
oss-sec mailing list archives
Re: CVE-2017-16845 Qemu: ps2: information leakage via post_load routine
From: Ian Zimmerman <itz () very loosely org>
Date: Tue, 21 Nov 2017 19:52:43 -0800
On 2017-11-17 11:14, P J P wrote:
> Upstream patch:
> ---------------
>   -> https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html

Hi, what can I do with these QEMU reports? I can try to apply the patch, but I have no idea if it will work, because I don't know which branch or revision it is based on.

By my unscientific counting, there are only 2 other userspace projects which earn CVEs as frequently as QEMU: openjpeg and graphicsmagick. In both these cases, starting with the message posted here and following the references, I can quickly locate the actual VC commit (in git and mercurial, respectively) and thus have a sound basis for deciding what to do: patch, wait for an updated distro package, or fork the distro package.

Is there a reason why that cannot be done with QEMU?

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.

Current thread:
- CVE-2017-16845 Qemu: ps2: information leakage via post_load routine P J P (Nov 16)
- Re: CVE-2017-16845 Qemu: ps2: information leakage via post_load routine Ian Zimmerman (Nov 21)