• Bug#1109872: unblock: qemu/1:10.0.2+ds-2

    From Michael Tokarev@21:1/5 to All on Fri Jul 25 12:10:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected], [email protected]
    Control: affects -1 + src:qemu
    User: [email protected]
    Usertags: unblock

    Please unblock package qemu

    [ Reason ]
    This upload fixes two issues which are important to fix before
    the trixie release. It is the usage of future Static-Built-Using
    instead of Built-Using for qemu-user (#1106804) - a trivial fix.
    And a use-after-free in qemu multi-threaded TCG mode (#1106792) -
    a fix which took quite a significant amount of resources to track
    down, and affected multiple other packages in Debian already.

    Both of these fixes definitely should go to trixie.

    There are two additional small fixes: one is dropping a long-
    irrelevant alternative in build-deps (needed for buster-backports),
    and another is a simplification of a too complex expression when
    auto-generating package descriptions - it does not affect the
    resulting packages, but makes this part of d/rules simpler.
    Both these 2 small changes are of very low risk.

    [ Impact ]
    Built-Using field for #1106804 - currently, qemu-user package does
    not meet the requirements of the Debian Policy, so keeping it in
    this way for release isn't the right thing to do.

    The UAF fix for #1106792 - without it, qemu-system randomly crashes
    in various configs, which affects multiple software, especially when
    qemu is used for testing. It is also not the kind of issues we want
    to keep in a release.

    [ Tests ]
    The main fix in this release, #1106792, while it changes one of the more
    important areas in qemu memory management, has been tested by multiple
    people in several configurations, and reviewed. I don't expect additional breakage from it.

    Additional automatic tests are run while I'm submitting this report,
    I'll reply to this bug report if anything fails. But I don't expect
    any new failures.

    [ Risks ]
    Again, the main change (the fix for #1106792) is the only one which might
    be risky. Hopefully we tested all interesting scenarios involving this
    code.

    Other changes are trivial and of very low risk.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    unblock qemu/1:10.0.2+ds-1

    diff -Nru qemu-10.0.2+ds/debian/changelog qemu-10.0.2+ds/debian/changelog
    --- qemu-10.0.2+ds/debian/changelog 2025-05-29 10:13:25.000000000 +0300
    +++ qemu-10.0.2+ds/debian/changelog 2025-07-25 12:05:29.000000000 +0300
    @@ -1,3 +1,17 @@
    +qemu (1:10.0.2+ds-2) unstable; urgency=medium
    +
    + * d/control: switch from Static-Built-Using
    + back to Built-Using for qemu-user (Closes: #1106804)
    + * d/rules: simplify qemu:archlist variable generation
    + (does not change the resulting packages)
    + * d/control: drop build dependency alternative on python3-tomli,
    + which was needed for bpo builds before bookworm (Closes: #1105938)
    + * system-physmem-fix-use-after-free-with-dispatch.patch long-awaited
    + fix for UAF which was affected multiple other packages and was quite
    + difficult to track (Closes: #1106792)
    +
    + -- Michael Tokarev <[email protected]> Fri, 25 Jul 2025 12:05:29 +0300
    +
    qemu (1:10.0.2+ds-1) unstable; urgency=medium

    * new upstream stable/bugfix release:
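
    Review bot: the new entry's header on the first added line is versioned 1:10.0.2+ds-2, but the request's "unblock qemu/1:10.0.2+ds-1" line names the version that the unchanged context line shows as the previous entry, so the unblock command should name the -2 upload. In the last added bullet, the patch file name runs straight into the description with no colon (unlike the "d/control:" and "d/rules:" bullets), and the text says only that it is a "long-awaited fix for UAF" without stating what the patch changes; since the request calls this the only risky change, a short clause on what is changed would help the release team assess it from the changelog alone.
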
    diff -Nru qemu-10.0.2+ds/debian/control qemu-10.0.2+ds/debian/control
    --- qemu-10.0.2+ds/deb