On 12/16/25 19:15, Salvatore Bonaccorso wrote:

Hi!

There are 2 new upstream stable/bugfix releases in the 7.2.x LTS branch. The number of fixes this time is relatively small, and many of them are to the testsuite, in an attempt to keep tests running. Among other things, this fixes two security issues:

#1119917, CVE-2025-12464 (buffer overflow in e1000_receive_iov)
#1117153, CVE-2025-11234 (UAF in websocket handshake code)

Just a question for proper tracking, shouldn't we consider the CVE-2025-12464 issue only being introduced with 8.1.0 according to the commit

https://lore.kernel.org/qemu-devel/20251028160042.3321933-1-peter.maydell@linaro.org/T/#u
https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d78089e9e585faaeb19afccff2050abf

?

This is a very good question indeed. It looks like I overlooked this one for the 7.2.x branch when picking up the changes. The code in 7.2.x isn't vulnerable to this particular issue.

I'll do some more analysis around the matter - if it should be reverted entirely. At the very least, these changes (several of them) didn't break legitimate usage of the e1000 device in 7.2.x, as my tests show.

Thanks,

/mjt