* 江芳杰 (18401698...@126.com) wrote: > Hi: > Sorry to bother you~ > I have read the discussions about CVE--2019-12928 ( > https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01153.html). > But, for the scenario of PC users, which is no requirement of network access > to QMP, there are some mitigating proposes. > 1. Modify the compilation options to disable QMP. > 2. Modify command line parsing function to discard the QMP parameters with > network configurations. > 3. PC manager or other manage software make sure only the trusted user can > use QMP. > 4. Other ideas?
QMP is a useful part of QEMU - so we don't want to do 1 - we need it to let things control QEMU; including configuring complex setups. The important part is (3) - anything that runs a qemu must make sure it wires the QMP up securely; e.g. using unix sockets with appropriate permissions or something like that. As long as they do that, then we're fine. Dave -- Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
