Please excuse me for this really long delay with the answer.

16.06.2013 23:29, Michael Gilbert wrote:
> On Wed, Jun 5, 2013 at 1:12 PM, Michael Tokarev wrote:
>> 02.06.2013 22:53, Michael Gilbert wrote:
>>> Package: qemu
>>> Severity: serious
>>> version: 1.5.0+dfsg-1
>>> Tags: security
>>>
>>> Hi,
>>> An out-of-bounds issue in virtio was published for qemu:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016
>>
>> Hmm. Now I'm really confused.
>>
>> Upstream version 1.5.0 includes the fix for this issue, so
>> filing the bug against 1.5.0+dfsg-1 package is kind of wrong.
>> The fix is commit 5f5a1318653c08e435cfa52f60b6a712815b659d
>> which was applied past 1.5.0~rc0.
>
> Is that a complete fix? The suggested patch in the redhat bug [0]
> also adds checks to virtio-pci.c, which is what I had used for
> reference when checking whether this was fixed or not, and that is not
> applied in the debian package yet.

The fix referred to from that redhat bugreport (which is here --
https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html
or http://thread.gmane.org/gmane.comp.emulators.qemu/208677 )
was a suggested patch. After which some discussion emerged (see
the thread on gmane), and another, V2 version of the same patch
was sent, which is here -- http://patchwork.ozlabs.org/patch/241991/
or http://thread.gmane.org/gmane.comp.emulators.qemu/210292 --
which has been applied as 5f5a1318653c08e, which is included in
1.5.0-rc1 and up.

Thanks,

/mjt

> [0] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016