CVE Request: qemu -runas does not clear supplementary groups

[Michael Tokarev <mjt () tls msk ru>]

There's a missing initgroups() call in qemu in the -runas
argument handling.  Details are available on

 https://bugs.launchpad.net/qemu/+bug/807893

in short, -runas is supposed to reduce privileges to a
bare minimum (after all initialization is completed),
but the process still has all the supplementary groups
which should be dropped too.

Can a CVE id be assigned for this issue?

Thanks,

/mjt