On Thu, Aug 31, 2023 at 03:40:25PM +0200, Philippe Mathieu-Daudé wrote: > Hi Samuel, > > On 31/8/23 14:48, Samuel Henrique wrote: > > CVE-2020-24165 was assigned to this: > > https://nvd.nist.gov/vuln/detail/CVE-2020-24165 > > > > I had no involvement in the assignment, posting here for reference only. > > > > ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24165 > > QEMU 4.2.0 was released in 2019. The issue you report > has been fixed in commit 886cc68943 ("accel/tcg: fix race > in cpu_exec_step_atomic (bug 1863025)") which is included > in QEMU v5.0, released in April 2020, more than 3 years ago. > > What do you expect us to do here? I'm not sure whether assigning > CVE for 3 years old code is a good use of engineering time.
In any case per our stated security policy, we do not consider TCG to be providing a security boundary between host and guest, and thus bugs in TCG aren't considered security flaws: https://www.qemu.org/docs/master/system/security.html#non-virtualization-use-case With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
