Bug#1007931: marked as done (buster-pu: package qemu/1:3.1+dfsg-8+deb10u9)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 03 Sep 2022 18:54:31 +0100
with message-id <77db8e800e37865531ef15fe3172af6c97b237c7.camel@adam-barratt.org.uk>
and subject line Re: Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
has caused the Debian Bug report #1007931,
regarding buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1007931: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
• From: Moritz Muehlenhoff <jmm@debian.org>
• Date: Fri, 18 Mar 2022 20:06:16 +0100
• Message-id: <164763037653.6848.9960823807734521628.reportbug@hullmann.westfalen.local>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mjt@tls.msk.ru

Various low severity qemu issues, but since quite a few
of those have piled up, it makes sense to move to an
update. Debdiff below.

Cheers,
        Moritz

diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog	2020-07-24 14:00:34.000000000 +0200
+++ qemu-3.1+dfsg/debian/changelog	2022-02-15 18:53:24.000000000 +0100
@@ -1,3 +1,34 @@
+qemu (1:3.1+dfsg-8+deb10u9) buster; urgency=medium
+
+  * CVE-2021-3930
+  * CVE-2021-3748 (Closes: #993401)
+  * CVE-2021-3713 (Closes: #992727)
+  * CVE-2021-3682 (Closes: #991911)
+  * CVE-2021-3608 (Closes: #990563)
+  * CVE-2021-3607 (Closes: #990564)
+  * CVE-2021-3582 (Closes: #990565)
+  * CVE-2021-3527 (Closes: #988157)
+  * CVE-2021-3392 (Closes: #984449)
+  * CVE-2021-20257 (Closes: #984450)
+  * CVE-2021-20221
+  * CVE-2021-20203 (Closes: #984452)
+  * CVE-2021-20196 (Closes: #984453)
+  * CVE-2021-20181
+  * CVE-2020-35505 (Closes: #979679)
+  * CVE-2020-35504 (Closes: #979679)
+  * CVE-2020-27617 (Closes: #973324)
+  * CVE-2020-25723 (Closes: #975276)
+  * CVE-2020-25624 (Closes: #970541)
+  * CVE-2020-25625 (Closes: #970542)
+  * CVE-2020-25085 (Closes: #970540)
+  * CVE-2020-25084 (Closes: #970539)
+  * CVE-2020-15859 (Closes: #965978)
+  * CVE-2020-13253 (Closes: #961297)
+  * None of the slirp changes got backported to 3.1, if you use it you should
+    really upgrade to the version of qemu in bullseye
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Tue, 15 Feb 2022 18:53:24 +0100
+
 qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium
 
   * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch	2022-02-01 16:26:24.000000000 +0100
@@ -0,0 +1,80 @@
+790762e5487114341cccc5bffcec4cb3c022c3cd / CVE-2020-13253
+
+--- qemu-3.1+dfsg.orig/hw/sd/sd.c
++++ qemu-3.1+dfsg/hw/sd/sd.c
+@@ -1149,12 +1149,14 @@ static sd_rsp_type_t sd_normal_command(S
+     case 17:	/* CMD17:  READ_SINGLE_BLOCK */
+         switch (sd->state) {
+         case sd_transfer_state:
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_sendingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+-
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             return sd_r1;
+ 
+         default:
+@@ -1165,12 +1167,14 @@ static sd_rsp_type_t sd_normal_command(S
+     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
+         switch (sd->state) {
+         case sd_transfer_state:
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_sendingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+-
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             return sd_r1;
+ 
+         default:
+@@ -1210,13 +1214,17 @@ static sd_rsp_type_t sd_normal_command(S
+             /* Writing in SPI mode not implemented.  */
+             if (sd->spi)
+                 break;
++
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_receivingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+             sd->blk_written = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             if (sd_wp_addr(sd, sd->data_start))
+                 sd->card_status |= WP_VIOLATION;
+             if (sd->csd[14] & 0x30)
+@@ -1234,13 +1242,17 @@ static sd_rsp_type_t sd_normal_command(S
+             /* Writing in SPI mode not implemented.  */
+             if (sd->spi)
+                 break;
++
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_receivingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+             sd->blk_written = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             if (sd_wp_addr(sd, sd->data_start))
+                 sd->card_status |= WP_VIOLATION;
+             if (sd->csd[14] & 0x30)
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch	2022-02-01 16:31:48.000000000 +0100
@@ -0,0 +1,14 @@
+22dc8663d9fc7baa22100544c600b6285a63c7a3 / CVE-2020-15859
+
+--- qemu-3.1+dfsg.orig/net/queue.c
++++ qemu-3.1+dfsg/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queu
+ 
+ bool qemu_net_queue_flush(NetQueue *queue)
+ {
++    if (queue->delivering)
++        return false;
++
+     while (!QTAILQ_EMPTY(&queue->packets)) {
+         NetPacket *packet;
+         int ret;
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch	2022-02-01 16:36:57.000000000 +0100
@@ -0,0 +1,16 @@
+21bc31524e8ca487e976f713b878d7338ee00df2 / CVE-2020-25084
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-xhci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-xhci.c
+@@ -1607,7 +1607,10 @@ static int xhci_setup_packet(XHCITransfe
+     xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */
+     usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
+                      xfer->trbs[0].addr, false, xfer->int_req);
+-    usb_packet_map(&xfer->packet, &xfer->sgl);
++    if (usb_packet_map(&xfer->packet, &xfer->sgl)) {
++        qemu_sglist_destroy(&xfer->sgl);
++        return -1;
++    }
+     DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
+             xfer->packet.pid, ep->dev->addr, ep->nr);
+     return 0;
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch	2022-02-01 16:41:15.000000000 +0100
@@ -0,0 +1,13 @@
+dfba99f17feb6d4a129da19d38df1bcd8579d1c3 / CVE-2020-25085
+
+--- qemu-3.1+dfsg.orig/hw/sd/sdhci.c
++++ qemu-3.1+dfsg/hw/sd/sdhci.c
+@@ -1144,7 +1144,7 @@ sdhci_write(void *opaque, hwaddr offset,
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+-            MASKED_WRITE(s->blksize, mask, value);
++            MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+         }
+ 
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch	2022-02-01 17:10:14.000000000 +0100
@@ -0,0 +1,58 @@
+1328fe0c32d5474604105b8105310e944976b058 / CVE-2020-25624
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-ohci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-ohci.c
+@@ -797,7 +797,11 @@ static int ohci_service_iso_td(OHCIState
+     }
+ 
+     start_offset = iso_td.offset[relative_frame_number];
+-    next_offset = iso_td.offset[relative_frame_number + 1];
++    if (relative_frame_number < frame_count) {
++        next_offset = iso_td.offset[relative_frame_number + 1];
++    } else {
++        next_offset = iso_td.be;
++    }
+ 
+     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || 
+         ((relative_frame_number < frame_count) && 
+@@ -830,7 +834,12 @@ static int ohci_service_iso_td(OHCIState
+         }
+     } else {
+         /* Last packet in the ISO TD */
+-        end_addr = iso_td.be;
++        end_addr = next_offset;
++    }
++
++    if (start_addr > end_addr) {
++        trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++        return 1;
+     }
+ 
+     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -839,6 +848,9 @@ static int ohci_service_iso_td(OHCIState
+     } else {
+         len = end_addr - start_addr + 1;
+     }
++    if (len > sizeof(ohci->usb_buf)) {
++        len = sizeof(ohci->usb_buf);
++    }
+ 
+     if (len && dir != OHCI_TD_DIR_IN) {
+         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -1037,8 +1049,16 @@ static int ohci_service_td(OHCIState *oh
+         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+         } else {
++            if (td.cbp > td.be) {
++                trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++                ohci_die(ohci);
++                return 1;
++            }
+             len = (td.be - td.cbp) + 1;
+         }
++        if (len > sizeof(ohci->usb_buf)) {
++            len = sizeof(ohci->usb_buf);
++        }
+ 
+         pktlen = len;
+         if (len && dir != OHCI_TD_DIR_IN) {
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch	2022-02-01 16:53:28.000000000 +0100
@@ -0,0 +1,15 @@
+1be90ebecc95b09a2ee5af3f60c412b45a766c4f / CVE-2020-25625
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-ohci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-ohci.c
+@@ -753,6 +753,10 @@ static int ohci_service_iso_td(OHCIState
+            the next ISO TD of the same ED */
+         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+                                                         frame_count);
++        if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
++            /* avoid infinite loop */
++            return 1;
++        }
+         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+         ed->head &= ~OHCI_DPTR_MASK;
+         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch	2022-02-01 17:13:16.000000000 +0100
@@ -0,0 +1,28 @@
+2fdb42d840400d58f2e706ecca82c142b97bcbd6 / CVE-2020-25723
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-ehci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-ehci.c
+@@ -1371,7 +1371,10 @@ static int ehci_execute(EHCIPacket *p, c
+         spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+         usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+                          (p->qtd.token & QTD_TOKEN_IOC) != 0);
+-        usb_packet_map(&p->packet, &p->sgl);
++        if (usb_packet_map(&p->packet, &p->sgl)) {
++            qemu_sglist_destroy(&p->sgl);
++            return -1;
++        }
+         p->async = EHCI_ASYNC_INITIALIZED;
+     }
+ 
+@@ -1447,7 +1450,10 @@ static int ehci_process_itd(EHCIState *e
+             if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+                 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+                                  (itd->transact[i] & ITD_XACT_IOC) != 0);
+-                usb_packet_map(&ehci->ipacket, &ehci->isgl);
++                if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++                    qemu_sglist_destroy(&ehci->isgl);
++                    return -1;
++                }
+                 usb_handle_packet(dev, &ehci->ipacket);
+                 usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+             } else {
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch	2022-02-01 17:17:03.000000000 +0100
@@ -0,0 +1,24 @@
+7564bf7701f00214cdc8a678a9f7df765244def1 / CVE-2020-27617
+
+--- qemu-3.1+dfsg.orig/net/eth.c
++++ qemu-3.1+dfsg/net/eth.c
+@@ -16,6 +16,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "qemu-common.h"
+@@ -72,9 +73,8 @@ eth_get_gso_type(uint16_t l3_proto, uint
+             return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+         }
+     }
+-
+-    /* Unsupported offload */
+-    g_assert_not_reached();
++    qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++        "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+ 
+     return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch	2022-02-04 17:20:46.000000000 +0100
@@ -0,0 +1,26 @@
+0db895361b8a82e1114372ff9f4857abea605701 / CVE-2020-35504
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -252,6 +252,9 @@ static void esp_do_dma(ESPState *s)
+         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+         return;
+     }
++    if (!s->current_req) {
++        return;
++    }
+     if (s->async_len == 0) {
+         /* Defer until data is available.  */
+         return;
+@@ -265,6 +268,11 @@ static void esp_do_dma(ESPState *s)
+     } else {
+         s->dma_memory_write(s->dma_opaque, s->async_buf, len);
+     }
++
++    if (!s->current_req) {
++        return;
++    }
++
+     s->dma_left -= len;
+     s->async_buf += len;
+     s->async_len -= len;
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch	2022-02-04 17:30:17.000000000 +0100
@@ -0,0 +1,15 @@
+99545751734035b76bd372c4e7215bb337428d89 / CVE-2020-35505
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -135,6 +135,10 @@ static void do_busid_cmd(ESPState *s, ui
+ 
+     trace_esp_do_busid_cmd(busid);
+     lun = busid & 7;
++
++    if (!s->current_dev) {
++        return;
++    }
+     current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+     s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+     datalen = scsi_req_enqueue(s->current_req);
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch	2022-02-04 17:33:05.000000000 +0100
@@ -0,0 +1,25 @@
+89fbea8737e8f7b954745a1ffc4238d377055305 / CVE-2021-20181
+
+--- qemu-3.1+dfsg.orig/hw/9pfs/9p.c
++++ qemu-3.1+dfsg/hw/9pfs/9p.c
+@@ -498,9 +498,9 @@ static int coroutine_fn v9fs_mark_fids_u
+ {
+     int err;
+     V9fsState *s = pdu->s;
+-    V9fsFidState *fidp, head_fid;
++    V9fsFidState *fidp;
+ 
+-    head_fid.next = s->fid_list;
++again:
+     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+         if (fidp->path.size != path->size) {
+             continue;
+@@ -520,7 +520,7 @@ static int coroutine_fn v9fs_mark_fids_u
+              * switched to the worker thread
+              */
+             if (err == 0) {
+-                fidp = &head_fid;
++                goto again;
+             }
+         }
+     }
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch	2022-02-04 20:11:13.000000000 +0100
@@ -0,0 +1,52 @@
+d05dcd94aee88728facafb993c7280547eb4d645 / CVE-2021-20203
+
+--- qemu-3.1+dfsg.orig/hw/net/vmxnet3.c
++++ qemu-3.1+dfsg/hw/net/vmxnet3.c
+@@ -1532,6 +1532,7 @@ static void vmxnet3_activate_device(VMXN
+     vmxnet3_setup_rx_filtering(s);
+     /* Cache fields from shared memory */
+     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+     VMW_CFPRN("MTU is %u", s->mtu);
+ 
+     s->max_rx_frags =
+@@ -1585,6 +1586,9 @@ static void vmxnet3_activate_device(VMXN
+         /* Read rings memory locations for TX queues */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++        if (size > VMXNET3_TX_RING_MAX_SIZE) {
++            size = VMXNET3_TX_RING_MAX_SIZE;
++        }
+ 
+         vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1595,6 +1599,9 @@ static void vmxnet3_activate_device(VMXN
+         /* TXC ring */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++        if (size > VMXNET3_TC_RING_MAX_SIZE) {
++            size = VMXNET3_TC_RING_MAX_SIZE;
++        }
+         vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxCompDesc), true);
+         VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1636,6 +1643,9 @@ static void vmxnet3_activate_device(VMXN
+             /* RX rings */
+             pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+             size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++            if (size > VMXNET3_RX_RING_MAX_SIZE) {
++                size = VMXNET3_RX_RING_MAX_SIZE;
++            }
+             vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+                               sizeof(struct Vmxnet3_RxDesc), false);
+             VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1645,6 +1655,9 @@ static void vmxnet3_activate_device(VMXN
+         /* RXC ring */
+         pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++        if (size > VMXNET3_RC_RING_MAX_SIZE) {
++            size = VMXNET3_RC_RING_MAX_SIZE;
++        }
+         vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+                           sizeof(struct Vmxnet3_RxCompDesc), true);
+         VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch	2022-02-11 17:20:09.000000000 +0100
@@ -0,0 +1,13 @@
+edfe2eb4360cde4ed5d95bda7777edcb3510f76a / CVE-2021-20221
+
+--- qemu-3.1+dfsg.orig/hw/intc/arm_gic.c
++++ qemu-3.1+dfsg/hw/intc/arm_gic.c
+@@ -1453,7 +1453,7 @@ static void gic_dist_writel(void *opaque
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
++        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch	2022-02-11 17:23:08.000000000 +0100
@@ -0,0 +1,22 @@
+3de46e6fc489c52c9431a8a832ad8170a7569bd8 / CVE-2021-20257
+
+--- qemu-3.1+dfsg.orig/hw/net/e1000.c
++++ qemu-3.1+dfsg/hw/net/e1000.c
+@@ -657,6 +657,9 @@ process_tx_desc(E1000State *s, struct e1
+         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+         do {
+             bytes = split_size;
++            if (tp->size >= msh) {
++                goto eop;
++            }
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+ 
+@@ -682,6 +685,7 @@ process_tx_desc(E1000State *s, struct e1
+         tp->size += split_size;
+     }
+ 
++eop:
+     if (!(txd_lower & E1000_TXD_CMD_EOP))
+         return;
+     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch	2022-02-11 17:25:18.000000000 +0100
@@ -0,0 +1,45 @@
+3791642c8d60029adf9b00bcb4e34d7d8a1aea4d / CVE-2021-3392
+
+--- qemu-3.1+dfsg.orig/hw/scsi/mptsas.c
++++ qemu-3.1+dfsg/hw/scsi/mptsas.c
+@@ -252,13 +252,10 @@ static int mptsas_build_sgl(MPTSASState
+ 
+ static void mptsas_free_request(MPTSASRequest *req)
+ {
+-    MPTSASState *s = req->dev;
+-
+     if (req->sreq != NULL) {
+         req->sreq->hba_private = NULL;
+         scsi_req_unref(req->sreq);
+         req->sreq = NULL;
+-        QTAILQ_REMOVE(&s->pending, req, next);
+     }
+     qemu_sglist_destroy(&req->qsg);
+     g_free(req);
+@@ -304,7 +301,6 @@ static int mptsas_process_scsi_io_reques
+     }
+ 
+     req = g_new0(MPTSASRequest, 1);
+-    QTAILQ_INSERT_TAIL(&s->pending, req, next);
+     req->scsi_io = *scsi_io;
+     req->dev = s;
+ 
+@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevic
+ 
+     s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+ 
+-    QTAILQ_INIT(&s->pending);
+-
+     scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
+ }
+ 
+--- qemu-3.1+dfsg.orig/hw/scsi/mptsas.h
++++ qemu-3.1+dfsg/hw/scsi/mptsas.h
+@@ -74,7 +74,6 @@ struct MPTSASState {
+     uint16_t reply_frame_size;
+ 
+     SCSIBus bus;
+-    QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+ 
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch	2022-02-11 17:30:48.000000000 +0100
@@ -0,0 +1,45 @@
+7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 and 05a40b172e4d691371534828078be47e7fff524c
+CVE-2021-3527
+
+--- qemu-3.1+dfsg.orig/hw/usb/combined-packet.c
++++ qemu-3.1+dfsg/hw/usb/combined-packet.c
+@@ -172,7 +172,9 @@ void usb_ep_combine_input_packets(USBEnd
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
++                (totalsize == (16 * KiB - 36) && p->int_req) ||
++                /* Next package may grow combined package over 1MiB */
++                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {
+--- qemu-3.1+dfsg.orig/hw/usb/redirect.c
++++ qemu-3.1+dfsg/hw/usb/redirect.c
+@@ -602,7 +602,7 @@ static void usbredir_handle_iso_data(USB
+                 .endpoint = ep,
+                 .length = p->iov.size
+             };
+-            uint8_t buf[p->iov.size];
++            g_autofree uint8_t *buf = g_malloc(p->iov.size);
+             /* No id, we look at the ep when receiving a status back */
+             usb_packet_copy(p, buf, p->iov.size);
+             usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -800,7 +800,7 @@ static void usbredir_handle_bulk_data(US
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+                                         &bulk_packet, NULL, 0);
+     } else {
+-        uint8_t buf[size];
++        g_autofree uint8_t *buf = g_malloc(size);
+         usb_packet_copy(p, buf, size);
+         usbredir_log_data(dev, "bulk data out:", buf, size);
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -873,7 +873,7 @@ static void usbredir_handle_interrupt_ou
+                                                USBPacket *p, uint8_t ep)
+ {
+     struct usb_redir_interrupt_packet_header interrupt_packet;
+-    uint8_t buf[p->iov.size];
++    g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ 
+     DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+             p->iov.size, p->id);
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch	2022-02-14 17:28:53.000000000 +0100
@@ -0,0 +1,18 @@
+284f191b4abad213aed04cb0458e1600fd18d7c4 / CVE-2021-3582
+
+--- qemu-3.1+dfsg.orig/hw/rdma/vmw/pvrdma_cmd.c
++++ qemu-3.1+dfsg/hw/rdma/vmw/pvrdma_cmd.c
+@@ -39,6 +39,13 @@ static void *pvrdma_map_to_pdir(PCIDevic
+         return NULL;
+     }
+ 
++    length = ROUND_UP(length, TARGET_PAGE_SIZE);
++    if (nchunks * TARGET_PAGE_SIZE != length) {
++        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++                          (unsigned long)length);
++        return NULL;
++    }
++
+     dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {
+         error_report("PVRDMA: Failed to map to page directory");
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch	2022-02-15 15:14:56.000000000 +0100
@@ -0,0 +1,15 @@
+32e5703cfea07c91e6e84bcb0313f633bb146534 / CVE-2021-3607
+
+--- qemu-3.1+dfsg.orig/hw/rdma/vmw/pvrdma_main.c
++++ qemu-3.1+dfsg/hw/rdma/vmw/pvrdma_main.c
+@@ -71,6 +71,10 @@ static int init_dev_ring(PvrdmaRing *rin
+     pr_dbg("Initializing device ring %s\n", name);
+     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)dir_addr);
+     pr_dbg("num_pages=%d\n", num_pages);
++    if (!num_pages) {
++        rdma_error_report("Ring pages count must be strictly positive");
++        return -EINVAL;
++    }
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         pr_err("Failed to map to page directory\n");
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch	2022-02-15 15:17:10.000000000 +0100
@@ -0,0 +1,13 @@
+66ae37d8cc313f89272e711174a846a229bcdbd3 /CVE-2021-3608
+
+--- qemu-3.1+dfsg.orig/hw/rdma/vmw/pvrdma_dev_ring.c
++++ qemu-3.1+dfsg/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -42,7 +42,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
+     atomic_set(&ring->ring_state->cons_head, 0);
+     */
+     ring->npages = npages;
+-    ring->pages = g_malloc(npages * sizeof(void *));
++    ring->pages = g_malloc0(npages * sizeof(void *));
+ 
+     for (i = 0; i < npages; i++) {
+         if (!tbl[i]) {
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch	2022-02-15 15:18:56.000000000 +0100
@@ -0,0 +1,13 @@
+5e796671e6b8d5de4b0b423dce1b3eba144a92c9 / CVE-2021-3682
+
+--- qemu-3.1+dfsg.orig/hw/usb/redirect.c
++++ qemu-3.1+dfsg/hw/usb/redirect.c
+@@ -458,7 +458,7 @@ static int bufp_alloc(USBRedirDevice *de
+     if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+         if (dev->endpoint[EP2I(ep)].bufpq_size >
+                 dev->endpoint[EP2I(ep)].bufpq_target_size) {
+-            free(data);
++            free(free_on_destroy);
+             return -1;
+         }
+         dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch	2022-02-15 18:40:40.000000000 +0100
@@ -0,0 +1,36 @@
+13b250b12ad3c59114a6a17d59caf073ce45b33a / CVE-2021-3713
+
+--- qemu-3.1+dfsg.orig/hw/usb/dev-uas.c
++++ qemu-3.1+dfsg/hw/usb/dev-uas.c
+@@ -827,6 +827,9 @@ static void usb_uas_handle_data(USBDevic
+         }
+         break;
+     case UAS_PIPE_ID_STATUS:
++        if (p->stream > UAS_MAX_STREAMS) {
++            goto err_stream;
++        }
+         if (p->stream) {
+             QTAILQ_FOREACH(st, &uas->results, next) {
+                 if (st->stream == p->stream) {
+@@ -854,6 +857,9 @@ static void usb_uas_handle_data(USBDevic
+         break;
+     case UAS_PIPE_ID_DATA_IN:
+     case UAS_PIPE_ID_DATA_OUT:
++        if (p->stream > UAS_MAX_STREAMS) {
++            goto err_stream;
++        }
+         if (p->stream) {
+             req = usb_uas_find_request(uas, p->stream);
+         } else {
+@@ -889,6 +895,11 @@ static void usb_uas_handle_data(USBDevic
+         p->status = USB_RET_STALL;
+         break;
+     }
++
++err_stream:
++    error_report("%s: invalid stream %d", __func__, p->stream);
++    p->status = USB_RET_STALL;
++    return;
+ }
+ 
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch	2022-02-15 18:42:34.000000000 +0100
@@ -0,0 +1,94 @@
+bedd7e93d01961fcb16a97ae45d93acf357e11f6 / CVE-2021-3748
+
+--- qemu-3.1+dfsg.orig/hw/net/virtio-net.c
++++ qemu-3.1+dfsg/hw/net/virtio-net.c
+@@ -1194,10 +1194,13 @@ static ssize_t virtio_net_receive_rcu(Ne
+     VirtIONet *n = qemu_get_nic_opaque(nc);
+     VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+     VirtIODevice *vdev = VIRTIO_DEVICE(n);
++    VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++    size_t lens[VIRTQUEUE_MAX_SIZE];
+     struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+     struct virtio_net_hdr_mrg_rxbuf mhdr;
+     unsigned mhdr_cnt = 0;
+-    size_t offset, i, guest_offset;
++    size_t offset, i, guest_offset, j;
++    ssize_t err;
+ 
+     if (!virtio_net_can_receive(nc)) {
+         return -1;
+@@ -1220,6 +1223,12 @@ static ssize_t virtio_net_receive_rcu(Ne
+ 
+         total = 0;
+ 
++        if (i == VIRTQUEUE_MAX_SIZE) {
++            virtio_error(vdev, "virtio-net unexpected long buffer chain");
++            err = size;
++            goto err;
++        }
++
+         elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+         if (!elem) {
+             if (i) {
+@@ -1231,7 +1240,8 @@ static ssize_t virtio_net_receive_rcu(Ne
+                              n->guest_hdr_len, n->host_hdr_len,
+                              vdev->guest_features);
+             }
+-            return -1;
++            err = -1;
++            goto err;
+         }
+ 
+         if (elem->in_num < 1) {
+@@ -1239,7 +1249,8 @@ static ssize_t virtio_net_receive_rcu(Ne
+                          "virtio-net receive queue contains no in buffers");
+             virtqueue_detach_element(q->rx_vq, elem, 0);
+             g_free(elem);
+-            return -1;
++            err = -1;
++            goto err;
+         }
+ 
+         sg = elem->in_sg;
+@@ -1271,12 +1282,13 @@ static ssize_t virtio_net_receive_rcu(Ne
+         if (!n->mergeable_rx_bufs && offset < size) {
+             virtqueue_unpop(q->rx_vq, elem, total);
+             g_free(elem);
+-            return size;
++            err = size;
++            goto err;
+         }
+ 
+-        /* signal other side */
+-        virtqueue_fill(q->rx_vq, elem, total, i++);
+-        g_free(elem);
++        elems[i] = elem;
++        lens[i] = total;
++        i++;
+     }
+ 
+     if (mhdr_cnt) {
+@@ -1286,10 +1298,23 @@ static ssize_t virtio_net_receive_rcu(Ne
+                      &mhdr.num_buffers, sizeof mhdr.num_buffers);
+     }
+ 
++    for (j = 0; j < i; j++) {
++        /* signal other side */
++        virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++        g_free(elems[j]);
++    }
++
+     virtqueue_flush(q->rx_vq, i);
+     virtio_notify(vdev, q->rx_vq);
+ 
+     return size;
++
++err:
++    for (j = 0; j < i; j++) {
++        g_free(elems[j]);
++    }
++
++    return err;
+ }
+ 
+ static ssize_t virtio_net_receive(NetClientState *nc, const uint8_t *buf,
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch	1970-01-01 01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch	2022-02-15 18:44:07.000000000 +0100
@@ -0,0 +1,24 @@
+b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 / CVE-2021-3930
+
+--- qemu-3.1+dfsg.orig/hw/scsi/scsi-disk.c
++++ qemu-3.1+dfsg/hw/scsi/scsi-disk.c
+@@ -1082,6 +1082,7 @@ static int mode_sense_page(SCSIDiskState
+     uint8_t *p = *p_outbuf + 2;
+     int length;
+ 
++    assert(page < ARRAY_SIZE(mode_sense_valid));
+     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+         return -1;
+     }
+@@ -1422,6 +1423,11 @@ static int scsi_disk_check_mode_select(S
+         return -1;
+     }
+ 
++    /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++    if (page == MODE_PAGE_ALLS) {
++        return -1;
++    }
++
+     p = mode_current;
+     memset(mode_current, 0, inlen + 2);
+     len = mode_sense_page(s, page, &p, 0);
diff -Nru qemu-3.1+dfsg/debian/patches/series qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series	2020-07-24 14:00:34.000000000 +0200
+++ qemu-3.1+dfsg/debian/patches/series	2022-02-15 18:53:24.000000000 +0100
@@ -49,3 +49,26 @@
 sm501-replace-hand-written-implementation-with-pixman-CVE-2020-12829.patch
 usb-fix-setup_len-init-CVE-2020-14364.patch
 net-assertion-in-net_tx_pkt_add_raw_fragment-CVE-2020-16092.patch
+CVE-2020-13253.patch
+CVE-2020-15859.patch
+CVE-2020-25084.patch
+CVE-2020-25085.patch
+CVE-2020-25625.patch
+CVE-2020-25624.patch
+CVE-2020-25723.patch
+CVE-2020-27617.patch
+CVE-2020-35504.patch
+CVE-2020-35505.patch
+CVE-2021-20181.patch
+CVE-2021-20203.patch
+CVE-2021-20221.patch
+CVE-2021-20257.patch
+CVE-2021-3392.patch
+CVE-2021-3527.patch
+CVE-2021-3582.patch
+CVE-2021-3607.patch
+CVE-2021-3608.patch
+CVE-2021-3682.patch
+CVE-2021-3713.patch
+CVE-2021-3748.patch
+CVE-2021-3930.patch

--- End Message ---

--- Begin Message ---

• To: Abhijith PA <abhijith@debian.org>, 1007931-done@bugs.debian.org, jmm@debian.org
• Subject: Re: Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 03 Sep 2022 18:54:31 +0100
• Message-id: <77db8e800e37865531ef15fe3172af6c97b237c7.camel@adam-barratt.org.uk>
• In-reply-to: <YwNKaYDB3mOTPQqd@debian.org>
• References: <164763037653.6848.9960823807734521628.reportbug@hullmann.westfalen.local> <YwNKaYDB3mOTPQqd@debian.org>

On Mon, 2022-08-22 at 14:50 +0530, Abhijith PA wrote:
> Hello Moritz, 
> 
> I've prepared a qemu build months back fixing pending CVEs then. I 
> have now took 2 patches (CVE-2020-35504, CVE-2020-35505) from your 
> diff and backported a new CVE, fixing total of ~35 CVEs. 
> 
> I've tested on my setup and seems fine. Can you please test with 
> latest build[1].
> 
> Debdiff attached.
> 
> 
> 
> --abhiijith
> 
> 1 - 
> https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc 

It looks like this was released via LTS; re-closing.

Regards,

Adam

--- End Message ---