* cve patch wanted
@ 2020-07-11 12:28 林奕帆
From: 林奕帆 @ 2020-07-11 12:28 UTC (permalink / raw)
To: qemu-devel
Hello
I am a student from Fudan University in China. I am doing research on CVE patches recently, but I cannot find the patch commits for CVE-2019-12247, CVE-2019-12155 and CVE-2019-6778. Can you give me the commits that fix these CVEs?
* Re: cve patch wanted
From: Philippe Mathieu-Daudé @ 2020-07-13 8:16 UTC (permalink / raw)
To: 林奕帆,
qemu-devel, Gerd Hoffmann, Samuel Thibault,
Marc-André Lureau, Prasad J Pandit, Michael Roth
Hi,
On 7/11/20 2:28 PM, 林奕帆 wrote:
> Hello
> I am a student from Fudan University in China. I am doing research on
> CVE patches recently, but I cannot find the patch commits for
> CVE-2019-12247, CVE-2019-12155 and CVE-2019-6778. Can you give me the
> commits that fix these CVEs?
* CVE-2019-12247
I don't know about this one; maybe it is related to CVE-2018-12617, fixed
by commit 1329651fb4 ("qga: Restrict guest-file-read count to 48 MB").
Cc'ing Michael for CVE-2019-12247.
* CVE-2019-12155
I don't have access to the information (still marked 'private'
one year later), but I *guess* it has been fixed by commit
d52680fc93 ("qxl: check release info object").
Cc'ing Gerd and Prasad.
* CVE-2019-6778
This one is in SLiRP, Cc'ing Samuel and Marc-André.
* Re: cve patch wanted
From: Marc-André Lureau @ 2020-07-13 8:30 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Prasad J Pandit, Michael Roth, qemu-devel, Gerd Hoffmann,
Samuel Thibault, 林奕帆
Hi
On Mon, Jul 13, 2020 at 12:16 PM Philippe Mathieu-Daudé
<philmd@redhat.com> wrote:
> * CVE-2019-6778
>
> This one is in SLiRP, Cc'ing Samuel and Marc-André.
I was about to send a patch to update slirp to 4.3.1. Note that this
particular CVE should be fixed since 4.1, where "emu" support is
disabled.
* Re: cve patch wanted
From: P J P @ 2020-07-13 12:24 UTC (permalink / raw)
To: 林奕帆,
qemu-devel, Gerd Hoffmann, Samuel Thibault,
Marc-André Lureau, Michael Roth, Philippe Mathieu-Daudé
Hello all,
Thank you Philippe for looping me in.
On Monday, 13 July, 2020, 1:46:45 pm IST, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
> On 7/11/20 2:28 PM, 林奕帆 wrote:
> > I am a student from Fudan University in China. I am doing research on
> > CVE patches recently, but I cannot find the patch commits for
> > CVE-2019-12247, CVE-2019-12155 and CVE-2019-6778. Can you give me the
> > commits that fix these CVEs?
CVE-2019-12155 QEMU: qxl: null pointer dereference while releasing spice resources
-> https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
-> https://www.openwall.com/lists/oss-security/2019/05/22/1
CVE-2019-6778 QEMU: slirp: heap buffer overflow in tcp_emu()
-> https://www.openwall.com/lists/oss-security/2019/01/24/5
-> https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg03132.html
This slirp patch is merged upstream. IIRC, after its merger the SLiRP code moved into a new repository;
one will have to dig through the git logs/history to find the patch link/URL.
CVE-2019-12247 QEMU: qemu-guest-agent: integer overflow while running guest-exec command
-> https://www.openwall.com/lists/oss-security/2019/05/22/4
-> https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html
@Michael: Looks like 'CVE-2019-12247' patch above was not merged...? Any idea?
Thank you.
---
-P J P
* Re: cve patch wanted
From: Michael Roth @ 2020-07-13 22:40 UTC (permalink / raw)
To: 林奕帆,
Marc-André Lureau, Philippe Mathieu-Daudé,
Gerd Hoffmann, Prasad J Pandit, Samuel Thibault, qemu-devel
Quoting Philippe Mathieu-Daudé (2020-07-13 03:16:37)
> Hi,
>
> On 7/11/20 2:28 PM, 林奕帆 wrote:
> > Hello
> > I am a student from Fudan University in China. I am doing research on
> > CVE patches recently, but I cannot find the patch commits for
> > CVE-2019-12247, CVE-2019-12155 and CVE-2019-6778. Can you give me the
> > commits that fix these CVEs?
>
> * CVE-2019-12247
>
> I don't know about this one; maybe it is related to CVE-2018-12617, fixed
> by commit 1329651fb4 ("qga: Restrict guest-file-read count to 48 MB").
> Cc'ing Michael for CVE-2019-12247.
For CVE-2019-12247 it was determined that the existing limits on input to
QEMU's QMP parser make it non-exploitable:
https://bugzilla.redhat.com/show_bug.cgi?id=1712834
A patch to enforce/document some set limits rather than relying on
parser error messages (like what was done with 1329651fb4 for CVE-2018-12617)
might be nice, but it doesn't appear to be a security risk.
>
> * CVE-2019-12155
>
> I don't have access to the information (still marked 'private'
> one year later), but I *guess* it has been fixed by commit
> d52680fc93 ("qxl: check release info object").
> Cc'ing Gerd and Prasad.
>
> * CVE-2019-6778
>
> This one is in SLiRP, Cc'ing Samuel and Marc-André.
>