Hi,

On Fri, Jul 05, 2024 at 09:27:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:qemu package:
> 
> #1075824: qemu: CVE-2024-4467
> 
> It has been closed by Michael Tokarev <m...@tls.msk.ru>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Michael Tokarev
> <m...@tls.msk.ru> by replying to this email.
> 
> 
> -- 
> 1075824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075824
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> From: Michael Tokarev <m...@tls.msk.ru>
> User-Agent: Mozilla Thunderbird
> Date: Sat, 6 Jul 2024 00:23:36 +0300
> To: 1075824-d...@bugs.debian.org
> Subject: Re: Bug#1075824: qemu: CVE-2024-4467
> Message-ID: <85f6d51a-8c62-46ce-b38b-7ec5d4409...@tls.msk.ru>
> 
> Version: 1:9.0.1+ds-1
> 
> 05.07.2024 23:41, Salvatore Bonaccorso wrote:
> > Source: qemu
> > Version: 1:8.2.5+ds-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> > <t...@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerability was published for qemu.
> > 
> > CVE-2024-4467[0]:
> > | A flaw was found in the QEMU disk image utility (qemu-img) 'info'
> > | command. A specially crafted image file containing a `json:{}` value
> > | describing block devices in QMP could cause the qemu-img process on
> > | the host to consume large amounts of memory or CPU time, leading to
> > | denial of service or read/write to an existing external file.
> 
> This is fixed by qemu uploaded earlier today.
> 
> Patches are already prepared for bookworm (for qemu 7.2.x series) and
> already verified upstream and passed the tests.

Yes thanks, had only the 1:8.2.5+ds-2 initially to check.

Updated the security-tracker accordingly now.

Regards,
Salvatore
