Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201001-04 ] VirtualBox: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1547

PostPosted: Wed Jan 13, 2010 10:26 pm    Post subject: [ GLSA 201001-04 ] VirtualBox: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: VirtualBox: Multiple vulnerabilities (GLSA 201001-04)
Severity: normal
Exploitable: local
Date: January 13, 2010
Bug(s): #288836, #294678
ID: 201001-04

Synopsis


Multiple vulnerabilities in VirtualBox were found, the worst of which
allowing for privilege escalation.


Background


The VirtualBox family provides powerful x86 virtualization products.


Affected Packages

Package: app-emulation/virtualbox-bin
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures

Package: app-emulation/virtualbox-ose
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures

Package: app-emulation/virtualbox-guest-additions
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures

Package: app-emulation/virtualbox-ose-additions
Vulnerable: < 3.0.12
Unaffected: >= 3.0.12
Architectures: All supported architectures


Description


Thomas Biege of SUSE discovered multiple vulnerabilities:
  • A shell metacharacter injection in popen() (CVE-2009-3692) and
    a possible buffer overflow in strncpy() in the VBoxNetAdpCtl
    configuration tool.
  • An unspecified vulnerability in VirtualBox
    Guest Additions (CVE-2009-3940).


Impact


A local, unprivileged attacker with the permission to run VirtualBox
could gain root privileges. A guest OS local user could cause a Denial
of Service (memory consumption) on the guest OS via unknown vectors.


Workaround


There is no known workaround at this time.


Resolution


All users of the binary version of VirtualBox should upgrade to the
latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-bin-3.0.12"

All users of the Open Source version of VirtualBox should upgrade to
the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-3.0.12"

All users of the binary VirtualBox Guest Additions should upgrade to
the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-guest-additions-3.0.12"

All users of the Open Source VirtualBox Guest Additions should upgrade
to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-additions-3.0.12"


References

CVE-2009-3692
CVE-2009-3940
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum