Hi,
Sorry for the late reply.
Thanks for the detailed analysis and testing.
Check this page for our general workflow:
https://lts-team.pages.debian.net/wiki/Development.html
We generally do not work on a patch-by-patch basis, and we need to
(re)perform thorough tests after batch-fixing CVEs, so this is not an
efficient way to contribute.
If you want to get familiar with LTS I would recommend checking
data/dla-needed.txt in the security tracker and picking a simple package to
prepare a full update for. You say you are not DM/DD though, so maybe
preparing a security update for a stable release is not yet suitable for
your learning journey. Security bugs need to be fixed in unstable before
other releases, so you may want to help there in a first step.
Cheers!
Sylvain Beucler
Debian LTS Team
On 11/01/2026 21:16, Juan Mendez wrote:
Hi LTS team,
I've prepared a security fix for qemu in Bullseye and I'm looking for
a sponsor to review and upload it since I am not a DM/DD.
(Note: I am working on several packages including chromium-embedded-framework
and plan to apply for NM soon)
This is my first LTS contribution; I took this one as a way to learn the
process.
## Summary
- Package: qemu
- Version: 1:5.2+dfsg-11+deb11u4 (current: 1:5.2+dfsg-11+deb11u3)
- CVE: CVE-2025-11234
- Debian Bug: #1117153
- Severity: Medium (use-after-free, potential code execution)
## Vulnerability Description
CVE-2025-11234 is a use-after-free vulnerability in QEMU's WebSocket
channel implementation (QIOChannelWebsock). When a QIOChannelWebsock
object is freed while waiting for a handshake to complete, the
associated GSource is not cleaned up properly. This causes callbacks
to be invoked on already-freed memory.
Attack vector: An attacker can trigger this by sending incomplete
WebSocket connections to a QEMU VNC server with WebSocket enabled
(-vnc :0,websocket=PORT).
## The Fix
The fix backports upstream commit cebdbd038e44af56e74272924dc2bf595a51fd8f
(included in QEMU v7.2.22). The changes are:
1. Add new field `guint hs_io_tag` to QIOChannelWebsock structure to
track the GSource associated with the handshake (separate from the
existing io_tag used for normal I/O).
2. Store the GSource ID when scheduling handshake callbacks in
qio_channel_websock_handshake() and qio_channel_websock_handshake_io().
3. Clear hs_io_tag when handshake callbacks complete.
4. Add cleanup of hs_io_tag in qio_channel_websock_finalize() and
qio_channel_websock_close() to prevent use-after-free.
Files modified:
- include/io/channel-websock.h (add hs_io_tag field)
- io/channel-websock.c (track and cleanup GSource)
## Testing Performed
Build testing:
- Built successfully with pbuilder in a clean Bullseye chroot
- All binary packages generated correctly
- Patch applies cleanly with quilt
Functional testing:
- Installed patched QEMU in Docker container (Debian Bullseye)
- Started QEMU with VNC WebSocket enabled (-vnc :99,websocket=5700)
- Stress tested with 50,000+ incomplete WebSocket handshakes
- QEMU remained stable throughout testing (both patched and unpatched)
Note on crash-based testing:
The use-after-free race condition did not trigger a visible crash in
our containerized test environment. This is what I interpret as expected
behavior for UAF bugs - the race window is extremely small and modern
memory allocators delay reuse of freed memory. Definitive runtime
verification would require rebuilding QEMU with AddressSanitizer
(--enable-sanitizers).
The fix is verified correct by:
1. Code review against upstream commit cebdbd038e44
2. Analysis confirming the GSource leak in pre-fix code
3. The fix has been included in QEMU v7.2.22, v10.0.7, v10.1.3
## Patch
The adapted patch for QEMU 5.2 is attached. The original upstream
commit can be found at:
https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f
## Additional Notes
- Bookworm (QEMU 7.2) is already fixed in 1:7.2+dfsg-7+deb12u18
- The security tracker marks Bullseye as <no-dsa> (Minor issue)
- The fix is minimal, affecting only WebSocket handling
I'm happy to make any changes requested and to provide additional
testing or information as needed, or do a salsa Merge Request instead.
Thanks for your time,
Juan Manuel Méndez Rey <[email protected]>
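As an added illustration of the bug class the thread describes (this is not code from the thread, from QEMU, or from the upstream commit), the stand-alone C sketch below models the handshake-watch lifecycle: a channel arms a callback on the main loop, is torn down before the handshake completes, and the loop later dispatches the callback with a dangling pointer. GLib is replaced by a tiny table of pending sources so the example runs without dependencies, and every name here (ws_channel, source_add, run_scenario, ...) is invented for the sketch rather than taken from QEMU. A registry of live objects plays the role that an AddressSanitizer build plays in the real test, detecting the stale pointer without touching freed memory. The four steps of the fix (new hs_io_tag field, storing the id, clearing it on completion, removing it in finalize) are marked in comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SOURCES 8
#define MAX_LIVE    8

typedef bool (*source_cb)(void *user_data); /* true = keep the source armed */

/* Stand-in for GLib's main loop: a fixed table of pending sources. */
struct source {
    unsigned tag;         /* 0 marks a free slot; real ids start at 1 */
    source_cb cb;
    void *user_data;
};
static struct source sources[MAX_SOURCES];
static unsigned next_tag;

/* Registry of objects still allocated, compared by address only, so a
 * callback can notice a dangling user_data pointer without dereferencing it. */
static uintptr_t live[MAX_LIVE];
static int dangling_callbacks;

static void loop_reset(void)
{
    memset(sources, 0, sizeof sources);
    memset(live, 0, sizeof live);
    next_tag = 1;
    dangling_callbacks = 0;
}

static unsigned source_add(source_cb cb, void *user_data)
{
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (sources[i].tag == 0) {
            sources[i].tag = next_tag++;
            sources[i].cb = cb;
            sources[i].user_data = user_data;
            return sources[i].tag;
        }
    }
    abort(); /* table full: cannot happen in this example */
}

static bool source_remove(unsigned tag)
{
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (sources[i].tag == tag) {
            memset(&sources[i], 0, sizeof sources[i]);
            return true;
        }
    }
    return false;
}

/* Run every armed source once; drop those whose callback returns false. */
static void loop_dispatch(void)
{
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (sources[i].tag != 0 && !sources[i].cb(sources[i].user_data))
            memset(&sources[i], 0, sizeof sources[i]);
    }
}

static void live_set(void *p, bool alive)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (alive ? live[i] == 0 : live[i] == (uintptr_t)p) {
            live[i] = alive ? (uintptr_t)p : 0;
            return;
        }
    }
}

static bool is_live(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == (uintptr_t)p)
            return true;
    return false;
}

/* Model of the channel: io_tag predates the fix, hs_io_tag is step 1 of it. */
struct ws_channel {
    unsigned io_tag;      /* watch for normal I/O after the handshake */
    unsigned hs_io_tag;   /* watch for the handshake itself (added by the fix) */
    bool handshake_done;
};

static bool handshake_io_cb(void *user_data)
{
    if (!is_live(user_data)) {
        dangling_callbacks++;  /* the channel was finalized while this watch was armed */
        return false;
    }
    struct ws_channel *ch = user_data;
    ch->handshake_done = true;
    ch->hs_io_tag = 0;        /* step 3: clear the tag once the callback completes */
    return false;
}

static struct ws_channel *ws_channel_new(void)
{
    struct ws_channel *ch = calloc(1, sizeof *ch);
    if (!ch)
        abort();
    live_set(ch, true);
    return ch;
}

static void ws_channel_start_handshake(struct ws_channel *ch)
{
    ch->hs_io_tag = source_add(handshake_io_cb, ch);  /* step 2: remember the id */
}

static void ws_channel_finalize(struct ws_channel *ch, bool with_fix)
{
    if (ch->io_tag) {                 /* pre-fix code already cleaned this one up */
        source_remove(ch->io_tag);
        ch->io_tag = 0;
    }
    if (with_fix && ch->hs_io_tag) {  /* step 4: the handshake watch was forgotten before */
        source_remove(ch->hs_io_tag);
        ch->hs_io_tag = 0;
    }
    live_set(ch, false);
    free(ch);
}

/* A peer connects but never finishes the handshake, and the channel is torn
 * down while its watch is still armed. Returns how many callbacks then fired
 * on a dangling pointer: 1 without the fix, 0 with it. */
int run_scenario(bool with_fix)
{
    loop_reset();
    struct ws_channel *ch = ws_channel_new();
    ws_channel_start_handshake(ch);
    ws_channel_finalize(ch, with_fix);  /* freed before the handshake completes */
    loop_dispatch();                    /* the main loop keeps running afterwards */
    return dangling_callbacks;
}

/* Control case: the handshake completes first, so the tag is already cleared
 * when the fixed finalize runs. Returns 1 when everything is consistent. */
int run_normal_handshake(void)
{
    loop_reset();
    struct ws_channel *ch = ws_channel_new();
    ws_channel_start_handshake(ch);
    loop_dispatch();
    int tag_cleared = ch->handshake_done && ch->hs_io_tag == 0;
    ws_channel_finalize(ch, true);
    return tag_cleared && dangling_callbacks == 0;
}

int main(void)
{
    printf("without fix: %d dangling callback(s)\n", run_scenario(false));
    printf("with fix:    %d dangling callback(s)\n", run_scenario(true));
    printf("normal handshake consistent: %d\n", run_normal_handshake());
    return 0;
}
```

The live-object registry is the part worth carrying over to real testing: as the thread notes, a plain build will usually not crash on this race because the allocator delays reuse, so an AddressSanitizer build (or a check like this one) is what turns the stale callback into an observable failure rather than silent memory corruption.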