Your message dated Thu, 15 Dec 2022 14:44:18 +0000
with message-id <[email protected]>
and subject line Bug#1025123: fixed in qemu 1:7.2+dfsg-1
has caused the Debian Bug report #1025123,
regarding qemu: CVE-2022-4172: erst: undefined-behavior in memcpy in
write_erst_record
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1025123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025123
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:7.1+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/qemu-project/qemu/-/issues/1268
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for qemu.
CVE-2022-4172[0]:
| An integer overflow and buffer overflow issues were found in the ACPI
| Error Record Serialization Table (ERST) device of QEMU in the
| read_erst_record() and write_erst_record() functions. Both issues may
| allow the guest to overrun the host buffer allocated for the ERST
| memory device. A malicious guest could use these flaws to crash the
| QEMU process on the host.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-4172
https://www.cve.org/CVERecord?id=CVE-2022-4172
[1] https://gitlab.com/qemu-project/qemu/-/issues/1268
[2]
https://gitlab.com/qemu-project/qemu/-/commit/defb70980f6bed36100b74e84220f1764c0dd544
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:7.2+dfsg-1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 15 Dec 2022 17:17:28 +0300
Source: qemu
Architecture: source
Version: 1:7.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1011003 1018254 1021019 1021981 1025123
Changes:
qemu (1:7.2+dfsg-1) unstable; urgency=medium
.
* new upstream release
Closes: #1025123 CVE-2022-4172
(erst: undefined behavior in memcpy in write_erst_record)
Closes: #1021981 qemu-user: faccessat2 is not implemented
Closes: #1021019 CVE-2022-3165 (VNC: integer underflow in
vnc_client_cut_text_ext leads to CPU exhaustion)
* remove patches applied upstream
* refresh note-missing-module-pkg-name.diff
* slirp is always external package now, not a submodule anymore
* d/control: require meson >> 0.61.5~ for build
* spelling.diff: update with more spelling error
* add some lintian-overrides
* fix minor spelling errors in patches
* d/control: Bump Standards-Version to 4.6.1
* debian shell programs use "which" instead of the "command -v",
fix that (Closes: #1018254)
* Better fix for #1019011 (gcc ICE building palcode-clipper), use -O1
instead of -O2 for the failing compile when it actually fails
(no need to depend on gcc-11, Closes: #1011003)
Checksums-Sha1:
a81c80c59a38517edf91e08a440eca05738b4d60 6450 qemu_7.2+dfsg-1.dsc
6ea9655c72a2f21ed0d301479e11194c84978514 23523172 qemu_7.2+dfsg.orig.tar.xz
4aaf49ee0d98359c1a17970d17c71f7f521bbf3e 101680 qemu_7.2+dfsg-1.debian.tar.xz
7ff0503ca1d860f9fd4f3a9813ed9e1a37798099 10956 qemu_7.2+dfsg-1_source.buildinfo
Checksums-Sha256:
31040a83f99772584bb93efcf326aaa60481d018d3c635cbefb30f2c6227e5ad 6450
qemu_7.2+dfsg-1.dsc
91aca71520040edc40b8d437aa3004dae614f58e286cf653ee8996c07af2962f 23523172
qemu_7.2+dfsg.orig.tar.xz
8d950d3b456325614a36dd2b40d75631a5934b63428a1a8d2cb3188aef8ea11e 101680
qemu_7.2+dfsg-1.debian.tar.xz
87a7f6e3737da28dbd4e42fafdc89306883ac77a7eef21947cf6ab140c62602f 10956
qemu_7.2+dfsg-1_source.buildinfo
Files:
eb0a6035b15dd5e77c434d9f25e8c8a1 6450 otherosfs optional qemu_7.2+dfsg-1.dsc
865ae004abc45245029b6812734365c8 23523172 otherosfs optional
qemu_7.2+dfsg.orig.tar.xz
aaed64635a3f790a25eb82cb85e40bc3 101680 otherosfs optional
qemu_7.2+dfsg-1.debian.tar.xz
3ab052996ed8fd75aefdf9f26aeb7440 10956 otherosfs optional
qemu_7.2+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAmObLVAPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5ZF4IH/1uK5G/Yej3OMC2L0vnpduMHPZO46qvWLlej
RkoVL7X85sorxedFUQCBv/FhCsybdZjtF055OKwmpc8UcTwuWNWrj/wZ5nZuAMpI
TIjRetd/t38dbxjEk1+iBIfnYZ6JLeNtNYW2qxtdn1OsVjX3It0jF8RgEMImFzyc
3Cxq243fmFGufBHowAOZ3qAvakCdQb+8naOaB2xZkTROy75m2cO3SQ89ZZVubWYF
iE5sIFFGlflrhb+434O6JI4fNfITMoK/8wn2+Lt60Oy5K6tYmjGZGmwndKefrZYo
ZXFO6HU5iPL3VkrQn6U/Dhu8yrOACPwLZeY5vu34eHVerFjhWdI=
=pEqp
-----END PGP SIGNATURE-----
--- End Message ---
