Your message dated Mon, 19 May 2025 21:04:48 +0200
with message-id <[email protected]>
and subject line Re: Bug#1104934: virglrenderer: CVE-2025-2509
has caused the Debian Bug report #1104934,
regarding virglrenderer: CVE-2025-2509
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1104934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104934
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: virglrenderer
Version: 1.1.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for virglrenderer.

CVE-2025-2509[0]:
| Out-of-Bounds Read in Virglrenderer in ChromeOS  16093.57.0 allows a
| malicious guest VM to achieve arbitrary address access within the
| crosvm sandboxed process, potentially leading to  VM escape via
| crafted vertex elements data triggering an out-of-bounds read in
| util_format_description.

Unfortunately we have not really much information here, and the
chromium issuetracker issues are not accessible.

It *mgiht* be ChromeOS specific, but this needs to be assessed, can
you reach out to upstream?


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2509
    https://www.cve.org/CVERecord?id=CVE-2025-2509

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Hi Sylvain,

On Mon, May 19, 2025 at 05:42:40PM +0200, Sylvain Beucler wrote:
> Hi,
> 
> On Thu, 08 May 2025 21:43:59 +0200 Salvatore Bonaccorso <[email protected]>
> wrote:
> > Unfortunately we have not really much information here, and the
> > chromium issuetracker issues are not accessible.
> 
> One of the links is now public :)
> https://issuetracker.google.com/issues/385851796

Perfect, this was indeed not the case back when filling the bug. This
makes no Debian version affected then, since we have no version
introducing the issue, will update the tracker in a minute.

Regards,
Salvatore

--- End Message ---

Reply via email to