Format: 1.8
Date: Fri, 15 Aug 2025 23:27:17 +0300
Source: qemu
Architecture: source
Version: 1:7.2+dfsg-7+deb12u15
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian QEMU Team
Changed-By: Michael Tokarev
Changes:
 qemu (1:7.2+dfsg-7+deb12u15) bookworm-security; urgency=medium
 .
   * d/binfmt-install: stop using C (Credentials) flag for binfmt_misc
     registration. qemu-user binaries were never meant to be used in
     suid/sgid scenarios, but was used in debian since late 2009.
     Any foreign suid/sgid binary accessible to the users, in presence
     of qemu-user binfmt, is trivially exploitable to gain elevated
     privileges. This change might break existing setups since for many
     years people relied on qemu-user binfmt working with suid binaries,
     but this is a situation where it is definitely better to be safe
     than sorry.
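
One way to audit a host for the registration style this upload stops using, as an added example that is not part of the Debian upload or of d/binfmt-install: the shell function below lists enabled binfmt_misc entries whose `flags:` line contains C. The function names, the `emu-*` entries and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list enabled binfmt_misc registrations that carry the
# C (credentials) flag, i.e. entries where the kernel computes credentials
# from the binary, so a suid/sgid foreign binary runs its interpreter elevated.
# $1: directory to scan (defaults to the kernel's binfmt_misc mount point).
binfmt_c_entries() {
    dir=${1:-/proc/sys/fs/binfmt_misc}
    for entry in "$dir"/*; do
        [ -f "$entry" ] && [ -r "$entry" ] || continue
        name=${entry##*/}
        # "register" and "status" are control files, not registrations.
        case $name in register|status) continue ;; esac
        state='' flags='' interp=''
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                enabled|disabled) state=$line ;;
                "interpreter "*)  interp=${line#interpreter } ;;
                "flags:"*)        flags=${line#flags:}; flags=${flags# } ;;
            esac
        done < "$entry"
        # A disabled entry is not consulted by the kernel at exec time.
        [ "$state" = enabled ] || continue
        case $flags in
            *C*) printf '%s\t%s\t%s\n' "$name" "$flags" "$interp" ;;
        esac
    done
    return 0
}

# Constructed sample tree in the same layout as the /proc files
# (hypothetical interpreters; not data from a real system).
make_sample() {
    d=$(mktemp -d)
    printf 'enabled\ninterpreter /usr/bin/emu-a\nflags: POCF\noffset 0\nmagic 7f454c46\n' > "$d/emu-a"
    printf 'enabled\ninterpreter /usr/bin/emu-b\nflags: PF\noffset 0\nmagic 7f454c46\n' > "$d/emu-b"
    printf 'disabled\ninterpreter /usr/bin/emu-c\nflags: OC\noffset 0\nmagic 7f454c46\n' > "$d/emu-c"
    printf 'enabled\n' > "$d/status"
    : > "$d/register"
    echo "$d"
}

# Scan the live system; prints nothing when no enabled entry has the C flag.
binfmt_c_entries
```

Each output line is the entry name, its flags and its interpreter, separated by tabs; pass a directory as the first argument to scan a copied or mounted tree instead of the running kernel.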