[ubuntu/noble-security] qemu 1:8.2.2+ds-0ubuntu1.10 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Sep 11 12:15:19 UTC 2025 

qemu (1:8.2.2+ds-0ubuntu1.10) noble-security; urgency=medium

  * SECURITY UPDATE: double-free in QEMU virtio devices
    - debian/patches/CVE-2024-3446-pre1.patch: introduce
      virtio_bh_new_guarded() helper in hw/virtio/virtio.c,
      include/hw/virtio/virtio.h.
    - debian/patches/CVE-2024-3446-1.patch: protect from DMA re-entrancy
      bugs in hw/virtio/virtio-crypto.c.
    - debian/patches/CVE-2024-3446-2.patch: protect from DMA re-entrancy
      bugs in hw/char/virtio-serial-bus.c.
    - debian/patches/CVE-2024-3446-3.patch: protect from DMA re-entrancy
      bugs in hw/display/virtio-gpu.c.
    - CVE-2024-3446
  * SECURITY UPDATE: heap overflow in SDHCI device emulation
    - debian/patches/CVE-2024-3447.patch: do not update TRNMOD when Command
      Inhibit (DAT) is set in hw/sd/sdhci.c.
    - CVE-2024-3447
  * SECURITY UPDATE: assert failure in checksum calculation
    - debian/patches/CVE-2024-3567.patch: fix overrun in
      update_sctp_checksum() in hw/net/net_tx_pkt.c.
    - CVE-2024-3567
  * SECURITY UPDATE: resource consumption in disk utility
    - debian/patches/CVE-2024-4467-1.patch: don't open data_file with
      BDRV_O_NO_IO in block/qcow2.c, tests/qemu-iotests/061*.
    - debian/patches/CVE-2024-4467-2.patch: don't store data-file with
      protocol in image in tests/qemu-iotests/244.
    - debian/patches/CVE-2024-4467-3.patch: don't store data-file with
      json: prefix in image in tests/qemu-iotests/270.
    - debian/patches/CVE-2024-4467-4.patch: parse filenames only when
      explicitly requested in block.c.
    - CVE-2024-4467
  * SECURITY UPDATE: heap overflow in virtio-net device RSS feature
    - debian/patches/CVE-2024-6505.patch: ensure queue index fits with RSS
      in hw/net/virtio-net.c.
    - CVE-2024-6505
  * SECURITY UPDATE: Dos via improper synchronization during socket closure
    - debian/patches/CVE-2024-7409-1.patch: plumb in new args to
      nbd_client_add() in blockdev-nbd.c, include/block/nbd.h,
      nbd/server.c, qemu-nbd.c.
    - debian/patches/CVE-2024-7409-2.patch: cap default max-connections to
      100 in block/monitor/block-hmp-cmds.c, blockdev-nbd.c,
      include/block/nbd.h, qapi/block-export.json.
    - debian/patches/CVE-2024-7409-3.patch: close stray clients at
      server-stop in blockdev-nbd.c.
    - debian/patches/CVE-2024-7409-4.patch: drop non-negotiating clients in
      nbd/server.c, nbd/trace-events.
    - debian/patches/CVE-2024-7409-5.patch: avoid use-after-free when
      closing server in blockdev-nbd.c.
    - CVE-2024-7409
  * SECURITY UPDATE: DoS via assert failure in usb_ep_get()
    - debian/patches/CVE-2024-8354.patch: change ohci validation in
      hw/usb/hcd-ohci.c, hw/usb/trace-events.
    - CVE-2024-8354
  * SECURITY UPDATE: possibly binfmt privilege escalation (LP: #2120814)
    - debian/binfmt-install: stop using C (Credentials) flag for
      binfmt_misc registration.

qemu (1:8.2.2+ds-0ubuntu1.9) noble; urgency=medium

  * d/p/u/lp-2101053-pci-acpi-Windows-PCI-Label-Id-bug-workaround.patch:
    fix windows virtio network by tolerarting a bad acpi call (LP: #2101053)

qemu (1:8.2.2+ds-0ubuntu1.8) noble; urgency=medium

  * d/p/u/lp2101944/*: Synthesize IBPB_BRTYPE and SBPB CPUID bits to the guest
    as described in AMD's Speculative Return Stack Overflow whitepaper.
    (LP: #2101944)

qemu (1:8.2.2+ds-0ubuntu1.7) noble; urgency=medium

  * d/p/u/lp2049698/*: Add full boot order support on s390x (LP: #2049698)
  * Cherry-pick prerequisite for above backport (to avoid FTBFS):
    - d/p/u/lp2049698/0-hw-s390x-sclp.c-include-s390-virtio-ccw.h-to-make.patch
  * d/qemu-system-data.links: symlink s390-netboot.img -> s390-ccw.img for
    backwards compatibility, as the code is now combined.

  [ Michael Tokarev ]
  * d/rules: run ./configure in arch-indep build and build some roms from there.
    After adding just a few more build-deps to common Build-Depends,
    it is now possible to run ./configure in arch-indep step too.
    Run ./configure, and switch s390-ccw and vof.bin builds from
    ad-hoc instructions to using the regular qemu makefiles.
    Move python3-venv dependency from Build-Depend-Arch to Build-Depend
    so that ./configure can be run.
    [cherry-pick https://salsa.debian.org/qemu-team/qemu/-/commit/5b5a97b]

  * Fix qemu-aarch64-static segfaults running ldconfig.real (LP: #2072564)
    - lp-2072564-01-linux-user-Honor-elf-alignment-when-placing-images.patch
    - lp-2072564-02-elfload-Fix-alignment-when-unmapping-excess-reservat.patch
    Thanks to Dimitry Andric for identifying the fix.

qemu (1:8.2.2+ds-0ubuntu1.6) noble; urgency=medium

  [ Gabriel B. Sant'Anna ]
  * Fix emulation of RISC-V Vector instructions (LP: #2095169)
    - d/p/u/lp2095169-riscv-vector-fixes-{01..12}.patch: ensure vstart_eq_zero
      is updated at the end of each vector instruction.
    - Changes come from upstream, but backporting to 8.2.2 required some
      adjustment before patches could be applied cleanly.
    - Thanks to Daniel Henrique Barboza <dbarboza at ventanamicro.com>

qemu (1:8.2.2+ds-0ubuntu1.5) noble; urgency=medium

  * d/p/u/lp-2091099-fix-9p-regression-cve-2023-2861.patch: Fix
    regression regarding CVE-2023-2861 affecting 9p filesystems.
    (LP: #2091099)

Date: 2025-08-26 12:10:28.330820+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/qemu/1:8.2.2+ds-0ubuntu1.10
-------------- next part --------------
Sorry, changesfile not available.

More information about the noble-changes mailing list