-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Jun 2026 09:28:48 +0300
Source: qemu
Architecture: source
Version: 1:10.0.10+ds-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1085299 1128478 1129349 1129604 1129605
Changes:
 qemu (1:10.0.10+ds-0+deb13u1) trixie; urgency=medium
 .
   * 10.0.10 upstream stable/bugfix release:
    - Update version for 10.0.10 release
    - block/graph-lock: fix missed wakeup in bdrv_graph_co_rdunlock()
    - block: Add more defaults to DEFAULT_BLOCK_CONF
    - block: Create DEFAULT_BLOCK_CONF macro
    - ide-test: Test reset during TRIM
    - ide-test: Factor out wait_dma_completion()
    - ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code
    - ide: Minimal fix for deadlock between TRIM and drain
    - block: Add flags parameter to blk_*_pdiscard()
    - block: Add blk_co_start/end_request() and BDRV_REQ_NO_QUEUE
    - blkdebug: Add 'delay-ns' option
    - linux-user/sh4: Fix setup_sigtramp to match Linux kernel
      trampoline pattern
    - linux-user/sh4: Fix target_ucontext tuc_link field type
    - linux-user: Fix AT_EXECFN in AUXV for symlinked programs
    - hw/nvme: fix admin cq msix setup
    - tests/functional/qemu_test/asset.py: Don't use setxattr
      when it doesn't exist
    - meson.build: Add -fzero-init-padding-bits=all
    - hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]
    - aspeed/hace: Prevent total_req_len overflow
    - aspeed/hace: Fix out-of-bounds read in has_padding()
    - hw/display/cirrus_vga: Fix packed-24 color-expansion transparent copies
    - hw/display/cirrus_vga: Fix packed-24 color-expansion
      transparent pattern fills
    - hw/ufs: Keep MCQ SQs alive while requests are outstanding
    - hw/ufs: Reject zero-depth MCQ queues
    - hw/ufs: Guard MCQ CQ accesses against missing queues
    - hw/ufs: Validate MCQ SQ references before use
    - hw/uefi: check auth.hdr_length minimum size
      (Closes: CVE-2026-8341)
    - hw/uefi: avoid possibly unaligned variable_auth_2 struct field access
      (Closes: CVE-2026-41440)
    - hw/uefi: verify data size before accessing it in wrap_pkcs7
      (Closes: CVE-2026-41439)
    - hw/uefi: add name_size check to uefi_vars_mm_lock_variable()
      (Closes: CVE-2026-41438)
    - hw/uefi: fix ucs2 string helper functions
      (Closes: CVE-2026-41437)
    - hw/uefi: verify pio_xfer_offset before calculating buffer checksum
      (Closes: CVE-2026-41436)
    - hw/uefi: fix buffer overruns
      (Closes: CVE-2026-41435)
    - hw/misc/bcm2835_rng: Specify valid memory access sizes
    - target/arm: Report IL=0 for Thumb 16-bit BKPT insn
    - target/microblaze: Fix endianness used to disassemble
    - hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7
    - hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled
    - hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node
    - hw/ppc/e500: Move clock and TB frequency to machine class
    - tests/rcutorture: Fix build error
    - hw/intc/xics: Add a check for an invalid server id
    - linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR
    - linux-user: Allow getsockopt() with NULL optval address
    - linux-user: Flush errors by using exit() instead of _exit() in error path
    - linux-user: Add missing CDROM ioctls
    - target/riscv: Use ELEN for Fractional LMUL check
    - target/riscv: Don't OR mip.SEIP when mvien is one
    - target/riscv: Generate access fault if sc comparison fails
    - riscv_htif: reject invalid signature ranges (end <= begin)
    - hw/intc: fix heap OOB in ACLINT MTIMER multi-socket
    - target/riscv: fix stale ptshift and base on page walk restart
    - hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled
    - linux-user: Flush errors by using exit() instead of _exit() in error path
    - linux-user: Use abi_int for imr_ifindex in ip_mreqn struct
    - linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone
    - linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW
    - linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW
    - linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW
    - linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands
    - linux-user/strace: Use pointer type for read and write values
    - linux-user/arm/nwfpe: Use thread-local storage for qemufpa
    - linux-user/arm/nwfpe: Replace user_registers with current_cpu
    - linux-user: Don't define target_stat64 struct for loongarch64
    - linux-user: fix off-by-one in host_to_target_for_each_rtattr()
    - linux-user/ppc: Fix ppc64 rt_sigframe stack offset
    - hw/sh4/sh7750: Remove forgotten abort() in the MM_ITLB_DATA handler
    - hw/misc: Fix the valid access size to the avr-power device
    - migration: vmstate_save_state_v: fix double error_setg
    - hw/display: don't accidentally autofree existing virgl resources
      (Closes: CVE-2026-6502)
    - meson: add missing semicolon in pthread_condattr_setclock test
    - target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode
    - target/i386: fix missing PF_INSTR in SIGSEGV context
    - target/i386: fix strList leak in x86_cpu_get_unavailable_features
    - target/arm/tcg/translate.c: remove MO_TE usage
    - ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen)
    - ui/spice-app: detect runtime directory creation failures
    - serial COM: windows serial COM PollingFunc don't sleep
    - util/cutils: Fix heap corruption under Windows
    - virtio-blk: fix zone report buffer out-of-memory
      (Closes: CVE-2026-5761)
    - qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config
    - hw/uefi: fix heap overflow
      (Closes: CVE-2026-5744)
    - virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req
      and virtio_scsi_handle_cmd_req_prepare
      (Closes: CVE-2026-5763)
    - util/readline: Fix out-of-bounds access in readline_insert_char()
    - target/arm: fix fault_s1ns for stage 2 faults
    - target/arm: do_ats_write(): avoid assertion when ptw failed
    - bsd-user, linux-user: signal: recursive signal delivery fix
    - linux-user: Make openat2() use -L for absolute paths
    - linux-user: update select timeout writeback
    - linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
    - util: fix missing aio_wait sym in qemu guest agent only build
    - monitor: Fix deadlock in monitor_cleanup
    - scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable
    - ide: Fix potential assertion failure on VM stop for PIO read error
    - ui/vnc-jobs: fix VncRectEntry leak on job cleanup
    - hw/net/rocker: Avoid double-free of l2_flood.group_ids
    - lsi53c895a: keep SCSIRequest alive during DMA
    - lsi53c895a: keep lsi_request alive as long as the SCSIRequest
    - lsi53c895a: keep lsi_request and SCSIRequest in local variables
    - lsi53c895a: do not do anything else if a reset is requested
      by writing ISTAT0
    - lsi53c895a: keep a reference to the device while SCRIPTS execute
      (Closes: #1085299, CVE-2024-6519)
    - scripts/qemu-guest-agent/fsfreeze-hook: Fix syslog-fallback logic
    - scripts/qemu-guest-agent/fsfreeze-hook: Avoid use of PIPESTATUS
    - scripts/qemu-guest-agent/fsfreeze-hook: Avoid bash-isms
    - hw/nvme: fix heap-buffer-overflow in nvme_abort
    - hw/nvme: re-enable wzds bit in namespace dlfeat
    - tcg: Pass host-endian values to plugin_gen_mem_callbacks_*
    - hw/audio/sb16: validate VMState fields in post_load
    - block/curl: free s->password in cleanup paths
    - linux-aio: Resubmit tails of short reads/writes
    - linux-aio: Put all parameters into qemu_laiocb
    - hw/dma/pl080: Fix transfer logic in PL080
    - linux-user/i386/signal.c: Correct definition of target_fpstate_32
    - hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs
      for error handling
    - hw/net/ftgmac100: Improve DMA error handling
    - hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop
      (Closes: CVE-2026-3890)
    - rust: suggest passing --locked to "cargo install"
    - target/riscv: rvv: Fix page probe issues in vext_ldff
    - target/riscv: rvv: Fix missing flags merge in probe_pages
      for cross-page accesses
    - Expand the probe_pages helper function to handle probe flags
    - block: Drop detach_subchain for bdrv_replace_node
    - virtio-gpu: fix overflow check when allocating 2d image
      (Closes: CVE-2026-3886)
    - io: Fix TLS bye task leak
    - ppc/pnv: generate dtb after machine initialization is complete
    - ppc/pnv: fix dumpdtb option
    - block/mirror: fix assertion failure upon duplicate complete
      for job using 'replaces'
    - throttle-group: Fix race condition in throttle_group_restart_queue()
    - target/i386: fix NULL pointer dereference in legacy-cache=off handling
    - hw/dma/pl080: Ignore bottom 2 bits of LLI register
    - hw/dma/pl080: Update interrupts after pl080_run()
    - hw/dma/pl080: Handle bogus swidth and dwidth in transfers
    - linux-user: fix mremap with old_size=0 for shared mappings
    - linux-user: Fix zero_bss for RX PT_LOAD segments
    - hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug
 .
   * 10.0.9 stable/bugfix release:
    - Update version for 10.0.9 release
    - hyperv/syndbg: check length returned by cpu_physical_memory_map()
      (Closes: CVE-2026-3842)
    - fuse: Copy write buffer content before polling
    - target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch
    - target/loongarch: Preserve PTE permission bits in LDPTE
    - hw/net/npcm_gmac: Catch accesses off the end of the register array
    - linux-user: fix TIOCGSID ioctl
    - tests/tcg/multiarch/test-mmap: Check mmaps beyond reserved_va
    - bsd-user: Deal with mmap where start > reserved_va
    - linux-user: Deal with mmap where start > reserved_va
    - hw/net/xilinx_ethlite: Check for oversized TX packets
    - virtio-gpu: Ensure BHs are invoked only from main-loop thread
    - block/nfs: Do not enter coroutine from CB
    - block: Never drop BLOCK_IO_ERROR with action=stop for rate limiting
    - block/throttle-groups: fix deadlock with iolimits and muliple iothreads
    - mirror: Fix missed dirty bitmap writes during startup
      (Closes: #1129349)
    - block/curl: fix concurrent completion handling
    - block/vmdk: fix OOB read in vmdk_read_extent()
      (Closes: #1128478, CVE-2026-2243)
    - hw/net/smc91c111: Don't allow negative-length packets
    - io: fix cleanup for websock I/O source data on cancellation
    - io: fix cleanup for TLS I/O source data on cancellation
    - io: separate freeing of tasks from marking them as complete
    - target/i386/hvf/x86_mmu: Fix compiler warning
    - hw/i386/vmmouse: Fix hypercall clobbers
    - tests/docker: upgrade most non-lcitool debian tests to debian 13
    - hw/9pfs: fix missing EOPNOTSUPP on Twstat and Trenameat
      for fs synth driver
    - hw/9pfs: fix data race in v9fs_mark_fids_unreclaim()
    - target/arm: set the correct TI bits for WFIT traps
    - hw/ssi/xilinx_spips: Reset TX FIFO in reset
    - hw/misc/virt_ctrl: Fix incorrect trace event in read operation
    - virtio-snd: tighten read amount in in_cb
      (Closes: #1129604, CVE-2026-3195)
    - virtio-snd: fix max_size bounds check in input cb
      (Closes: #1129604, CVE-2026-3195)
    - virtio-snd: handle 5.14.6.2 for PCM_INFO properly
      (Closes: #1129605, CVE-2026-3196)
    - virtio-snd: remove TODO comments
    - virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type
      (was in virtio-gpu-virgl-Add-virtio-gpu-virgl-hostmem-region.patch)
    - target/arm: Fix feature check in DO_SVE2_RRX, DO_SVE2_RRX_TB
    - target/arm: Account for SME in aarch64_sve_narrow_vq() assertion
    - target/arm: Introduce ARMCPU.sme_max_vq
    - hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
    - docs/about/emulation: Add documentation for hotblocks plugin arguments
    - contrib/plugins/hotblocks: Print uint64_t with PRIu64 rather than PRId64
    - contrib/plugins/hotblocks: Fix off by one error in iteration
      of sorted blocks
    - contrib/plugins/hotblocks: Correctly free sorted counts list
    - contrib/plugins: Fix type conflict of GLib function pointers
    - python: drop uses of pkg_resources
    - plugins: fix cross-build using LLVM for Windows targets
    - s390x/pci: Fix endianness for zPCI BAR values
Checksums-Sha1:
 6d489125e6cf4c2fd5ee94506bae5b6b6b77c0d2 12560 qemu_10.0.10+ds-0+deb13u1.dsc
 fed5a9ddccdf09002a8f26dc442936c6e4b7d09a 39979984 qemu_10.0.10+ds.orig.tar.xz
 8ccd8eedcdbed7af6bd49da1f7dec25c05a4826e 148364 
qemu_10.0.10+ds-0+deb13u1.debian.tar.xz
 41e9f20c4e82591fc5c869c8cdbaffdfa56c5397 8302 
qemu_10.0.10+ds-0+deb13u1_source.buildinfo
Checksums-Sha256:
 0a3a55cf1c9ab05709708abacc79a50309dbe5f9c711e0d40dd4bf5220d3ae7a 12560 
qemu_10.0.10+ds-0+deb13u1.dsc
 fdf3f4dd475cd7771db0407556cd98b3adcdc0a3a0cba1b5b93b320f3d1a135e 39979984 
qemu_10.0.10+ds.orig.tar.xz
 9f6ab62c7f079e62571ebffada243c95ca042b56a9535e90508bf76fff116c24 148364 
qemu_10.0.10+ds-0+deb13u1.debian.tar.xz
 d083764143a64b95aaa9cf9b78e63d09e4608d182c8dcf4132e0cc025c7f2e20 8302 
qemu_10.0.10+ds-0+deb13u1_source.buildinfo
Files:
 7ac7978c2eb405bbae7ca645bb0c3dd8 12560 otherosfs optional 
qemu_10.0.10+ds-0+deb13u1.dsc
 77d77a340cd841ad86bdbfc481ca5a4e 39979984 otherosfs optional 
qemu_10.0.10+ds.orig.tar.xz
 9f693854cde70a1ca83283207371117b 148364 otherosfs optional 
qemu_10.0.10+ds-0+deb13u1.debian.tar.xz
 29bf446853b3e68c7ccf40025a64eacf 8302 otherosfs optional 
qemu_10.0.10+ds-0+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJqKldWCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmcQ1YAfzOvxi3ZrsY2/KfmwaggbYPLTkKrHt/UDt4BZ
SxYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AAClBhAAxARDk60LxvR5RWSKy5LhNvqY
aUOuQ0dfLqjfjZfiZ5Je/geIlPAooI0PvJASmk/F9/o+7Jdwlpkuawo44ue6LtXN
iduH/Qx6dC8iFHJKtGgdz2eqelSbh2gNpFXDoryirVvOwOy0NlHULjSgP0jA3ua4
6NI/csXCJIUjQ0dd6i07TsuZV+mfCIkuWcWega7FWr96sbzud/bsUMSf8pmx0b12
FrmX3RVHvJUeD8ID/pd8YSQUMrVW5RrQHRZFivfcCvVthWcL/1rr37N41L+GGW87
z+WEzXvYztN8P4EVsLC53Yo+LEiKV2DNXwTZgKDnB56Si8yFMqpdov+6lT+IG4MP
oLB7o2jjBNgg2uX7vUCk3DIu2XgCz+mjTiUXXhcuR4mfTBDuqF1wBsNJwOBfQSfV
jE8njKzRU78MFobLpoakVe1JoKVAdnoBTTOngfa0V5LXavTUouyxqYKEJbcIydSV
6xJP3alYNoBV3cOp3pYXrHiOB8NiA2iQTjAGG+BKgm0Bm6wJFtSU7jVojt581VrI
+3lXeq5sFZhut06rp3ZXGBcfe0QuSfpqCX0e0pv5OAeYOZr+KeIwIAUN4vTIegFD
CaOraGjTHPR7tgHrIPJ2w1+9EhSwZ/rmy9wkSGP/CiATq5R6eWFuzMKsIS4u/LDQ
QRF4pU0mu10oTzihdr8=
=3cRM
-----END PGP SIGNATURE-----

Attachment: pgpMKmj6W6BOq.pgp
Description: PGP signature

Reply via email to