Control: severity -1 wishlist Control: tag -1 + upstream confirmed
On 02.05.2025 10:54, Jacob Lifshay wrote:
Source: qemu Version: 1:7.2+dfsg-7+deb12u12 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: programmerj...@gmail.com, Debian Security Team <t...@security.debian.org> Dear Maintainer, I found a timing side-channel while reading through the source of crypto/aes.c I initially reported a security issue to upstream, they told me that since it's only used by TCG and TCG is not considered secure, they don't consider it a security issue. I then reported the security issue to debian, I was told to create an upstream bug and a matching debian bug. https://gitlab.com/qemu-project/qemu/-/issues/2946
... I don't see the reason for this bug report either. TCG is not used for for any security-sensitive processing. If you need to run a real guest, you should use kvm instead (and run your guest on a native processor), and there, hardware implementation of AES is used. Yes, in TCG mode, we've a timing "issue", and it'd be nice if it had no security implications, but it's definitely of a very low priority. Thanks, /mjt
