Hi Michael,

On Tue, Dec 16, 2025 at 07:49:51PM +0300, Michael Tokarev wrote:
> On 12/16/25 19:15, Salvatore Bonaccorso wrote:
> 
> Hi!

Thanks for the quick reply!

> > > There are 2 new upstream stable/bugfix releases in the
> > > 7.2.x LTS branch.  The number of fixes this time is
> > > relatively small, and many of them are to the testsuite,
> > > in an attempt to keep tests running.
> > > 
> > > Among other things, this fixes two security issues:
> > >   #1119917, CVE-2025-12464 (buffer overflow in e1000_receive_iov)
> > >   #1117153, CVE-2025-11234 (UAF in websocket handshake code)
> > 
> > Just a question for proper tracking, shouldn't we consider the
> > CVE-2025-12464 issue only being introduced with 8.1.0 according to
> > the commit
> > https://lore.kernel.org/qemu-devel/[email protected]/T/#u
> > https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d78089e9e585faaeb19afccff2050abf
> > ?
> 
> This is a very good question indeed.  It looks like I overlooked this
> one for the 7.2.x branch when picking up the changes.  The code in
> 7.2.x isn't vulnerable to this particular issue.  I'll do some more
> analysis around the matter - if it should be reverted entirely.
> At the very least, these changes (several of them) didn't break
> legitimate usage of e1000 device in 7.2.x, as my tests show.

Ack, so for updating the tracking information we hold back and see if
this is correct not to affect v7.2.22 or not or if it is still
legitimate to pick the change (but e.g. not consider it to fix the CVE
or otoh if we need to reevaluate where the issue is introduced).

Regards,
Salvatore
