-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 11 Jun 2026 09:28:48 +0300 Source: qemu Architecture: source Version: 1:10.0.10+ds-0+deb13u1 Distribution: trixie Urgency: medium Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org> Changed-By: Michael Tokarev <mjt@tls.msk.ru> Closes: 1085299 1128478 1129349 1129604 1129605 Changes: qemu (1:10.0.10+ds-0+deb13u1) trixie; urgency=medium . * 10.0.10 upstream stable/bugfix release: - Update version for 10.0.10 release - block/graph-lock: fix missed wakeup in bdrv_graph_co_rdunlock() - block: Add more defaults to DEFAULT_BLOCK_CONF - block: Create DEFAULT_BLOCK_CONF macro - ide-test: Test reset during TRIM - ide-test: Factor out wait_dma_completion() - ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code - ide: Minimal fix for deadlock between TRIM and drain - block: Add flags parameter to blk_*_pdiscard() - block: Add blk_co_start/end_request() and BDRV_REQ_NO_QUEUE - blkdebug: Add 'delay-ns' option - linux-user/sh4: Fix setup_sigtramp to match Linux kernel trampoline pattern - linux-user/sh4: Fix target_ucontext tuc_link field type - linux-user: Fix AT_EXECFN in AUXV for symlinked programs - hw/nvme: fix admin cq msix setup - tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist - meson.build: Add -fzero-init-padding-bits=all - hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[] - aspeed/hace: Prevent total_req_len overflow - aspeed/hace: Fix out-of-bounds read in has_padding() - hw/display/cirrus_vga: Fix packed-24 color-expansion transparent copies - hw/display/cirrus_vga: Fix packed-24 color-expansion transparent pattern fills - hw/ufs: Keep MCQ SQs alive while requests are outstanding - hw/ufs: Reject zero-depth MCQ queues - hw/ufs: Guard MCQ CQ accesses against missing queues - hw/ufs: Validate MCQ SQ references before use - hw/uefi: check auth.hdr_length minimum size (Closes: CVE-2026-8341) - hw/uefi: avoid possibly unaligned variable_auth_2 struct field access (Closes: CVE-2026-41440) - hw/uefi: verify data size before accessing it in wrap_pkcs7 (Closes: CVE-2026-41439) - hw/uefi: add name_size check to uefi_vars_mm_lock_variable() (Closes: CVE-2026-41438) - hw/uefi: fix ucs2 string helper functions (Closes: CVE-2026-41437) - hw/uefi: verify pio_xfer_offset before calculating buffer checksum (Closes: CVE-2026-41436) - hw/uefi: fix buffer overruns (Closes: CVE-2026-41435) - hw/misc/bcm2835_rng: Specify valid memory access sizes - target/arm: Report IL=0 for Thumb 16-bit BKPT insn - target/microblaze: Fix endianness used to disassemble - hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7 - hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled - hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node - hw/ppc/e500: Move clock and TB frequency to machine class - tests/rcutorture: Fix build error - hw/intc/xics: Add a check for an invalid server id - linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR - linux-user: Allow getsockopt() with NULL optval address - linux-user: Flush errors by using exit() instead of _exit() in error path - linux-user: Add missing CDROM ioctls - target/riscv: Use ELEN for Fractional LMUL check - target/riscv: Don't OR mip.SEIP when mvien is one - target/riscv: Generate access fault if sc comparison fails - riscv_htif: reject invalid signature ranges (end <= begin) - hw/intc: fix heap OOB in ACLINT MTIMER multi-socket - target/riscv: fix stale ptshift and base on page walk restart - hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled - linux-user: Flush errors by using exit() instead of _exit() in error path - linux-user: Use abi_int for imr_ifindex in ip_mreqn struct - linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone - linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW - linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW - linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW - linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands - linux-user/strace: Use pointer type for read and write values - linux-user/arm/nwfpe: Use thread-local storage for qemufpa - linux-user/arm/nwfpe: Replace user_registers with current_cpu - linux-user: Don't define target_stat64 struct for loongarch64 - linux-user: fix off-by-one in host_to_target_for_each_rtattr() - linux-user/ppc: Fix ppc64 rt_sigframe stack offset - hw/sh4/sh7750: Remove forgotten abort() in the MM_ITLB_DATA handler - hw/misc: Fix the valid access size to the avr-power device - migration: vmstate_save_state_v: fix double error_setg - hw/display: don't accidentally autofree existing virgl resources (Closes: CVE-2026-6502) - meson: add missing semicolon in pthread_condattr_setclock test - target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode - target/i386: fix missing PF_INSTR in SIGSEGV context - target/i386: fix strList leak in x86_cpu_get_unavailable_features - target/arm/tcg/translate.c: remove MO_TE usage - ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen) - ui/spice-app: detect runtime directory creation failures - serial COM: windows serial COM PollingFunc don't sleep - util/cutils: Fix heap corruption under Windows - virtio-blk: fix zone report buffer out-of-memory (Closes: CVE-2026-5761) - qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config - hw/uefi: fix heap overflow (Closes: CVE-2026-5744) - virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare (Closes: CVE-2026-5763) - util/readline: Fix out-of-bounds access in readline_insert_char() - target/arm: fix fault_s1ns for stage 2 faults - target/arm: do_ats_write(): avoid assertion when ptw failed - bsd-user, linux-user: signal: recursive signal delivery fix - linux-user: Make openat2() use -L for absolute paths - linux-user: update select timeout writeback - linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set - util: fix missing aio_wait sym in qemu guest agent only build - monitor: Fix deadlock in monitor_cleanup - scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable - ide: Fix potential assertion failure on VM stop for PIO read error - ui/vnc-jobs: fix VncRectEntry leak on job cleanup - hw/net/rocker: Avoid double-free of l2_flood.group_ids - lsi53c895a: keep SCSIRequest alive during DMA - lsi53c895a: keep lsi_request alive as long as the SCSIRequest - lsi53c895a: keep lsi_request and SCSIRequest in local variables - lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0 - lsi53c895a: keep a reference to the device while SCRIPTS execute (Closes: #1085299, CVE-2024-6519) - scripts/qemu-guest-agent/fsfreeze-hook: Fix syslog-fallback logic - scripts/qemu-guest-agent/fsfreeze-hook: Avoid use of PIPESTATUS - scripts/qemu-guest-agent/fsfreeze-hook: Avoid bash-isms - hw/nvme: fix heap-buffer-overflow in nvme_abort - hw/nvme: re-enable wzds bit in namespace dlfeat - tcg: Pass host-endian values to plugin_gen_mem_callbacks_* - hw/audio/sb16: validate VMState fields in post_load - block/curl: free s->password in cleanup paths - linux-aio: Resubmit tails of short reads/writes - linux-aio: Put all parameters into qemu_laiocb - hw/dma/pl080: Fix transfer logic in PL080 - linux-user/i386/signal.c: Correct definition of target_fpstate_32 - hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling - hw/net/ftgmac100: Improve DMA error handling - hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop (Closes: CVE-2026-3890) - rust: suggest passing --locked to "cargo install" - target/riscv: rvv: Fix page probe issues in vext_ldff - target/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses - Expand the probe_pages helper function to handle probe flags - block: Drop detach_subchain for bdrv_replace_node - virtio-gpu: fix overflow check when allocating 2d image (Closes: CVE-2026-3886) - io: Fix TLS bye task leak - ppc/pnv: generate dtb after machine initialization is complete - ppc/pnv: fix dumpdtb option - block/mirror: fix assertion failure upon duplicate complete for job using 'replaces' - throttle-group: Fix race condition in throttle_group_restart_queue() - target/i386: fix NULL pointer dereference in legacy-cache=off handling - hw/dma/pl080: Ignore bottom 2 bits of LLI register - hw/dma/pl080: Update interrupts after pl080_run() - hw/dma/pl080: Handle bogus swidth and dwidth in transfers - linux-user: fix mremap with old_size=0 for shared mappings - linux-user: Fix zero_bss for RX PT_LOAD segments - hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug . * 10.0.9 stable/bugfix release: - Update version for 10.0.9 release - hyperv/syndbg: check length returned by cpu_physical_memory_map() (Closes: CVE-2026-3842) - fuse: Copy write buffer content before polling - target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch - target/loongarch: Preserve PTE permission bits in LDPTE - hw/net/npcm_gmac: Catch accesses off the end of the register array - linux-user: fix TIOCGSID ioctl - tests/tcg/multiarch/test-mmap: Check mmaps beyond reserved_va - bsd-user: Deal with mmap where start > reserved_va - linux-user: Deal with mmap where start > reserved_va - hw/net/xilinx_ethlite: Check for oversized TX packets - virtio-gpu: Ensure BHs are invoked only from main-loop thread - block/nfs: Do not enter coroutine from CB - block: Never drop BLOCK_IO_ERROR with action=stop for rate limiting - block/throttle-groups: fix deadlock with iolimits and muliple iothreads - mirror: Fix missed dirty bitmap writes during startup (Closes: #1129349) - block/curl: fix concurrent completion handling - block/vmdk: fix OOB read in vmdk_read_extent() (Closes: #1128478, CVE-2026-2243) - hw/net/smc91c111: Don't allow negative-length packets - io: fix cleanup for websock I/O source data on cancellation - io: fix cleanup for TLS I/O source data on cancellation - io: separate freeing of tasks from marking them as complete - target/i386/hvf/x86_mmu: Fix compiler warning - hw/i386/vmmouse: Fix hypercall clobbers - tests/docker: upgrade most non-lcitool debian tests to debian 13 - hw/9pfs: fix missing EOPNOTSUPP on Twstat and Trenameat for fs synth driver - hw/9pfs: fix data race in v9fs_mark_fids_unreclaim() - target/arm: set the correct TI bits for WFIT traps - hw/ssi/xilinx_spips: Reset TX FIFO in reset - hw/misc/virt_ctrl: Fix incorrect trace event in read operation - virtio-snd: tighten read amount in in_cb (Closes: #1129604, CVE-2026-3195) - virtio-snd: fix max_size bounds check in input cb (Closes: #1129604, CVE-2026-3195) - virtio-snd: handle 5.14.6.2 for PCM_INFO properly (Closes: #1129605, CVE-2026-3196) - virtio-snd: remove TODO comments - virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type (was in virtio-gpu-virgl-Add-virtio-gpu-virgl-hostmem-region.patch) - target/arm: Fix feature check in DO_SVE2_RRX, DO_SVE2_RRX_TB - target/arm: Account for SME in aarch64_sve_narrow_vq() assertion - target/arm: Introduce ARMCPU.sme_max_vq - hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers - docs/about/emulation: Add documentation for hotblocks plugin arguments - contrib/plugins/hotblocks: Print uint64_t with PRIu64 rather than PRId64 - contrib/plugins/hotblocks: Fix off by one error in iteration of sorted blocks - contrib/plugins/hotblocks: Correctly free sorted counts list - contrib/plugins: Fix type conflict of GLib function pointers - python: drop uses of pkg_resources - plugins: fix cross-build using LLVM for Windows targets - s390x/pci: Fix endianness for zPCI BAR values Checksums-Sha1: 6d489125e6cf4c2fd5ee94506bae5b6b6b77c0d2 12560 qemu_10.0.10+ds-0+deb13u1.dsc fed5a9ddccdf09002a8f26dc442936c6e4b7d09a 39979984 qemu_10.0.10+ds.orig.tar.xz 8ccd8eedcdbed7af6bd49da1f7dec25c05a4826e 148364 qemu_10.0.10+ds-0+deb13u1.debian.tar.xz 41e9f20c4e82591fc5c869c8cdbaffdfa56c5397 8302 qemu_10.0.10+ds-0+deb13u1_source.buildinfo Checksums-Sha256: 0a3a55cf1c9ab05709708abacc79a50309dbe5f9c711e0d40dd4bf5220d3ae7a 12560 qemu_10.0.10+ds-0+deb13u1.dsc fdf3f4dd475cd7771db0407556cd98b3adcdc0a3a0cba1b5b93b320f3d1a135e 39979984 qemu_10.0.10+ds.orig.tar.xz 9f6ab62c7f079e62571ebffada243c95ca042b56a9535e90508bf76fff116c24 148364 qemu_10.0.10+ds-0+deb13u1.debian.tar.xz d083764143a64b95aaa9cf9b78e63d09e4608d182c8dcf4132e0cc025c7f2e20 8302 qemu_10.0.10+ds-0+deb13u1_source.buildinfo Files: 7ac7978c2eb405bbae7ca645bb0c3dd8 12560 otherosfs optional qemu_10.0.10+ds-0+deb13u1.dsc 77d77a340cd841ad86bdbfc481ca5a4e 39979984 otherosfs optional qemu_10.0.10+ds.orig.tar.xz 9f693854cde70a1ca83283207371117b 148364 otherosfs optional qemu_10.0.10+ds-0+deb13u1.debian.tar.xz 29bf446853b3e68c7ccf40025a64eacf 8302 otherosfs optional qemu_10.0.10+ds-0+deb13u1_source.buildinfo -----BEGIN PGP SIGNATURE----- wsG7BAEBCgBvBYJqKldWCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmcQ1YAfzOvxi3ZrsY2/KfmwaggbYPLTkKrHt/UDt4BZ SxYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AAClBhAAxARDk60LxvR5RWSKy5LhNvqY aUOuQ0dfLqjfjZfiZ5Je/geIlPAooI0PvJASmk/F9/o+7Jdwlpkuawo44ue6LtXN iduH/Qx6dC8iFHJKtGgdz2eqelSbh2gNpFXDoryirVvOwOy0NlHULjSgP0jA3ua4 6NI/csXCJIUjQ0dd6i07TsuZV+mfCIkuWcWega7FWr96sbzud/bsUMSf8pmx0b12 FrmX3RVHvJUeD8ID/pd8YSQUMrVW5RrQHRZFivfcCvVthWcL/1rr37N41L+GGW87 z+WEzXvYztN8P4EVsLC53Yo+LEiKV2DNXwTZgKDnB56Si8yFMqpdov+6lT+IG4MP oLB7o2jjBNgg2uX7vUCk3DIu2XgCz+mjTiUXXhcuR4mfTBDuqF1wBsNJwOBfQSfV jE8njKzRU78MFobLpoakVe1JoKVAdnoBTTOngfa0V5LXavTUouyxqYKEJbcIydSV 6xJP3alYNoBV3cOp3pYXrHiOB8NiA2iQTjAGG+BKgm0Bm6wJFtSU7jVojt581VrI +3lXeq5sFZhut06rp3ZXGBcfe0QuSfpqCX0e0pv5OAeYOZr+KeIwIAUN4vTIegFD CaOraGjTHPR7tgHrIPJ2w1+9EhSwZ/rmy9wkSGP/CiATq5R6eWFuzMKsIS4u/LDQ QRF4pU0mu10oTzihdr8= =3cRM -----END PGP SIGNATURE-----