multiboot
> >> header field.
> >>
> >> Do some cleanup to multiboot.c as well:
> >> - Remove some unused variables.
> >> - Use more intuitive header names when displaying fields in messages.
> >> - Change fprintf(stderr...) to error_report
> >
> >[ Cc: qemu-stable ]
> >
> >This series happens to fix CVE-2018-7550.
> >http://www.openwall.com/lists/oss-security/2018/03/08/4
> >
> >Just a shame that we weren't told before merging it so that the
> >appropriate tags could have been set in the commit message (and all of
> >the problems could have been addressed; I'm going to send another
> >Multiboot series now).
>
> Huh?
>
> You mean the CVE tags that were created in 2018 for a patch posted in
> 2017?
Well, it seems to me that this patch was created for a different
purpose, but it happens to fix the bug for which this CVE was assigned
now. It's not your or Jack's fault, that's just how things go sometimes.
I think PJP knew that this CVE was coming before the patches were merged
into master, so if he had told us, we could have had a better commit
message. But either way, it's not a disaster to have a suboptimal commit
message.
> Or that the reporter of the security issue didn't point to this particular patch?
>
> Irrespective of that, is there a write-up of how security process
> works at QEMU?
>
> That is what is the usual embargo period, the list of security folks,
> how one can become one, what are the responsibilities, how changes to
> process are being carried out (and discussed), what breath of testing
> and PoC work is done , how security fixes are being reviewed, etc?
I don't think a problem like this would be embargoed at all. Anyway,
have a look here:
https://wiki.qemu.org/SecurityProcess
Kevin
next prev parent reply other threads:[~2018-03-14 18:01 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-21 17:25 [Qemu-devel] [PATCH QEMU v1 0/4] multiboot: bss_end_addr can be zero / cleanup Jack Schwartz
2017-12-21 17:25 ` [Qemu-devel] [PATCH QEMU v1 1/4] multiboot: bss_end_addr can be zero Jack Schwartz
2018-03-07 7:18 ` P J P
2017-12-21 17:25 ` [Qemu-devel] [PATCH QEMU v1 2/4] multiboot: Remove unused variables from multiboot.c Jack Schwartz
2018-03-07 7:20 ` P J P
2017-12-21 17:25 ` [Qemu-devel] [PATCH QEMU v1 3/4] multiboot: Use header names when displaying fields Jack Schwartz
2018-03-07 7:25 ` P J P
2017-12-21 17:25 ` [Qemu-devel] [PATCH QEMU v1 4/4] multiboot: fprintf(stderr...) -> error_report() Jack Schwartz
2018-03-07 7:40 ` P J P
2018-01-12 18:28 ` [Qemu-devel] ping: Re: [PATCH QEMU v1 0/4] multiboot: bss_end_addr can be zero / cleanup Jack Schwartz
2018-01-15 15:54 ` [Qemu-devel] " Kevin Wolf
2018-01-17 20:06 ` Jack Schwartz
2018-01-18 11:35 ` Kevin Wolf
2018-01-18 13:03 ` Daniel P. Berrange
2018-01-19 18:36 ` Anatol Pomozov
2018-01-20 0:18 ` Jack Schwartz
2018-01-22 9:57 ` Daniel P. Berrange
2018-03-02 19:32 ` Jack Schwartz
2018-03-05 8:13 ` Kevin Wolf
2018-03-07 1:52 ` Jack Schwartz
2018-03-07 11:14 ` Kevin Wolf
2018-03-14 17:23 ` [Qemu-devel] CVE-2018-7550 (was: multiboot: bss_end_addr can be zero / cleanup) Kevin Wolf
2018-03-14 17:35 ` Konrad Rzeszutek Wilk
2018-03-14 18:01 ` Kevin Wolf [this message]
2018-03-15 6:13 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180314180140.GB4764@localhost.localdomain \
--to=kwolf@redhat.com \
--cc=daniel.kiper@oracle.com \
--cc=ehabkost@redhat.com \
--cc=jack.schwartz@oracle.com \
--cc=konrad.wilk@oracle.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).