Your message dated Mon, 25 Aug 2025 00:02:25 +0000
with message-id <[email protected]>
and subject line Bug#1109989: fixed in qemu 1:10.0.2+ds-2+deb13u1
has caused the Debian Bug report #1109989,
regarding qemu: CVE-2025-54566 CVE-2025-54567
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109989: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109989
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:10.0.2+ds-2
Severity: important
Tags: security upstream
Forwarded:
https://lore.kernel.org/qemu-devel/[email protected]/
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for qemu.
CVE-2025-54566[0]:
| hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state
| inconsistency, a related issue to CVE-2024-26327.
CVE-2025-54567[1]:
| hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable
| bit write mask, a related issue to CVE-2024-26327.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-54566
https://www.cve.org/CVERecord?id=CVE-2025-54566
[1] https://security-tracker.debian.org/tracker/CVE-2025-54567
https://www.cve.org/CVERecord?id=CVE-2025-54567
[2]
https://lore.kernel.org/qemu-devel/[email protected]/
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:10.0.2+ds-2+deb13u1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 15 Aug 2025 12:54:40 +0300
Source: qemu
Architecture: source
Version: 1:10.0.2+ds-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1109989
Changes:
qemu (1:10.0.2+ds-2+deb13u1) trixie-security; urgency=medium
.
* d/binfmt-install: stop using C (Credentials) flag for binfmt_misc
registration. qemu-user binaries were never meant to be used in
suid/sgid scenarios, but was used in debian since late 2009. Any
foreign suid/sgid binary accessible to the users, in presence of
qemu-user binfmt, is trivially exploitable to gain elevated privileges.
This change might break existing setups since for many years people
relied on qemu-user binfmt working with suid binaries, but this is
a situation where it is definitely better be safe than sorry.
* pcie_sriov-Fix-configuration-and-state-synchronizati.patch
(Closes: #1109989, CVE-2025-54566, CVE-2025-54567)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
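
Added example, not part of the Debian messages above: a host audit for the condition the d/binfmt-install changelog entry describes, listing binfmt_misc registrations that still carry the C (credentials) flag. It relies on the `flags:` line the Linux kernel prints in each entry under /proc/sys/fs/binfmt_misc; the function names, sample entries and interpreter paths are constructed for illustration.

```shell
#!/bin/sh
# Report binfmt_misc entries registered with the C (credentials) flag.
# Each entry file contains a line "flags: <letters>" with letters from P, O, C, F.

binfmt_credential_entries() {
    dir=${1:-/proc/sys/fs/binfmt_misc}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # "register" and "status" are control files, not registrations.
        case $name in register|status) continue ;; esac
        flags=$(sed -n 's/^flags: *//p' "$f" 2>/dev/null)
        case $flags in
            *C*)
                interp=$(sed -n 's/^interpreter //p' "$f")
                printf '%s %s %s\n' "$name" "$flags" "$interp"
                ;;
        esac
    done
    return 0
}

# Constructed sample tree: one entry with the C flag (as registered before the
# change) and one without it (as registered after the change).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    printf 'enabled\ninterpreter /usr/bin/qemu-aarch64\nflags: POCF\noffset 0\n' \
        > "$t/qemu-aarch64"
    printf 'enabled\ninterpreter /usr/bin/qemu-riscv64\nflags: PF\noffset 0\n' \
        > "$t/qemu-riscv64"
    : > "$t/register"
    printf 'enabled\n' > "$t/status"
    printf '%s\n' "$t"
}

# Demonstration on the constructed tree; on a real host call
# binfmt_credential_entries with no argument to read /proc/sys/fs/binfmt_misc.
sample=$(make_sample_tree)
binfmt_credential_entries "$sample"
rm -rf "$sample"
```

An empty result on a real host means no registered interpreter is run with the credentials of the binary it interprets; entries registered before the package upgrade stay in place until they are re-registered.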