Your message dated Wed, 21 Aug 2024 21:47:11 +0000
with message-id <e1sgtad-00dgbs...@fasolo.debian.org>
and subject line Bug#1075824: fixed in qemu 1:7.2+dfsg-7+deb12u7
has caused the Debian Bug report #1075824,
regarding qemu: CVE-2024-4467
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1075824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075824
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qemu
Version: 1:8.2.5+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for qemu.

CVE-2024-4467[0]:
| A flaw was found in the QEMU disk image utility (qemu-img) 'info'
| command. A specially crafted image file containing a `json:{}` value
| describing block devices in QMP could cause the qemu-img process on
| the host to consume large amounts of memory or CPU time, leading to
| denial of service or read/write to an existing external file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-4467
    https://www.cve.org/CVERecord?id=CVE-2024-4467
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2278875
[2] https://gitlab.com/qemu-project/qemu/-/commit/bd385a5298d7062668e804d73944d52aec9549f1
    https://gitlab.com/qemu-project/qemu/-/commit/2eb42a728d27a43fdcad5f37d3f65706ce6deba5
    https://gitlab.com/qemu-project/qemu/-/commit/7e1110664ecbc4826f3c978ccb06b6c1bce823e6
    https://gitlab.com/qemu-project/qemu/-/commit/7ead946998610657d38d1a505d5f25300d4ca613

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:7.2+dfsg-7+deb12u7
Done: Michael Tokarev <m...@tls.msk.ru>

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1075...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Jul 2024 14:27:14 +0300
Source: qemu
Architecture: source
Version: 1:7.2+dfsg-7+deb12u7
Distribution: bookworm
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Closes: 1075824
Changes:
 qemu (1:7.2+dfsg-7+deb12u7) bookworm; urgency=medium
 .
   * update to upstream 7.2.13 stable/bugfix release, v7.2.13.diff,
     https://gitlab.com/qemu-project/qemu/-/commits/v7.2.13 :
     - Update version for 7.2.13 release
     - char-stdio: Restore blocking mode of stdout on exit
     - virtio: remove virtio_tswap16s() call in vring_packed_event_read()
     - block: Parse filenames only when explicitly requested
     - iotests/270: Don't store data-file with json: prefix in image
     - iotests/244: Don't store data-file with protocol in image
     - qcow2: Don't open data_file with BDRV_O_NO_IO
       (Closes: #1075824, CVE-2024-4467)
     - target/arm: Fix VCMLA Dd, Dn, Dm[idx]
     - i386/cpu: fixup number of addressable IDs for processor cores
       in the physical package
     - gitlab-ci: Disable the riscv64-debian-cross-container by default
     - tests: don't run benchmarks for the tsan build
     - tests: Update our CI to use CentOS Stream 9 instead of 8
     - ci, docker: update CentOS and OpenSUSE Python to non-EOL versions
     - Update lcitool and fedora to 37
     - gitlab-ci.d/buildtest: Merge the --without-default-* jobs
     - tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers
     - linux-user: Make TARGET_NR_setgroups affect only the current thread
     - stdvga: fix screen blanking
     - virtio-net: drop too short packets early
     - target/i386: fix size of EBP writeback in gen_enter()
   * update to upstream 7.2.12 stable/bugfix release, v7.2.12.diff,
     https://gitlab.com/qemu-project/qemu/-/commits/v7.2.12 :
     - Update version for 7.2.12 release
     - target/loongarch: fix a wrong print in cpu dump
     - ui/sdl2: Allow host to power down screen
     - target/i386: fix SSE and SSE2 feature check
     - target/i386: fix xsave.flat from kvm-unit-tests
     - disas/riscv: Decode all of the pmpcfg and pmpaddr CSRs
     - hw/intc/riscv_aplic: APLICs should add child earlier than realize
     - target/arm: Disable SVE extensions when SVE is disabled
     - hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n>
     - hvf: arm: Fix encodings for ID_AA64PFR1_EL1 and debug System registers
     - gitlab: Update msys2-64bit runner tags
     - target/i386: no single-step exception after MOV or POP SS
     - target/i386: disable jmp_opt if EFLAGS.RF is 1
     - target-i386: hyper-v: Correct kvm_hv_handle_exit return value
     - ui/gtk: Check if fence_fd is equal to or greater than 0
     - ui/gtk: Fix mouse/motion event scaling issue with GTK display backend
     - target/i386: rdpkru/wrpkru are no-prefix instructions
     - target/i386: fix operand size for DATA16 REX.W POPCNT
     - hw/remote/vfio-user: Fix config space access byte order
     - target/i386: Give IRQs a chance when resetting HF_INHIBIT_IRQ_MASK
     - hw/arm/npcm7xx: Store derivative OTP fuse key in little endian
     - hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields
     - .gitlab-ci.d/cirrus.yml: Shorten the runtime of the macOS and FreeBSD jobs
     - tests/avocado: update sunxi kernel from armbian to 6.6.16
     - backends/cryptodev-builtin: Fix local_error leaks
     - nbd/server: Mark negotiation functions as coroutine_fn
     - nbd/server: do not poll within a coroutine context
     - linux-user: do_setsockopt: fix SOL_ALG.ALG_SET_KEY
     - gitlab/opensbi: Move to docker:stable
     - gitlab-ci: Remove job building EDK2 firmware binaries



--- End Message ---
