Source: qemu
Version: 1:10.0.2+ds-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:5.2+dfsg-11+deb11u4
Control: found -1 1:5.2+dfsg-11
Control: found -1 1:7.2+dfsg-7+deb12u13
Control: found -1 1:7.2+dfsg-7
Control: found -1 1:10.0.2+ds-2
Control: found -1 1:10.0.2+ds-1
Control: fixed -1 1:7.2+dfsg-7+deb12u15
Control: fixed -1 1:10.0.2+ds-2+deb13u1
Control: fixed -1 1:10.0.3+ds-3
Make a tracking bug for easier reference for the issue fixed in DSA
5983-1:
* d/binfmt-install: stop using C (Credentials) flag for binfmt_misc
registration. This means suid and sgid binaries under qemu-user
will work without changing credentials. This is a serious security
issue, since qemu-user never supposed to be used in this way, and
it is trivial to get elevated privileges for an attacker if there's
any suid/sgid binary under qemu-user which is runnable for an
attacker. This change might break CI/testing environment expectations.
https://lists.debian.org/debian-security-announce/2025/msg00147.html
Regards,
Salvatore
