Format: 1.8
Date: Fri, 15 Aug 2025 23:27:17 +0300
Source: qemu
Binary: qemu-system-data
Architecture: all
Version: 1:7.2+dfsg-7+deb12u15
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Michael Tokarev
Description:
 qemu-system-data - QEMU full system emulation (data files)
Changes:
 qemu (1:7.2+dfsg-7+deb12u15) bookworm-security; urgency=medium
 .
   * d/binfmt-install: stop using C (Credentials) flag for binfmt_misc
     registration. qemu-user binaries were never meant to be used in
     suid/sgid scenarios, but were used in Debian since late 2009. Any
     foreign suid/sgid binary accessible to the users, in presence of
     qemu-user binfmt, is trivially exploitable to gain elevated
     privileges. This change might break existing setups since for many
     years people relied on qemu-user binfmt working with suid binaries,
     but this is a situation where it is definitely better to be safe
     than sorry.
Checksums-Sha1:
 a39e36dcfae177d157dd449d4177371f0988caec 1295548 qemu-system-data_7.2+dfsg-7+deb12u15_all.deb
 9c46dc45e929390b085b4d44dba90b8618384b54 25423 qemu_7.2+dfsg-7+deb12u15_all-buildd.buildinfo
Checksums-Sha256:
 b2a473b3ee78be58c492205c24633a234f3561c8c22a62a5f80c41d2c3bf54ee 1295548 qemu-system-data_7.2+dfsg-7+deb12u15_all.deb
 c83e8302b88136ba5b45011bd073a4326dad280bca4fce5b69247a89460d474f 25423 qemu_7.2+dfsg-7+deb12u15_all-buildd.buildinfo
Files:
 c984821e4d37c37610373016e2d10319 1295548 otherosfs optional qemu-system-data_7.2+dfsg-7+deb12u15_all.deb
 5b36ca714895fd9ca3107d5784d8f900 25423 otherosfs optional qemu_7.2+dfsg-7+deb12u15_all-buildd.buildinfo
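An audit for the condition the changelog entry describes, as an added example that is not part of the upload or of the Debian packaging: it lists binfmt_misc handlers still registered with the C (credentials) flag by reading the `flags:` line the kernel exposes for each entry. The function names `binfmt_cred_entries` and `make_sample_dir`, the optional directory argument, and the sample entries (including their interpreter paths) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print "<entry> <interpreter>" for every binfmt_misc handler whose flags
# include C (credentials). Directory argument is optional (assumption, for
# testing); the default is the kernel's standard binfmt_misc mount point.
binfmt_cred_entries() {
    dir="${1:-/proc/sys/fs/binfmt_misc}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # "register" and "status" are control files, not handlers.
        case "${f##*/}" in register|status) continue ;; esac
        flags=$(sed -n 's/^flags:[[:space:]]*//p' "$f")
        interp=$(sed -n 's/^interpreter[[:space:]]*//p' "$f")
        case "$flags" in
            *C*) printf '%s %s\n' "${f##*/}" "$interp" ;;
        esac
    done
}

# Build a directory of constructed sample entries in the kernel's format:
# one handler with C set, one without, one with no flags at all.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'enabled\ninterpreter /usr/bin/qemu-aarch64-static\nflags: OCF\noffset 0\nmagic 7f454c46\n' > "$d/qemu-aarch64"
    printf 'enabled\ninterpreter /usr/bin/qemu-riscv64-static\nflags: F\noffset 0\nmagic 7f454c46\n' > "$d/qemu-riscv64"
    printf 'enabled\ninterpreter /usr/bin/python3\nflags: \nextension .pyc\n' > "$d/python3"
    printf 'enabled\n' > "$d/status"
    echo "$d"
}

# Run against the constructed sample, then against this host (prints
# nothing for the host if binfmt_misc is not mounted or no entry has C).
sample=$(make_sample_dir)
echo "constructed sample:"
binfmt_cred_entries "$sample"
rm -rf "$sample"
echo "this host:"
binfmt_cred_entries
```

Any qemu-user handler this reports on a live system is one where a foreign suid/sgid binary would run the emulator with that binary's credentials.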