13.11.2014 20:39, Salvatore Bonaccorso wrote:
> Source: qemu
> Version: 1.1.2+dfsg-6a
> Severity: important
> Tags: security upstream
>
> Hi Debian QEMU team,
>
> the following vulnerability was published for qemu, chose important
> severity but actually might be downgraded to normal.
>
> CVE-2014-7840[0]:
> insufficient parameter validation during ram load

It is the same thing as #739589 (insufficient input validation during state load) -- new and more exciting ways to exploit this are found all the time... (I mean, it is another issue of the same sort, not something which has already been fixed in Debian).

We decided we will not try to fix this in wheezy - either all of the issues should be fixed or none, there's no reason to fix some but ignore others. We also decided this is a not very important issue, because it only happens when you allow untrusted parties to send you guest memory state, which is rather uncommon (see comments in that bug report).

Yes, it affects the wheezy version, but it is wontfix for wheezy for the above reason. And yes, I'll fix it for jessie; the patch in question has been applied to my local qemu git repository yesterday.

Thanks,

/mjt