qemu-devel

Re: [PATCH] usb: fix setup_len init (CVE-2020-14364)


From: P J P
Subject: Re: [PATCH] usb: fix setup_len init (CVE-2020-14364)
Date: Tue, 1 Sep 2020 10:27:46 +0530 (IST)

  Hello Li,

+-- On Tue, 25 Aug 2020, Li Qiang wrote --+
| Just see the page.
| -->https://access.redhat.com/security/cve/CVE-2020-14364
| 
| The 'Attack Vector' of the CVSS score here is 'local'.
| 
| I think this should be 'network' as the guest user can touch this in a cloud 
| environment? What's the consideration here?

  -> https://www.first.org/cvss/v3.1/user-guide#3-5-Scope-Vulnerable-Component-and-Impacted-Component

AV:Network or Adjacent is generally used when the issue involves the network 
stack. In this case it's a usb device r/w operation.


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D



