Some changes were delivered a few weeks ago that fixed CVE-2018-7550
before that CVE was created. Changeset:
2a8fcd119eb7 ("multiboot: bss_end_addr can be zero")
Shortly after that delivery, a different changeset claimed in its commit
message to fix that CVE, but it really fixed a different one. Changeset:
7cdc61becd09 ("vga: fix region calculation")
PJP says the proper CVE is CVE-2018-7858
https://bugzilla.redhat.com/show_bug.cgi?id=1553402
Not sure what the proper protocol is for getting this all straightened
out, but I would like to help since I delivered the multiboot changes.
This patch set contains an empty patch with a commit message to document
the multiboot changes. Please add it to the repo as you see fit, or let
me know if you need something else from me to resolve this differently.
Note that unless the vga CVE is explained/corrected, people may get
confused when they see different fixes associated with the same CVE.
Thanks,
Jack
Jack Schwartz (1):
multiboot.c: Document as fixed against CVE-2018-7550
--
1.8.3.1
