GLSA Advocate
Posted: Wed Jan 13, 2010 10:26 pm Post subject: [ GLSA 201001-04 ] VirtualBox: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: VirtualBox: Multiple vulnerabilities (GLSA 201001-04)
Severity: normal
Exploitable: local
Date: January 13, 2010
Bug(s): #288836, #294678
ID: 201001-04
Synopsis
Multiple vulnerabilities were found in VirtualBox, the worst of which
allows privilege escalation.
Background
The VirtualBox family provides powerful x86 virtualization products.
Affected Packages
Package: app-emulation/virtualbox-bin
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures
Package: app-emulation/virtualbox-ose
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures
Package: app-emulation/virtualbox-guest-additions
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures
Package: app-emulation/virtualbox-ose-additions
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures
Description
Thomas Biege of SUSE discovered multiple vulnerabilities:
- A shell metacharacter injection in popen() (CVE-2009-3692) and
a possible buffer overflow in strncpy() in the VBoxNetAdpCtl
configuration tool.
- An unspecified vulnerability in VirtualBox
Guest Additions (CVE-2009-3940).
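The two bug classes named for the configuration tool, shown in hardened form. This is an added example, not VirtualBox or Gentoo code and not the upstream fix; IFNAME_MAX, the function names and the /bin/echo helper are assumptions made for illustration. The argument is checked against an allow-list, copied with guaranteed termination (strncpy() leaves the destination unterminated when the source fills it), and handed to execv() as an argv entry so that no shell parses it, unlike a command string built for popen().

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define IFNAME_MAX 16 /* assumed buffer size (Linux IFNAMSIZ), NUL included */

/* Allow-list check: non-empty, fits the buffer, only [A-Za-z0-9_.-]. */
int ifname_is_safe(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-";
    size_t len = strlen(name);
    return len > 0 && len < IFNAME_MAX && strspn(name, ok) == len;
}

/* Run a helper from an argv array: no shell ever parses the arguments. */
int run_no_shell(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical entry point: validate, bounded copy, then exec directly. */
int configure_adapter(const char *helper, const char *name)
{
    char ifname[IFNAME_MAX];
    if (!ifname_is_safe(name))
        return -1; /* rejected before any copy or exec */
    snprintf(ifname, sizeof ifname, "%s", name); /* always NUL-terminated */
    char *argv[] = { (char *)helper, ifname, NULL };
    return run_no_shell(helper, argv);
}

int main(void)
{
    int ok = configure_adapter("/bin/echo", "vboxnet0");         /* 0 */
    int bad = configure_adapter("/bin/echo", "vboxnet0;echo x"); /* -1 */
    printf("valid name -> %d, metacharacter name -> %d\n", ok, bad);
    return 0;
}
```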
Impact
A local, unprivileged attacker with the permission to run VirtualBox
could gain root privileges. A guest OS local user could cause a Denial
of Service (memory consumption) on the guest OS via unknown vectors.
Workaround
There is no known workaround at this time.
Resolution
All users of the binary version of VirtualBox should upgrade to the
latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-bin-3.0.12"
All users of the Open Source version of VirtualBox should upgrade to
the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-3.0.12"
All users of the binary VirtualBox Guest Additions should upgrade to
the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-guest-additions-3.0.12"
All users of the Open Source VirtualBox Guest Additions should upgrade
to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-additions-3.0.12"
References
CVE-2009-3692
CVE-2009-3940