On Thu, Aug 31, 2023 at 3:57 PM Daniel P. Berrangé <berra...@redhat.com> wrote: > > On Thu, Aug 31, 2023 at 03:40:25PM +0200, Philippe Mathieu-Daudé wrote: > > Hi Samuel, > > > > On 31/8/23 14:48, Samuel Henrique wrote: > > > CVE-2020-24165 was assigned to this: > > > https://nvd.nist.gov/vuln/detail/CVE-2020-24165 > > > > > > I had no involvement in the assignment, posting here for reference only. > > > > > > ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24165 > > > > QEMU 4.2.0 was released in 2019. The issue you report > > has been fixed in commit 886cc68943 ("accel/tcg: fix race > > in cpu_exec_step_atomic (bug 1863025)") which is included > > in QEMU v5.0, released in April 2020, more than 3 years ago. > > > > What do you expect us to do here? I'm not sure whether assigning > > CVE for 3 years old code is a good use of engineering time. > > In any case per our stated security policy, we do not consider TCG to > be providing a security boundary between host and guest, and thus bugs > in TCG aren't considered security flaws: > > > https://www.qemu.org/docs/master/system/security.html#non-virtualization-use-case
Right, and it is clearly indicated in the referenced launchpad bug: 'The security list informed me "This can not be treated as a security issue"'. This adds up to CVE-2022-36648, which is also a mystery to me in terms of CVE assignment and CVSS scoring (rated as Critical). I don't know what's going on with NVD, there must be something wrong on their side. I disputed both CVEs via https://cveform.mitre.org/. > With regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| > |: https://libvirt.org -o- https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| > -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
