Message ID | 20230614210926.7723-1-romain.naour@smile.fr |
---|---|
State | Accepted |
Headers | show |
Series | package/qemu: bump to version 8.0.2 | expand |
>>>>> "Romain" == Romain Naour <romain.naour@smile.fr> writes: > Fixes CVE-2023-0330: > A vulnerability in the lsi53c895a device affects the latest version of > qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs > like stack overflow or use-after-free. > See: > https://lists.gnu.org/archive/html/qemu-devel/2023-06/msg00221.html Committed after marking it a security bump, thanks. Looks like we need to bump 2023.02.x to 7.2.3 for the same fix: https://lists.gnu.org/archive/html/qemu-devel/2023-06/msg00218.html
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "Romain" == Romain Naour <romain.naour@smile.fr> writes: >> Fixes CVE-2023-0330: >> A vulnerability in the lsi53c895a device affects the latest version of >> qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs >> like stack overflow or use-after-free. >> See: >> https://lists.gnu.org/archive/html/qemu-devel/2023-06/msg00221.html > Committed after marking it a security bump, thanks. > Looks like we need to bump 2023.02.x to 7.2.3 for the same fix: > https://lists.gnu.org/archive/html/qemu-devel/2023-06/msg00218.html Committed to 2023.05.x, thanks.
diff --git a/package/qemu/qemu.hash b/package/qemu/qemu.hash index e76aef0b3a..b6fcad83e2 100644 --- a/package/qemu/qemu.hash +++ b/package/qemu/qemu.hash @@ -1,4 +1,4 @@ # Locally computed, tarball verified with GPG signature -sha256 bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb91131e56d0 qemu-8.0.0.tar.xz +sha256 f060abd435fbe6794125e2c398568ffc3cfa540042596907a8b18edca34cf6a5 qemu-8.0.2.tar.xz sha256 6f04ae8364d0079a192b14635f4b1da294ce18724c034c39a6a41d1b09df6100 COPYING sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk index 6a6905d75f..c530896fa8 100644 --- a/package/qemu/qemu.mk +++ b/package/qemu/qemu.mk @@ -6,7 +6,7 @@ # When updating the version, check whether the list of supported targets # needs to be updated. -QEMU_VERSION = 8.0.0 +QEMU_VERSION = 8.0.2 QEMU_SOURCE = qemu-$(QEMU_VERSION).tar.xz QEMU_SITE = https://download.qemu.org QEMU_LICENSE = GPL-2.0, LGPL-2.1, MIT, BSD-3-Clause, BSD-2-Clause, Others/BSD-1c
Fixes CVE-2023-0330: A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. See: https://lists.gnu.org/archive/html/qemu-devel/2023-06/msg00221.html Signed-off-by: Romain Naour <romain.naour@smile.fr> --- package/qemu/qemu.hash | 2 +- package/qemu/qemu.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)