On Fri, Apr 26, 2013 at 06:33:33PM +0800, Jason Wang wrote: > On 04/26/2013 06:32 PM, Eric Blake wrote: > > On 04/25/2013 11:06 PM, Jason Wang wrote: > >>>> if (addr > (vdev->config_len - sizeof(val))) > >>>> > >>>> ^^^^^^^^^ quiz: spot a bug above if config_len is 0 :) > >>> Then we need to fix these bugs and allocate a CVE. virtio-rng has > >>> shipped. This code is also dumb. > >> Ok, but since the discussion is in public list, no need for CVE then. > > Wrong. CVEs are useful even for publicly disclosed bugs. It tells > > people whether they need to upgrade in order to avoid a vulnerability. > > > > What we don't need is embargo. But we do need a CVE. > > > > True, thanks for the correction.
I think we never shipped QEMU release with this bug. So no need for CVEs. I'm not sure upstream has to bother with CVEs - we can just say this is downstream work. -- MST
