We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1139923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 28 Jun 2026 08:03:05 +0300
Source: qemu
Architecture: source
Version: 1:11.0.2+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1139923
Changes:
qemu (1:11.0.2+ds-1) unstable; urgency=medium
.
[ Michael Tokarev ]
* new upstream stable/bugfix release:
- Update version for 11.0.2 release
- linux-user: Fix AT_PHDR when program headers are relocated
into their own segment
- hw/pci: Replace assert with bounds check and return
- ppc/pnv_phb3: Error out on invalid config access
- linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn
- linux-user/xtensa: save/restore FP registers across signal delivery
- target/xtensa: add cpu_set_fcr/fsr helpers to sync fp_status
- target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays
- ui/sdl2: Set GL ES profile before creating initial GL context
- ui/sdl2: Explicitly specify EGL platform
- hw/9pfs: reject . and .. in Twstat rename
- hw/9pfs: fix abort due to illegal name with Twstat rename
- gdbstub: Update x86 control register bits
- target/i386: apply mod to immediate count of an RCL/RCR operation
- hw/uefi: fix parse_hexstr
(Closes: CVE-2026-48915)
- target/riscv: mask vxrm csrw write to the low 2 bits
- disas/riscv.c: fix inst_length()
- target/riscv/tcg: disable svnapot if satp_mode < sv39
- target/riscv/cpu_helper.c: add PMA access fault
- target/riscv/cpu_helper.c: fault with reserved PTE.PBMT val
- target/riscv/insn_trans/trans_rvzicbo.c.inc: save opcode before helpers
- disas/riscv.c: add 'cbo' insns to disassembler
- target/riscv/csr.c: fix mstatus.UXL reserved value
- target/riscv/csr.c: do not allow mstatus MPV/GVA writes
- target/riscv/tcg: disable svpbmt if satp_mode < sv39
- target/riscv/cpu_helper.c: allow LOAD_ADDR_MIS promotion to AMO fault
- virtio: Allow to fill a whole virtqueue in order
- amd_iommu: Reject non-decreasing NextLevel in fetch_pte()
- amd_iommu: Follow root pointer before page walk and use 1-based levels
- libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()
(Closes: CVE-2026-6425)
- libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
(Closes: CVE-2026-6425)
- tests/qtest: Add amd-iommu command buffer head wrap test
- amd_iommu: Update command buffer head ptr in MMIO region after wraparound
- amd_iommu: restrict command buffer head/tail ranges to ring size
- linux-user: add preadv2/preadv2
- system/rtc: Fix a possible year-2038 integer overflow problem
- linux-user/strace: add fsmount series of syscalls
- linux-user: implement fsmount(2) series of syscalls
- fpu: Handle all rounding modes in partsN_uncanon_normal
- hw/usb/hcd-ohci: Clean up USBPacket before freeing ISO TD packet
- qed: Don't try to flush during incoming migration
- iotests: test shared mmap for fuse export
- block/export/fuse: set FUSE_DIRECT_IO_ALLOW_MMAP flag to fix regression
- block/export/fuse: use struct fuse_init_in
- qcow2: Fix data loss on zero write with detect-zeroes=unmap
- iotests/046: Test that discard/write_zeroes wait for dependencies
- qcow2: Fix corruption on discard during write with COW
- qemu-io: Add 'aio_discard' command
- virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check
(Closes: #1139923, CVE-2026-48914)
- block/io: fallback to bounce buffer if BLKZEROOUT is not supported
because of alignment
- hw/i3c: fix CMD/data FIFO depth reset values to match real silicon
- s390x/pci: Fix interrupt forwarding disable for interpreted devices
- target/s390x: Make container ids in SysIB_15x 1-based
- lcitool: remove Cirrus CI support
- gitlab: remove x64-freebsd-14-build Cirrus job
- gitlab: add initial MacOS 15 on gitlab runner
- ci: drop cirrus MacOS build
- tests/unit: add test-envlist covering setenv/unsetenv name matching
- util/envlist: fix prefix-match in envlist_unsetenv() name lookup
- 9pfs: fix missing rename lock in v9fs_co_readdir_many
(Closes: CVE-2026-48004)
- tests/9pfs: add deep absolute path test
- tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
- hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path()
handle errors
- hw/9pfs: add error handling to v9fs_fix_path()
- hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf()
return type
- hw/9pfs: add NULL check in v9fs_path_is_ancestor()
- linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
- linux-user/sh4: restore FP rounding mode on sigreturn
- linux-user/sh4: preserve T/M/Q bits across signal delivery
- linux-user/mips: save/restore FCSR across signal delivery
- linux-user/ppc: restore fp_status from FPSCR on sigreturn
- hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
- hw/net/rocker_of_dpa: Check group ID pointers are not NULL
- target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
- target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
- target/arm: Enable REVD for SVE2.1
- vfio/container: Restrict dma_map_file() to shared RAM or RAM devices
- vfio-user: reject zero migration page size capability
- vfio-user: reject zero DMA page size capability
- target/arm: Set correct fp flags for FLOGB when FPCR.AH = 1
- target/arm: Use FPST_A64_F16 for SVE FCVTLT_hs
- target/arm: SVE2 FMAXP, FMINP must honour AH=1
- block/linux-aio: bound ioq_submit() recursion depth
- mc146818rtc: Fix get_guest_rtc_ns() overflow bug
- apic: fix delivery bitmask with modified xAPIC ids
- lsi53c895a: clear tag byte when processing messages
- lsi53c895a: fix use-after-free of cancelled request
- ui: fix validation of VNC extended clipboard data length
(Closes: CVE-2026-8343)
- ui/vnc: fix OOB read updating VNC update frequency stats
(Closes: CVE-2026-48003)
- ui/vnc: fix OOB write in lossy rect worker code
(Closes: CVE-2026-48002)
- ui/vnc: fix OOB write in VNC stats array
(Closes: CVE-2026-48002)
- ui/vnc: fix OOB read access in VNC SASL mechname array
- linux-user/mips64: fix mipsn32 elf_core_copy_regs entry width
- linux-user/mips64: fix elf_core_copy_regs register layout in core files
- target/riscv: Make hpmcounterh return the upper 32-bits
- target/riscv/csr.c: fix read of pmpaddr(0-63) CSRs
- target/riscv: clear mseccfg on reset for all dependent extensions
- target/riscv: Update the local interrupt mask
- target/riscv: Add mseccfg to VMStateDescription
- target/riscv/pmp: Fix integer overflow in TOR and NA4 address computation
- target/riscv: Fix medeleg[11] read-only zero bit for M-mode ECALL
- hw/char: Check interrupt after txctrl register is written
- target/riscv: rvv: Handle source overlap of vector widening reduction
instructions
- target/riscv: Allow mseccfg access based on ext_zicfilp
- hw/riscv/riscv-iommu: Fix Svnapot 64KB pages
- target/riscv: Update MISA.X for non-standard extensions
- target/riscv: Update MISA.C for Zc* extensions
- crypto: fix client side anonymous TLS credentials
* tcg-loongarch64-Fix-cmp_vec-with-TCG_COND_NE.patch
.
[ Miao Wang ]
* tests/test-qemu-user.sh: also test qemu-loong64
* tests/test-qemu-user.sh: skip armhf when page size is large than 4K
Checksums-Sha1:
173359d911e5560b89a5b959a36b64fda788197d 10043 qemu_11.0.2+ds-1.dsc
7b83162c237941bcdfbb3631de732e69ad19d685 38818356 qemu_11.0.2+ds.orig.tar.xz
b6786db584c5fcaa3345f2ed9ea76e1f5fa998e7 129480 qemu_11.0.2+ds-1.debian.tar.xz
c35ed23298262edd4a31a550a72497f8aa281459 8327 qemu_11.0.2+ds-1_source.buildinfo
Checksums-Sha256:
eb43364cb7f89d3275432f64f7574e90194c19e9200a4420361d146e8edab2ea 10043 qemu_11.0.2+ds-1.dsc
1ebd5dabcf4f279a3a9a0a29fe9c068239cff0c2c1f0f0af222e6d7bc8f59a56 38818356 qemu_11.0.2+ds.orig.tar.xz
0ee92e89d5255b640e7f3a72d98061ac62d81043a9dad4032389f6c3edb44269 129480 qemu_11.0.2+ds-1.debian.tar.xz
6e23b69069f2a2d3436b1e6a4d8baab2730a938075ab0630e8bccebfb4c1dfbd 8327 qemu_11.0.2+ds-1_source.buildinfo
Files:
8b266cba6b0b59b5d7800fc6c36ce195 10043 otherosfs optional qemu_11.0.2+ds-1.dsc
bc7b9483bf1471ff926a87ec071552d1 38818356 otherosfs optional qemu_11.0.2+ds.orig.tar.xz
addad74df591d5693142919c66b89a4b 129480 otherosfs optional qemu_11.0.2+ds-1.debian.tar.xz
72634a886e5743768d303aba32a6c4ca 8327 otherosfs optional qemu_11.0.2+ds-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
wsG7BAEBCgBvBYJqQKw/CRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmfkHQpZwUWhar7QXvwVjnYEyEkRP+6yDZra3eptSqdI
sxYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AAACkBAAj+psYgB+aNSlxPADmzw7B/tV
B7orrlTQUWO45BOaXszSADOCTM611SsbQnRstiYt9T2wByF+Zbi4RSOupKF7ka/B
VwEke8vt0McMMm7dtpxZ5WASXlyl5DJtf0yDaHei75rzs7HPWMaOvm1M1Rv2VFda
zGdrBWflB5urCGntFPSNkhWEmfEgpOU/2Q6rSTCaJbkkwy4qd9tVkmKycjrPTFCI
9hmlx7vEcpSXqSu5+PFM7suQYWyuGuP4GafHdF0bGuKMzQT4Ph0bfe5m7KlB8uw9
k4/YMCcVkaAfKJIv+am9w6Pmmv0qSYcD1AWIweQxQlChPLJk2+rrPLN6+FkOKxKI
+Gh2yoEHqwHa8BkuFn79K6knICn9sPqIxwME/F0xgOF7PDHzXnxvwyObtAL5AqpN
F1wYYPjjNeP/b6zEZBYDmMM0RtwL4TZFFKU5lQv0Y78Qw59rhF0XFOc9Y1RcjBaj
CedDzSVN8c5S//mCxz0s7PKxVRRF6sruRVuX4rKnbv/wtABPEcxt2Am6XYKWfLxM
X+/EvQe1H4NExUL05+HhrWYP3HCuuYg0TrOTpnRy/uxBUYGXuSAEdmrsDR0aXPWj
h/TzfXEXYglDwSR+mmcSkqzSbEclWG1gXGtWTzdEWHN9xJZn0hOjikgQtjEHzLAQ
UH9S6GDctiQp5klOmLo=
=6EwQ
-----END PGP SIGNATURE-----