-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5983-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 22, 2025 https://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : qemu CVE ID : CVE-2025-54566 CVE-2025-54567 This update removes the usage of the C (Credential) flag for the binfmt_misc registration within the qemu-user package, as it allowed for privilege escalation when running a suid/sgid binary under qemu-user. This means suid/sgid foreign-architecture binaries are not running with elevated privileges under qemu-user anymore. If you relied on this behavior of qemu-user in the past (running suid/sgid foreign-arch binaries), this will require changes to your deployment. In Bookworm the affected packages are qemu-user-static (and qemu-user-binfmt) instead of qemu-user. Additionally, two security issues were fixed the in SR-IOV support of QEMU system emulation. For the oldstable distribution (bookworm), these problems have been fixed in version 1:7.2+dfsg-7+deb12u15. For the stable distribution (trixie), these problems have been fixed in version 1:10.0.2+ds-2+deb13u1. We recommend that you upgrade your qemu packages. For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: [email protected] -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmiouaUACgkQEMKTtsN8 TjYzfRAAvDaO3Ia2zPie5VU7oYK9KfUb9muqXLyQQNW62sEnHz8s6mp8VqdEOB+Q 7BtOKJxZwt4VbnMUr0uDY5o5AHjYywbiPQzamD2gL+tpURUOb5A7QEOZYz7p3sdC 74ggfx39wiaFrqMSv7b1VJWdwAxnRdDRFdj54PqFNVSfi5NQOCfv99FEvHdhqEct Lc2fUwlsA9obm+J0gvRpQ04mVuT1go4NALtroUGy9NgeFJkZcbu4h7EnhvT3Q6uf I2z7Nee+oqbnr8Cuj5tSysJF+JqmjQLdwnBHhR/y1sRMRNeCV2L9vxyMmEqGPI18 /Vm0SG05DvqDKexG5Zyf7Rc3lwP1NZFljH7amzIPnioTy91ZB5TpECsp2NKsPNmc +ERIAMH+2kZk7Jasm7r1MosW1fQH976PllKqu6yACHFHHWnQR7aC+YdcNMDlNThp lLeTwK/M1kjhBv/BdLlPPFGDJalaaP9vDk7qsscyDQVohHyqIFBTxJkN/qqfrc12 BA/lDMdlKuU5KTNCpJmk8WGQpLllnjDqepJaG8c+WSie48tg0B1/r03xPt3y0KDY 2lAadQhQ15h7kjrfnvd/ZXaSVkcF2zdCcwZbElCfmgh7Jlm3Gd2BQQNV03Us9XFK /5C8FSuUulETHiFROuLiwe8TjxQ8e6bvvW5xV5Xhnlc+VT2G2go= =s2Hd -----END PGP SIGNATURE-----
