"Dr. David Alan Gilbert" <dgilb...@redhat.com> writes:

> * 江芳杰 (18401698...@126.com) wrote:
>> Hi:
>> Sorry to bother you~
>> I have read the discussions about CVE-2019-12928 (
>> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01153.html).
>> But, for the scenario of PC users, which is no requirement of network access
>> to QMP, there are some mitigating proposes.
>> 1. Modify the compilation options to disable QMP.
>> 2. Modify command line parsing function to discard the QMP parameters with
>> network configurations.
>> 3. PC manager or other manage software make sure only the trusted user can
>> use QMP.
>> 4. Other ideas?
>
> QMP is a useful part of QEMU - so we don't want to do 1 - we need it to
> let things control QEMU; including configuring complex setups.

Compiling out QMP gains you exactly nothing unless you also compile out
HMP. And then you're left without a way to monitor a running QEMU.
Similarly useful (but not nearly as secure) as not running QEMU at all
;)

> The important part is (3) - anything that runs a qemu must make sure it
> wires the QMP up securely; e.g. using unix sockets with appropriate
> permissions or something like that.
>
> As long as they do that, then we're fine.

Yup.

Regarding 4.: making insecure misconfiguration harder might be worth
exploring.
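
The check that points 3 and 4 in the thread above call for, as an added example (not part of the original messages and not QEMU's own code): management software can audit a QEMU command line before launch and refuse monitor endpoints that sit on a network socket or on a UNIX socket readable by other users. The function names are hypothetical; the sketch covers `-qmp`, `-qmp-pretty`, `-monitor` and `-mon`/`-chardev` pairs, and assumes that checking the socket file's mode is sufficient (it does not inspect parent directories).

```python
import os
import stat

# Legacy "-qmp DEV" / "-monitor DEV" strings that open a network socket.
NETWORK_PREFIXES = ("tcp:", "telnet:", "udp:", "websocket:")
MONITOR_OPTS = ("-qmp", "-qmp-pretty", "-monitor")


def _props(optarg):
    """'socket,id=m0,host=::' -> ('socket', {'id': 'm0', 'host': '::'})."""
    parts = optarg.split(",")
    bare = parts[0] if "=" not in parts[0] else None
    return bare, dict(p.split("=", 1) for p in parts if "=" in p)


def _check_socket(path):
    """Flag an existing UNIX socket that group or other users may access."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return []  # not created yet; nothing to inspect
    if stat.S_ISSOCK(mode) and mode & 0o077:
        return [f"{path}: socket mode {stat.S_IMODE(mode):04o} is not owner-only"]
    return []


def audit_monitor_args(argv):
    """Return findings for monitor endpoints on a QEMU command line."""
    findings, chardevs, mon_ids = [], {}, []
    for opt, arg in zip(argv, argv[1:]):
        if opt in MONITOR_OPTS and arg.startswith(NETWORK_PREFIXES):
            findings.append(f"{opt} {arg}: monitor on a network socket")
        elif opt in MONITOR_OPTS and arg.startswith("unix:"):
            findings += _check_socket(arg[5:].split(",")[0])
        elif opt == "-chardev":
            _, props = _props(arg)
            chardevs[props.get("id")] = props
        elif opt == "-mon":
            bare, props = _props(arg)  # "-mon chardev=ID,..." or "-mon ID,..."
            mon_ids.append(props.get("chardev", bare))
    for cid in mon_ids:  # resolve each monitor to its character device
        props = chardevs.get(cid, {})
        if "host" in props or "port" in props:
            findings.append(f"-mon {cid}: chardev on a network socket")
        elif "path" in props:
            findings += _check_socket(props["path"])
    return findings
```

An empty list means no monitor endpoint was flagged; a launcher would refuse to start QEMU otherwise.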