Your message dated Tue, 16 Dec 2025 08:29:31 +0300
with message-id <[email protected]>
and subject line Re: Bug##1119917: qemu: CVE-2025-12464: stack-based buffer
overflow in e1000 network device via loopback code path
has caused the Debian Bug report #1119917,
regarding qemu: CVE-2025-12464: stack-based buffer overflow in e1000 network
device via loopback code path
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119917: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119917
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:10.1.2+ds-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/qemu-project/qemu/-/issues/3043
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for qemu.
CVE-2025-12464[0]:
| A stack-based buffer overflow was found in the QEMU e1000 network
| device. The code for padding short frames was dropped from
| individual network devices and moved to the net core code. The issue
| stems from the device's receive code still being able to process a
| short frame in loopback mode. This could lead to a buffer overrun in
| the e1000_receive_iov() function via the loopback code path. A
| malicious guest user could use this vulnerability to crash the QEMU
| process on the host, resulting in a denial of service.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-12464
https://www.cve.org/CVERecord?id=CVE-2025-12464
[1] https://gitlab.com/qemu-project/qemu/-/issues/3043
[2]
https://lore.kernel.org/qemu-devel/[email protected]/T/#u
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Version: 1:10.1.3+ds-1
On Sun, 02 Nov 2025 11:54:32 +0100 Salvatore Bonaccorso
<[email protected]> wrote:
Source: qemu
Version: 1:10.1.2+ds-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/qemu-project/qemu/-/issues/3043
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for qemu.
CVE-2025-12464[0]:
| A stack-based buffer overflow was found in the QEMU e1000 network
| device. The code for padding short frames was dropped from
| individual network devices and moved to the net core code. The issue
| stems from the device's receive code still being able to process a
| short frame in loopback mode. This could lead to a buffer overrun in
| the e1000_receive_iov() function via the loopback code path. A
| malicious guest user could use this vulnerability to crash the QEMU
| process on the host, resulting in a denial of service.
This is fixed in v10.1.3 stable/bugfix release.
Thanks,
/mjt
--- End Message ---
