Hello there, (Please CC me since I am not subscribed to the QEMU devel list.)
I am working on backporting some CVE fixes to old Debian versions (bullseye and previous), and I would like to ask you some help to confirm if QEMU in those debian releases is affected by CVE-2024-3446 or not. This is QEMU 5.2, 3.1 and 2.8. On the 7.2 branch, the following four commits are required to fix CVE-2024-3446: https://gitlab.com/qemu-project/qemu/-/commit/e070e5e6748e3217028fa21aa30bb51f862368c8 https://gitlab.com/qemu-project/qemu/-/commit/6d37a308159766cb90ed745cfeb1880937b638ec https://gitlab.com/qemu-project/qemu/-/commit/e7c2df3fd748a20a8b7a316d186b3ac77551f159 https://gitlab.com/qemu-project/qemu/-/commit/7aaf5f7778de4d75a169ab193f08857eb28db3a4 AFAICS, the qemu_bh_new calls were replaced with qemu_bh_new_guarded in 7.2.6. Please note that 6d37a308159766cb90ed745cfeb1880937b638ec (and ba28e0ff4d95b56dc334aac2730ab3651ffc3132) include this bug as reference: https://bugs.launchpad.net/qemu/+bug/1888606. Could you please confirm the CVE relates to the same issue? I am unable to reproduce the issue. I've tried the reproducer found at 6d37a308 and the one from the ubuntu referenced bug. However comment #5 in the ubuntu bug mentions it was reproducible with QEMU 5.0, so I am confused. To summarise: it OK to affirm QEMU 5.x and older is unaffected by CVE-2024-3446? Thanks in advance, and happy new year! -- Santiago
signature.asc
Description: PGP signature
