On 28.01.2012 03:04, Matt Kraai wrote: > Hi, > > I've attached a patch that should fix this problem to this message. > It's based on the patch used to fix this problem in unstable, which > doesn't apply cleanly to the stable version. I wasn't sure what do to > about the patch headers, so I left them unchanged. Should I upload a > fixed package somewhere?
See DSA 2396-1 which were issued about 5 hours ago. The fixed stable version is already available in debian security archives. Also, http://anonscm.debian.org/gitweb/?p=collab-maint/qemu-kvm.git;a=shortlog;h=refs/heads/squeeze and in particular, http://anonscm.debian.org/gitweb/?p=collab-maint/qemu-kvm.git;a=blob;f=debian/patches/e1000-bounds-packet-size-against-buffer-size-CVE-2012-0029.diff;h=91ab34c2ee49499706aedc70618139ccc9d95923;hb=59e1ee22261dbc793282f61c9ed12bfd56d7c056 The difference between 1.0 and 0.12 version is cpu_physical_memory_read that's used in 0.12 vs pci_dma_read() used in later version, and 13-line offset. Thanks, /mjt -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

