[Pkg-virtualbox-devel] Bug#690777: Bug#690777: virtualbox: CVE-2012-3221

[Frank Mehnert]

On Wednesday 17 October 2012 15:20:58 Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Oracle fixed an unspecified security issue in their latest Patch Update:
> http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
> 
> CVE-2012-3221	Oracle VM Virtual Box	None	VirtualBox
> Core		No	2.1	Local	Low	None	None	None  Partial+  3.2, 4.0, 4.1
> 
> Please get in touch with upstream and ask them for a fix.

The problem was fixed by this changeset:

https://www.virtualbox.org/changeset/43068/vbox

The fix is part of VirtualBox 4.1.22 and 4.2.0. Distributions which
provide an older package need probably an update but the changeset
should apply cleanly.

The complete investigation is described here:

http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz

Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20121017/f98ef0ab/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20121017/f98ef0ab/attachment-0003.pgp>