qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [RFC] QEMU Code Audit Team

From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [RFC] QEMU Code Audit Team
Date: Sun, 8 Jan 2012 16:54:03 +0000 
On Sun, Jan 8, 2012 at 2:01 PM, Dor Laor <address@hidden> wrote:
> On 01/06/2012 07:25 PM, Chris Wright wrote:
>>
>> * Corey Bryant (address@hidden) wrote:
>>>
>>> Count me in for step 2.  A good approach may be to run a static
>>> analysis tool against the code, followed by a manual scan of the
>>> code for common vulnerabilities that static analysis can't find.
>>
>>
>> Good idea.  Folks are already running things like Coverity.  The false
>> positive rate is high enough that it's a lot to wade through at first
>> (so extra eyes could be quite helpful here).  Perhaps the people who
>> are involved in this could share some of their findings.
>
>
> Markus already done a pretty extensive review and cleanup using Coverity.
> I'm not sure if he managed to cover all the real issues, have you?
>
> btw: in case a real security flaw is detected, I like to ask the audit
> volunteering folks to report a CVE [1] and not to disclose the info till an
> embargo is raised.

The process I have followed is to raise a Launchpad bug and tick "This
bug is a security vulnerability":
https://bugs.launchpad.net/qemu/+filebug

Either way, there needs to be simple instructions on how to submit
security vulnerability information and who gets to see that
information.

> I think that kvm and qemu need to have a security page like this:
> http://www.webkit.org/security/

Good idea.  Once there is a consensus I can write up a page on qemu.org.

Stefan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]