The update has been prepared and uploaded to our esm-infra security staging PPA. Unfortunately the riscv64 build did not complete until today, and our policy on the security engineering team is to not release updates on Friday unless absolutely necessary, and given the context I have received that this is not blocking for the customer that reported it, we would like to proceed with releasing this update early Monday. Please let me know if there is urgency to get this update out and I can make an exception to get this out today.
As for some context into the regression, focal's source is structurally different compared to jammy and onward, which made certain patches (pre1) completely fail to apply. I *attempted* to incorporate the necessary logic into CVE-2024-4467-1.patch by including `& BDRV_O_NO_IO` guards in appropriate locations, however I missed 1/3 necessary locations for this guard, introducing the regression. Fortunately this report included a straightforward reproduction outline and I confirmed the issue on the current +esm2 version of QEMU. After introducing the guard and rebuilding as +esm3 and executing the same testing strategy, I no longer can reproduce the behaviour described in this bug and instead get the correct behaviour observed in jammy. While I also prepared update for trusty-bionic, fortunately those source trees were even older and did not contain the vulnerable code at all, making the application of CVE-2024-4467 not needed, hence why this only affects focal. I apologize for the inconvenience and greatly appreciate the bug report! ** CVE added: https://cve.org/CVERecord?id=CVE-2024-4467 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2158180 Title: ESM Regression: `qemu-img info` fails with `1:4.2-3ubuntu6.30+esm2` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-pro/+bug/2158180/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
