qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] ide: fix ATAPI command permissions


From: Kevin Wolf
Subject: Re: [Qemu-devel] [PATCH] ide: fix ATAPI command permissions
Date: Tue, 15 Sep 2015 10:26:43 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

Am 14.09.2015 um 20:49 hat John Snow geschrieben:
> On 09/14/2015 02:43 PM, Michael Tokarev wrote:
> > 14.09.2015 21:04, John Snow wrote:
> >> On 09/11/2015 02:56 AM, Michael Tokarev wrote:
> >>> 09.09.2015 19:28, John Snow wrote:
> >>>> We're a little too lenient with what we'll let an ATAPI drive handle.
> >>>> Clamp down on the IDE command execution table to remove CD_OK permissions
> >>>> from commands that are not and have never been ATAPI commands.
> >>>
> >>> FWIW, this issue has been assigned CVE-2015-6855 identifier, which
> >>> can be reflected in the commit message when applying.  Since this
> >>> issue has security impact, it might be a good idea to add
> >>>
> >>> Cc: address@hidden
> >>
> >> I'm still awaiting review/acks, but would you like me to re-send this
> >> patch to trivial, or just fwd/reply-to?
> > 
> > I think it is anything but trivial ;)  Well, the semantics is trivial,
> > but it isn't -trivial material per se.
> > 
> > I suggested add a Cc to qemu-stable, this can be done at commit,
> > together with mentioning the CVE# assigned meanwhile, and I don't
> > know who will commit it, Kevin?
> > 
> > Thanks,
> > 
> > /mjt
> > 
> 
> I'll be sending the pullreq through my tree, but I was waiting on at
> least an ACK or so before I went ahead.
> 
> I can add CC: qemu-stable to the patch on-pull if that's sufficient for you.

Ideally, stable patches should have a "Cc: address@hidden" line
in the commit message, too. Just adding that on pull should be enough.

Also copying the list for this reply so that there is some trace of the
patch on it.

Kevin



reply via email to

[Prev in Thread] Current Thread [Next in Thread]