Your message dated Sat, 25 May 2024 22:17:10 +0000
with message-id <e1sazho-00f8kv...@fasolo.debian.org>
and subject line Bug#1068819: fixed in qemu 1:7.2+dfsg-7+deb12u6
has caused the Debian Bug report #1068819,
regarding qemu: CVE-2024-26327 CVE-2024-26328
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068819: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068819
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for qemu.

CVE-2024-26327[0]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c mishandles the situation where a guest writes
| NumVFs greater than TotalVFs, leading to a buffer overflow in VF
| implementations.

CVE-2024-26328[1]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and
| thus interaction with hw/nvme/ctrl.c is mishandled.

https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org

Introduced by:
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26327
    https://www.cve.org/CVERecord?id=CVE-2024-26327
[1] https://security-tracker.debian.org/tracker/CVE-2024-26328
    https://www.cve.org/CVERecord?id=CVE-2024-26328

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:7.2+dfsg-7+deb12u6
Done: Michael Tokarev <m...@tls.msk.ru>

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 May 2024 08:44:38 +0300
Source: qemu
Architecture: source
Version: 1:7.2+dfsg-7+deb12u6
Distribution: bookworm
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Closes: 1068819 1068820 1068821
Changes:
 qemu (1:7.2+dfsg-7+deb12u6) bookworm; urgency=medium
 .
   * update to upstream 7.2.11 stable/bugfix release, v7.2.11.diff,
     https://gitlab.com/qemu-project/qemu/-/commits/v7.2.11 :
     - Update version for 7.2.11 release
     - ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS.
     - ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs.
     - target/sh4: add missing CHECK_NOT_DELAY_SLOT
     - hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
       (Closes: #1068821, CVE-2024-3447)
     - hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
     - hw/net/lan9118: Fix overflow in MIL TX FIFO
     - backends/cryptodev: Do not abort for invalid session ID
     - hw/misc/applesmc: Fix memory leak in reset() handler
     - hw/block/nand: Fix out-of-bound access in NAND block buffer
     - hw/block/nand: Have blk_load() take unsigned offset and return boolean
     - hw/block/nand: Factor nand_load_iolen() method out
     - qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo
     - hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
       (Closes: #1068820, CVE-2024-3446)
     - hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
       (Closes: #1068820, CVE-2024-3446)
     - hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
       (Closes: #1068820, CVE-2024-3446)
     - hw/virtio: Introduce virtio_bh_new_guarded() helper
     - linux-user: Fix waitid return of siginfo_t and rusage
     - tcg/optimize: Do not attempt to constant fold neg_vec
     - hw/virtio: Fix packed virtqueue flush used_idx
     - hw/net/virtio-net: fix qemu set used ring flag even vhost started
     - hw/intc/arm_gicv3: ICC_HPPIR* return SPURIOUS if int group is disabled
     - gitlab-ci/cirrus: switch from 'master' to 'latest'
     - target/hppa: Clear psw_n for BE on use_nullify_skip path
     - tcg/optimize: Fix sign_mask for logical right-shift
     - virtio-net: Fix vhost virtqueue notifiers for RSS
     - monitor/hmp-cmds-target: Append a space in error message in gpa2hva()
     - hw/scsi/scsi-generic: Fix io_timeout property not applying
     - target/loongarch: Fix qemu-system-loongarch64 assert failed
       with the option '-d int'
     - target/i386: Revert monitor_puts() in do_inject_x86_mce()
     - target/i386: fix direction of "32-bit MMU" test
     - target/i386: use separate MMU indexes for 32-bit accesses
     - target/i386: introduce function to query MMU indices
     - tests: Raise timeouts for bufferiszero and crypto-tlscredsx509
     - tests/unit: Bump test-replication timeout to 60 seconds
     - tests/unit: Bump test-crypto-block test timeout to 5 minutes
     - tests/unit: Bump test-aio-multithread test timeout to 2 minutes
     - migration: Skip only empty block devices
     - hmat acpi: Fix out of bounds access due to missing use of indirection
     - pcie_sriov: Validate NumVFs
       (Closes: #1068819, CVE-2024-26327)
     - hw/nvme: Use pcie_sriov_num_vfs()
       (Closes: #1068819, CVE-2024-26328)
     - pcie: Introduce pcie_sriov_num_vfs
     - hw/nvme: add machine compatibility parameter to enable msix exclusive bar
     - hw/nvme: generalize the mbar size helper
     - hw/nvme: separate 'serial' property for VFs
     - hw/nvme: cleanup error reporting in nvme_init_pci()
     - hw/nvme: clean up confusing use of errp/local_err
     - Avoid unaligned fetch in ladr_match()
     - e1000e: fix link state on resume
     - make-release: switch to .xz format by default
     - hw/scsi/lsi53c895a: add timer to scripts processing
     - hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
     - hw/scsi/lsi53c895a: stop script on phase mismatch
     - system/qdev-monitor: move drain_call_rcu call
       under if (!dev) in qmp_device_add()
     - hw/rtc/sun4v-rtc: Relicense to GPLv2-or-later
     - target/arm: Fix SME full tile indexing
     - tests/tcg/aarch64/sysregs.c: Use S syntax for
       id_aa64zfr0_el1 and id_aa64smfr0_el1
     - target/arm: align exposed ID registers with Linux
     - ui/cocoa: Fix window clipping on macOS 14
     - gitlab: update FreeBSD Cirrus CI image to 13.3
   * update to upstream 7.2.10 stable/bugfix release, v7.2.10.diff,
     https://gitlab.com/qemu-project/qemu/-/commits/v7.2.10 :
     - Update version for 7.2.10 release
     - target/i386: the sgx_epc_get_section stub is reachable
     - tests/unit/test-blockjob: Disable complete_in_standby test
     - tests/qtest/display-vga-test: Add proper checks if a device is available
     - test-vmstate: fix bad GTree usage, use-after-free
     - tests/unit/test-util-sockets: Remove temporary file after test
     - hw/usb/bus.c: PCAP adding 0xA in Windows version
     - gitlab: force allow use of pip in Cirrus jobs
     - tests/vm: avoid re-building the VM images all the time
     - tests/vm: update openbsd image to 7.4
     - target/i386: leave the A20 bit set in the final NPT walk
     - target/i386: remove unnecessary/wrong application of the A20 mask
     - target/i386: Fix physical address truncation
     - target/i386: check validity of VMCB addresses
     - target/i386: mask high bits of CR3 in 32-bit mode
     - pl031: Update last RTCLR value on write in case it's read back
     - hw/nvme: fix invalid endian conversion
     - target/ppc: Fix lxv/stxv MSR facility check
     - .gitlab-ci.d/windows.yml: Drop msys2-32bit job
     - system/vl: Update description for input grab key
     - docs/system: Update description for input grab key
     - audio: Depend on dbus_display1_dep
     - meson: ensure dbus-display generated code is built before other units
     - ui/console: Fix console resize with placeholder surface
     - ui/clipboard: add asserts for update and request
     - ui/clipboard: mark type as not available when there is no data
       (Closes: CVE-2023-6683, already fixed in debian)
     - ui: reject extended clipboard message if not activated
     - target/i386: Generate an illegal opcode exception on cmp instructions
       with lock prefix
     - i386/cpuid: Move leaf 7 to correct group
     - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
     - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and
       FEAT_XSAVE_XSS_HI leafs
     - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE
       is not available
     - iotests: Make 144 deterministic again
     - target/arm: Don't get MDCR_EL2 in pmu_counter_enabled()
       before checking ARM_FEATURE_PMU
     - target/arm: Fix SVE/SME gross MTE suppression checks
     - target/arm: Fix nregs computation in do_{ld,st}_zpa
     - linux-user/aarch64: Choose SYNC as the preferred MTE mode
     - tests/acpi: Update DSDT.cxl to reflect change _STA return value.
     - hw/i386: Fix _STA return value for ACPI0017
     - tests/acpi: Allow update of DSDT.cxl
     - smmu: Clear SMMUPciBus pointer cache when system reset
     - virtio_iommu: Clear IOMMUPciBus pointer cache when system reset
     - hw/cxl: Pass CXLComponentState to cache_mem_ops
     - cxl/cdat: Fix header sum value in CDAT checksum
     - cxl/cdat: Handle cdat table build errors
     - vhost-user.rst: Fix vring address description
     - hw/smbios: Fix port connector option validation
     - hw/smbios: Fix OEM strings table option validation
     - pci-host: designware: Limit value range of iATU viewport register
     - qemu-options.hx: Improve -serial option documentation
     - system/vl.c: Fix handling of '-serial none -serial something'
     - target/arm: fix exception syndrome for AArch32 bkpt insn
     - block/blkio: Make s->mem_region_alignment be 64 bits
     - qemu-docs: Update options for graphical frontends
     - migration: Fix use-after-free of migration state object
   * d/patches: remove
     revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch
     This one turned out to be innocent, cryptsetup CI fails anyway.
   * d/patches: remove now included upstream
     ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch
   * d/changelog: mention previous CVE fixes:
     - CVE-2023-3019 fixed by 7.2+dfsg-7+deb12u4
     - CVE-2024-24474 & CVE-2023-5088 fixed by 7.2+dfsg-7+deb12u3
     - CVE-2023-3301 fixed by 7.2+dfsg-7+deb12u1

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
