Control: severity -1 minor

10.10.2013 11:33, Moritz Muehlenhoff wrote:
> Package: qemu
> Severity: grave
> Tags: security
> Justification: user security hole

Yes, this is a security hole, but it is a _configuration_ security hole. The administrator/user of qemu should configure more than 256 luns. In other, simpler words, qemu has to run with 256 -drive parameters for the guest to be able to trigger the overflow. (Or this can be added dynamically using drive_add qemu monitor command - still not from within guest).

Such configurations are EXTREMELY uncommon, actually I highly doubt they exist in practice at all. That's the reason I questioned validity of this CVE# assignment, and also why I didn't submit this bug report to Debian (I knew about it for quite some time already).

Maybe I don't understand something, in this case the severity should be upped again.

Thanks,

/mjt

> this was assigned CVE-2013-4344:
> http://thread.gmane.org/gmane.comp.emulators.qemu/237161
>
> Patch:
> http://article.gmane.org/gmane.comp.emulators.qemu/237163
>
> Cheers,
> Moritz