This update for qemu fixes the following issues:
Update to version 8.2.10.
Security issues fixed:
- CVE-2025-12464: stack-based buffer overflow in the e1000 network device operations can be exploited by a malicious
guest user to crash the QEMU process on the host (bsc#1253002).
- CVE-2025-11234: use-after-free in WebSocket handshake operations can be exploited by a malicious client with network
access to the VNC WebSocket port to cause a denial-of-service (bsc#1250984).
Other updates and bugfixes:
-
[openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too.
-
[openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286).
-
block/curl: fix curl internal handles handling (bsc#1252768).
-
[openSUSE][RPM]: spec: qemu-vgabios is required on ppc (bsc#1230042).
-
[roms] seabios: include "pciinit: don't misalign large BARs" (bsc#1246566).
-
[openSUSE][RPM] spec: Require ipxe and virtio-gpu packages for more arch-es (bsc#1240157).
-
[openSUSE][RPM]: disable LTO for userspace emulation on 15.6 (bsc#1243013).
-
Version 8.2.10 changes:
- Full changelog: https://lore.kernel.org/qemu-devel/7dd1fbc7-a58f-4b2c-82b9-735840246ab2@tls.msk.ru/
- Some backports:
- hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
- target/ppc: Fix e200 duplicate SPRs
- linux-user/riscv: Fix handling of cpu mask in riscv_hwprobe syscall
- docs/about/emulation: Fix broken link
- vdpa: Allow vDPA to work on big-endian machine
- vdpa: Fix endian bugs in shadow virtqueue
- target/loongarch: Fix vldi inst
- target/arm: Simplify pstate_sm check in sve_access_check
- target/arm: Make DisasContext.{fp, sve}_access_checked tristate
- util/cacheflush: Make first DSB unconditional on aarch64
- ui/cocoa: Temporarily ignore annoying deprecated declaration warnings
- docs: Rename default-configs to configs
- block: Zero block driver state before reopening
- hw/xen/hvm: Fix Aarch64 typo
-...