[Qemu-devel] [PATCH 0/1] multiboot.c: Document as fixed against CVE-2018-7550

[Qemu-devel] [PATCH 0/1] multiboot.c: Document as fixed against CVE-2018-7550

[Jack Schwartz]

Some changes were delivered a few weeks ago that fixed CVE-2018-7550
before that CVE was created.  Changeset:
    2a8fcd119eb7 ("multiboot: bss_end_addr can be zero")

Shortly after that delivery, a different changeset claimed in its commit
message to fix that CVE, but it really fixed a different one.  Changeset:
    7cdc61becd09 ("vga: fix region calculation")
PJP says the proper CVE is CVE-2018-7858
https://bugzilla.redhat.com/show_bug.cgi?id=1553402

Not sure what the proper protocol is for getting this all straightened
out, but I would like to help since I delivered the multiboot changes.

This patch set contains an empty patch with a commit message to document
the multiboot changes.  Please add it to the repo as you see fit, or let
me know if you need something else from me to resolve this differently.

Note that unless the vga CVE is explained/corrected, people may get
confused when they see different fixes associated with the same CVE.

	Thanks,
	Jack

Jack Schwartz (1):
  multiboot.c: Document as fixed against CVE-2018-7550

-- 
1.8.3.1

[Qemu-devel] [PATCH 1/1] multiboot.c: Document as fixed against CVE-2018-7550

[Jack Schwartz]

This empty commit documents multiboot.c as fixed against CVE-2018-7550.
The fix, dated Dec 21 2017, went in before the CVE was created, as:
        2a8fcd119eb7 ("multiboot: bss_end_addr can be zero")

Fixes: CVE-2018-7550
Signed-off-by: Jack Schwartz <jack.schwartz@oracle.com>
Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
-- 
1.8.3.1