On 12/16/25 20:00, Salvatore Bonaccorso wrote:
Hi Michael,
On Tue, Dec 16, 2025 at 07:49:51PM +0300, Michael Tokarev wrote:
On 12/16/25 19:15, Salvatore Bonaccorso wrote:
Hi!
Thanks for the quick reply!
There are 2 new upstream stable/bugfix releases in the
7.2.x LTS branch. The number of fixes this time is
relatively small, and many of them are to the testsuite,
in an attempt to keep tests running.
Among other things, this fixes two security issues:
#1119917, CVE-2025-12464 (buffer overflow in e1000_receive_iov)
#1117153, CVE-2025-11234 (UAF in websocket handshake code)
Just a question for proper tracking, shouldn't we consider the
CVE-2025-12464 issue only being introduced with 8.1.0 according to
the commit
https://lore.kernel.org/qemu-devel/[email protected]/T/#u
https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d78089e9e585faaeb19afccff2050abf
?
This is a very good question indeed. It looks like I overlooked this
one for the 7.2.x branch when picking up the changes. The code in
7.2.x isn't vulnerable to this particular issue. I'll do some more
analysis around the matter, - if it should be reverted entirely.
At the very least, these changes (several of them) didn't break
legitimate usage of the e1000 device in 7.2.x, as my tests show.
Ack, so for updating the tracking information we hold back and see if
this is correct not to affect v7.2.22 or not or if it is still
legitimate to pick the change (but e.g. not consider it to fix the CVE
or otoh if we need to reevaluate where the issue is introduced).
So, yes, it was my mistake to include the fix for CVE-2025-12464
in 7.2.x branch - the fix doesn't do any good there, because the
issue doesn't exist in 7.2.x to begin with. It doesn't do any bad
either.
I'll remove the "Closes:" tag from the debian/changelog entry for
this (pending) upload. The rest of it stays.
BTW, 7.2.22 is expected to be the last upstream release in 7.2.x
series, - unless there's something really important to be fixed,
found. I forgot to mention this in this bug report initially.
Thanks,
/mjt