Hi,

On Fri, Jul 05, 2024 at 09:27:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:qemu package:
>
> #1075824: qemu: CVE-2024-4467
>
> It has been closed by Michael Tokarev <m...@tls.msk.ru>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Michael Tokarev
> <m...@tls.msk.ru> by
> replying to this email.
>
>
> --
> 1075824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075824
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> From: Michael Tokarev <m...@tls.msk.ru>
> User-Agent: Mozilla Thunderbird
> Date: Sat, 6 Jul 2024 00:23:36 +0300
> To: 1075824-d...@bugs.debian.org
> Subject: Re: Bug#1075824: qemu: CVE-2024-4467
> Message-ID: <85f6d51a-8c62-46ce-b38b-7ec5d4409...@tls.msk.ru>
>
> Version: 1:9.0.1+ds-1
>
> 05.07.2024 23:41, Salvatore Bonaccorso wrote:
> > Source: qemu
> > Version: 1:8.2.5+ds-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for qemu.
> >
> > CVE-2024-4467[0]:
> > | A flaw was found in the QEMU disk image utility (qemu-img) 'info'
> > | command. A specially crafted image file containing a `json:{}` value
> > | describing block devices in QMP could cause the qemu-img process on
> > | the host to consume large amounts of memory or CPU time, leading to
> > | denial of service or read/write to an existing external file.
>
> This is fixed by qemu uploaded earlier today.
>
> Patches are already prepared for bookworm (for qemu 7.2.x series) and
> already verified upstream and passed the tests.

Yes thanks, had only the 1:8.2.5+ds-2 initially to check. Updated the
security-tracker accordingly now.

Regards,
Salvatore
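The CVE text quoted above describes an image file that carries a `json:{}` block-device description which qemu-img then parses. One place such a string can live inside a qcow2 file is the image's backing-file name, which is stored at an offset given in the header. The script below is an added example, not part of this bug thread or of QEMU's own code: it reads the qcow2 header fields (magic, version, backing_file_offset, backing_file_size, all big-endian) and flags images whose backing-file name starts with the `json:` pseudo-protocol prefix, so that untrusted images can be triaged before being handed to an unpatched qemu-img. The `build_qcow2` helper only constructs synthetic test images; the sample file names are made up. This is a pre-flight check for one known vector, not a replacement for updating to the fixed package versions named in the thread.

```python
import struct
from typing import Optional, Tuple

QCOW2_MAGIC = b"QFI\xfb"          # bytes 0-3 of every qcow2 image
MAX_BACKING_NAME = 1023           # qcow2 limits the backing-file name length
HEADER_PAD = 512                  # where the synthetic images place the name


def qcow2_backing_file(image: bytes) -> Optional[str]:
    """Return the backing-file name stored in a qcow2 header, or None.

    Header layout (big-endian): magic u32, version u32,
    backing_file_offset u64, backing_file_size u32.
    Raises ValueError if the name would lie outside the file.
    """
    if len(image) < 20 or image[:4] != QCOW2_MAGIC:
        return None
    _version, off, size = struct.unpack(">IQI", image[4:20])
    if size == 0:
        return None
    if size > MAX_BACKING_NAME or off + size > len(image):
        raise ValueError("backing-file name out of bounds")
    return image[off:off + size].decode("utf-8", errors="replace")


def is_json_pseudo_protocol(name: str) -> bool:
    """True if the name is a json: block-driver description rather than a path."""
    return name.lstrip().lower().startswith("json:")


def check_image(image: bytes) -> Tuple[str, Optional[str]]:
    """Classify an image: ('not-qcow2'|'no-backing'|'ok'|'reject', backing name)."""
    if image[:4] != QCOW2_MAGIC:
        return ("not-qcow2", None)
    try:
        name = qcow2_backing_file(image)
    except ValueError:
        return ("reject", None)          # header points outside the file
    if name is None:
        return ("no-backing", None)
    if is_json_pseudo_protocol(name):
        return ("reject", name)
    return ("ok", name)


def build_qcow2(backing: bytes) -> bytes:
    """Construct a minimal synthetic qcow2 header (test data only).

    Only the fields this check reads are meaningful; the rest is zero
    padding, so the result is not a usable disk image.
    """
    off = HEADER_PAD if backing else 0
    header = QCOW2_MAGIC + struct.pack(">IQI", 3, off, len(backing))
    return header.ljust(HEADER_PAD, b"\x00") + backing


# Constructed sample images for illustration.
BENIGN = build_qcow2(b"base.qcow2")
NO_BACKING = build_qcow2(b"")
CRAFTED = build_qcow2(
    b'json:{"driver":"raw","file":{"driver":"file","filename":"/path/to/other-file"}}'
)
# Header claims a name that extends past the end of the file.
TRUNCATED = QCOW2_MAGIC + struct.pack(">IQI", 3, HEADER_PAD, 64)

if __name__ == "__main__":
    for label, img in (("benign", BENIGN), ("no-backing", NO_BACKING),
                       ("crafted", CRAFTED), ("truncated", TRUNCATED)):
        print(label, check_image(img))
```

Run it over a real file with `check_image(open(path, "rb").read())`; anything classified `reject` deserves a look before `qemu-img info` is run on it by an unpatched build. Because the check only inspects the backing-file name, it should be treated as one triage signal, not as proof that an image is safe.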