| Package | qemu |
|---|---|
| Version | 1:3.1+dfsg-8+deb10u13 (buster) |
| Related CVEs | CVE-2023-3019 CVE-2024-3447 |
Multiple security issues were found in QEMU, a fast processor emulator, that could result in denial of service, information leak, or privilege escalation.
CVE-2023-3019
Use-after-free error in the e1000e NIC emulation.
CVE-2024-3447
Heap-based buffer overflow in SDHCI device emulation.
This update also removes the usage of the C (Credential) flag for the binfmt_misc registration within the qemu-user-static (and qemu-user-binfmt) packages, as it allowed for privilege escalation when running a suid/sgid binary under qemu-user. This means suid/sgid foreign-architecture binaries are not running with elevated privileges under qemu-user anymore. If you relied on this behavior of qemu-user in the past (running suid/sgid foreign-arch binaries), this will require changes to your deployment.
In Debian 10 “buster”, the affected packages are qemu-user-static (and qemu-user-binfmt).
For Debian 10 buster, these problems have been fixed in version 1:3.1+dfsg-8+deb10u13.
We recommend that you upgrade your qemu packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.