Your message dated Sat, 6 Jul 2024 00:23:36 +0300 with message-id <85f6d51a-8c62-46ce-b38b-7ec5d4409...@tls.msk.ru> and subject line Re: Bug#1075824: qemu: CVE-2024-4467 has caused the Debian Bug report #1075824, regarding qemu: CVE-2024-4467 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1075824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075824 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: qemu Version: 1:8.2.5+ds-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for qemu. CVE-2024-4467[0]: | A flaw was found in the QEMU disk image utility (qemu-img) 'info' | command. A specially crafted image file containing a `json:{}` value | describing block devices in QMP could cause the qemu-img process on | the host to consume large amounts of memory or CPU time, leading to | denial of service or read/write to an existing external file. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-4467 https://www.cve.org/CVERecord?id=CVE-2024-4467 [1] https://bugzilla.redhat.com/show_bug.cgi?id=2278875 [2] https://gitlab.com/qemu-project/qemu/-/commit/bd385a5298d7062668e804d73944d52aec9549f1 https://gitlab.com/qemu-project/qemu/-/commit/2eb42a728d27a43fdcad5f37d3f65706ce6deba5 https://gitlab.com/qemu-project/qemu/-/commit/7e1110664ecbc4826f3c978ccb06b6c1bce823e6 https://gitlab.com/qemu-project/qemu/-/commit/7ead946998610657d38d1a505d5f25300d4ca613 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Version: 1:9.0.1+ds-1 05.07.2024 23:41, Salvatore Bonaccorso wrote:Source: qemu Version: 1:8.2.5+ds-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for qemu. CVE-2024-4467[0]: | A flaw was found in the QEMU disk image utility (qemu-img) 'info' | command. A specially crafted image file containing a `json:{}` value | describing block devices in QMP could cause the qemu-img process on | the host to consume large amounts of memory or CPU time, leading to | denial of service or read/write to an existing external file.This is fixed by qemu uploaded earlier today. Patches are already prepared for bookworm (for qemu 7.2.x series) and already verified upstream and passed the tests. Thanks, /mjt -- GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24. New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
--- End Message ---
