qemu: Review security patches between 3.1.0 and 4.0.0.

Description

OpenXT stable-9 uses the QEMU 3.1.0 release. Review changes between 3.1.0 and 4.0.0 (the latest QEMU release at the time of this ticket) and identify security changes that would require a backport.

Validation Steps

  1. Regression.

Activity

Eric Chanudet
June 10, 2019, 6:37 PM

Discussed during community call on 06/10/2019.

Search in the change history reveals two CVEs:

  • CVE-2018-16872: bab9df35ce73d1c8e19a37e2737717ea1c984dc1

    • Not used in OpenXT (usb-mtp).

  • CVE-2019-8934: 27461d69a0f108dea756419251acc3ea65198f1b

    • hw/ppc/spapr.c emulation only

    • Not used in OpenXT.

Nicholas Tsirakis
June 25, 2019, 5:13 PM

Confirmed with that no CVEs are needed for QEMU as OpenXT does not utilize any of the associated features. reviewed the potential CVEs for edk2 (specifically for OVMF) and did not find anything either. Closing.
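The review described in the comments above, as an added example that is not part of the ticket or of OpenXT: it pulls CVE ids out of commit messages in a release range and flags only those commits touching code the target build compiles. `BUILT_PREFIXES`, the file paths, the commit subjects and the last two log records are assumptions constructed for illustration; the two hashes and CVE ids are the ones quoted in the ticket.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Hypothetical: source prefixes compiled into the target build (not OpenXT's real list).
BUILT_PREFIXES = ("hw/ide/", "hw/net/")

# Constructed sample of the output of:
#   git log v3.1.0..v4.0.0 --name-only --format='%x01%H%x02%B%x03'
# The first two hashes and CVE ids are the ones in the ticket; subjects, file
# paths and the last two records (placeholder hashes and CVE id) are constructed.
SAMPLE_LOG = (
    "\x01bab9df35ce73d1c8e19a37e2737717ea1c984dc1\x02constructed subject\n\n"
    "Fixes CVE-2018-16872\n\x03\nhw/usb/dev-mtp.c\n\n"
    "\x0127461d69a0f108dea756419251acc3ea65198f1b\x02constructed subject "
    "(CVE-2019-8934)\n\x03\nhw/ppc/spapr.c\n\n"
    "\x01" + "0" * 40 + "\x02constructed: refactor, no CVE\n\x03\nhw/ide/core.c\n\n"
    "\x01" + "1" * 40 + "\x02constructed fix\n\nCVE-0000-00000\n\x03\n"
    "hw/ide/core.c\ntests/ide-test.c\n"
)


def triage(log, built_prefixes=BUILT_PREFIXES):
    """Return one finding per commit whose message names a CVE.

    'backport' is True only when the commit touches a path under one of the
    prefixes that the target build compiles.
    """
    findings = []
    for record in log.split("\x01")[1:]:           # \x01 starts each commit
        commit, rest = record.split("\x02", 1)     # \x02 ends the hash
        body, files_blob = rest.split("\x03", 1)   # \x03 ends the message
        cves = sorted(set(CVE_RE.findall(body)))
        if not cves:
            continue                               # not security-tagged
        files = [f for f in files_blob.splitlines() if f.strip()]
        hit = [f for f in files if f.startswith(built_prefixes)]
        findings.append({"commit": commit, "cves": cves,
                         "files": files, "backport": bool(hit)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        verdict = "REVIEW FOR BACKPORT" if f["backport"] else "not built"
        print(f["commit"][:12], ",".join(f["cves"]), verdict, f["files"])
```

Path matching is only a first filter: a security fix whose commit message never mentions a CVE id is missed, so the range still needs a manual read of the subsystems the build ships.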

Done

Assignee

Unassigned

Reporter

Eric Chanudet

Labels

None

QA Assignee

Nicholas Tsirakis

QA Image URL

None

Epic Link

Components

Fix versions

Priority

Critical