Hi Michael,

On Thu, Dec 18, 2025 at 07:49:51AM +0300, Michael Tokarev wrote:
> On 12/16/25 20:00, Salvatore Bonaccorso wrote:
> > Hi Michael,
> > 
> > On Tue, Dec 16, 2025 at 07:49:51PM +0300, Michael Tokarev wrote:
> > > On 12/16/25 19:15, Salvatore Bonaccorso wrote:
> > > > 
> > > > Hi!
> > > > Thanks for the quick reply!
> > > > 
> > > > > There are 2 new upstream stable/bugfix releases in the
> > > > > 7.2.x LTS branch. The number of fixes this time is
> > > > > relatively small, and many of them are to the testsuite,
> > > > > in an attempt to keep tests running.
> > > > > 
> > > > > Among other things, this fixes two security issues:
> > > > > #1119917, CVE-2025-12464 (buffer overflow in e1000_receive_iov)
> > > > > #1117153, CVE-2025-11234 (UAF in websocket handshake code)
> > > > 
> > > > Just a question for proper tracking, shouldn't we consider the
> > > > CVE-2025-12464 issue only being introduced with 8.1.0 according to
> > > > the commit
> > > > https://lore.kernel.org/qemu-devel/[email protected]/T/#u
> > > > https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d78089e9e585faaeb19afccff2050abf
> > > > ?
> > > 
> > > This is a very good question indeed. It looks like I overlooked this
> > > one for the 7.2.x branch when picking up the changes. The code in
> > > 7.2.x isn't vulnerable to this particular issue. I'll do some more
> > > analysis around the matter, - if it should be reverted entirely.
> > > At the very least, these changes (several of them) didn't break
> > > legitimate usage of e1000 device in 7.2.x, as my tests show.
> > 
> > Ack, so for updating the tracking information we hold back and see if
> > this is correct not to affect v7.2.22 or not or if it is still
> > legitimate to pick the change (but e.g. not consider if to fix the CVE
> > or otoh if we need to reevaluate where the issue is introduced).
> 
> So, yes, it was my mistake to include the fix for CVE-2025-12464
> in 7.2.x branch - the fix doesn't do any good there, because the
> issue doesn't exist in 7.2.x to begin with. It doesn't do any bad
> either.
> 
> I'll remove the "Closes:" tag from the debian/changelog entry for
> this (pending) upload. The rest of it stays.

Thank you for analyzing it and reporting back!

Regards,
Salvatore

