[Pkg-virtualbox-devel] Bug#741602: virtualbox: CVE-2014-0981 CVE-2014-0982 CVE-2014-0983
Felix Geyer
fgeyer at debian.org
Mon Apr 14 11:20:30 UTC 2014
Hi Moritz,
On 14.03.2014 13:11, Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> please see
> http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities
Attached are tested debdiffs for squeeze- and wheezy-security.
Please let me know if I can upload them to security-master.
Cheers,
Felix
-------------- next part --------------
diff -u virtualbox-ose-3.2.10-dfsg/debian/changelog virtualbox-ose-3.2.10-dfsg/debian/changelog
--- virtualbox-ose-3.2.10-dfsg/debian/changelog
+++ virtualbox-ose-3.2.10-dfsg/debian/changelog
@@ -1,3 +1,12 @@
+virtualbox-ose (3.2.10-dfsg-1+squeeze3) squeeze-security; urgency=high
+
+ * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
+ - CVE-2014-0981, CVE-2014-0983
+ - Backport fixes from version 3.2.22 in debian/patches/CVE-2014-0981.patch
+ and debian/patches/CVE-2014-0983.patch
+
+ -- Felix Geyer <fgeyer at debian.org> Mon, 14 Apr 2014 11:33:29 +0200
+
virtualbox-ose (3.2.10-dfsg-1+squeeze2) squeeze-security; urgency=high
* Apply fixes from the January 2014 security advisory. (Closes: #735410)
diff -u virtualbox-ose-3.2.10-dfsg/debian/patches/series virtualbox-ose-3.2.10-dfsg/debian/patches/series
--- virtualbox-ose-3.2.10-dfsg/debian/patches/series
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/series
@@ -14,0 +15,2 @@
+CVE-2014-0981.patch
+CVE-2014-0983.patch
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0981.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0981.patch
@@ -0,0 +1,52 @@
+--- a/src/VBox/GuestHost/OpenGL/util/net.c
++++ b/src/VBox/GuestHost/OpenGL/util/net.c
+@@ -956,7 +956,7 @@
+ conn->InstantReclaim( conn, (CRMessage *) msg );
+ }
+
+-
++#ifdef IN_GUEST
+ /**
+ * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+ * message. Writeback is used to implement glGet*() functions.
+@@ -989,7 +989,7 @@
+ (*writeback)--;
+ crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+
+ /**
+ * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1067,13 +1067,21 @@
+ }
+ break;
+ case CR_MESSAGE_READ_PIXELS:
+- crError( "Can't handle read pixels" );
++ crWarning( "Can't handle read pixels" );
+ return;
+ case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+ crNetRecvWriteback( &(pRealMsg->writeback) );
++#else
++ crWarning("CR_MESSAGE_WRITEBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+ crNetRecvReadback( &(pRealMsg->readback), len );
++#else
++ crWarning("CR_MESSAGE_READBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_CRUT:
+ /* nothing */
+@@ -1091,7 +1099,7 @@
+ {
+ char string[128];
+ crBytesToString( string, sizeof(string), msg, len );
+- crError("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
++ crWarning("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
+ "Did you add a new message type and forget to tell "
+ "crNetDefaultRecv() about it?\n",
+ msg->header.type, string );
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0983.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0983.patch
@@ -0,0 +1,69 @@
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
+@@ -46,6 +46,7 @@
+ for func_name in keys:
+ current = 0
+ array = ""
++ condition = ""
+ m = re.search( r"^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -68,6 +69,7 @@
+ name = "texCoord"
+ type = m.group(3) + m.group(2)
+ array = "[texture-GL_TEXTURE0_ARB]"
++ condition = "if (texture >= GL_TEXTURE0_ARB && texture < GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)"
+ m = re.match( r"^(Index)(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -91,18 +93,23 @@
+ name = string.lower( m.group(1)[:1] ) + m.group(1)[1:]
+ type = m.group(3) + m.group(2)
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ if func_name == "VertexAttrib4NubARB":
+ current = 1
+ name = "vertexAttrib"
+ type = "ub4"
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+
+ if current:
+ params = apiutil.Parameters(func_name)
+ print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( func_name, apiutil.MakeDeclarationString(params) )
+ print '{'
+- print '\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
+- print "\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t%s' % (condition)
++ print '\t{'
++ print '\t\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
++ print "\t\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t}'
+ print '}\n'
+
+ print """
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
+@@ -92,7 +92,21 @@
+ rbid = (GLuint) *get_values;
+ *get_values = (%s) crStateRBOHWIDtoID(rbid);
+ }
+- """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
++ else if (GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS==pname)
++ {
++ if (CR_MAX_TEXTURE_UNITS < (GLuint)*get_values)
++ {
++ *get_values = (%s)CR_MAX_TEXTURE_UNITS;
++ }
++ }
++ else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname)
++ {
++ if (CR_MAX_VERTEX_ATTRIBS < (GLuint)*get_values)
++ {
++ *get_values = (%s)CR_MAX_VERTEX_ATTRIBS;
++ }
++ }
++ """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
+ print '\tcrServerReturnValue( get_values, tablesize );'
+ print '\tcrFree(get_values);'
+ print '}\n'
-------------- next part --------------
diff -Nru virtualbox-4.1.18-dfsg/debian/changelog virtualbox-4.1.18-dfsg/debian/changelog
--- virtualbox-4.1.18-dfsg/debian/changelog 2014-03-09 19:47:46.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/changelog 2014-04-14 11:24:39.000000000 +0200
@@ -1,3 +1,12 @@
+virtualbox (4.1.18-dfsg-2+deb7u3) wheezy-security; urgency=high
+
+ * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
+ - CVE-2014-0981, CVE-2014-0983
+ - Backport fixes from version 4.1.32 in debian/patches/CVE-2014-0981.patch
+ and debian/patches/CVE-2014-0983.patch
+
+ -- Felix Geyer <fgeyer at debian.org> Mon, 14 Apr 2014 11:19:01 +0200
+
virtualbox (4.1.18-dfsg-2+deb7u2) wheezy-security; urgency=high
* Apply fixes from the January 2014 security advisory. (Closes: #735410)
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch 1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch 2014-04-14 11:18:57.000000000 +0200
@@ -0,0 +1,53 @@
+diff -Nur VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c
+--- VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c 2014-01-10 17:21:21.000000000 +0100
++++ VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c 2014-03-14 08:18:19.000000000 +0100
+@@ -957,7 +957,7 @@
+ conn->InstantReclaim( conn, (CRMessage *) msg );
+ }
+
+-
++#ifdef IN_GUEST
+ /**
+ * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+ * message. Writeback is used to implement glGet*() functions.
+@@ -990,7 +990,7 @@
+ (*writeback)--;
+ crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+
+ /**
+ * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1068,13 +1068,21 @@
+ }
+ break;
+ case CR_MESSAGE_READ_PIXELS:
+- crError( "Can't handle read pixels" );
++ crWarning( "Can't handle read pixels" );
+ return;
+ case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+ crNetRecvWriteback( &(pRealMsg->writeback) );
++#else
++ crWarning("CR_MESSAGE_WRITEBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+ crNetRecvReadback( &(pRealMsg->readback), len );
++#else
++ crWarning("CR_MESSAGE_READBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_CRUT:
+ /* nothing */
+@@ -1092,7 +1100,7 @@
+ {
+ char string[128];
+ crBytesToString( string, sizeof(string), msg, len );
+- crError("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
++ crWarning("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
+ "Did you add a new message type and forget to tell "
+ "crNetDefaultRecv() about it?\n",
+ msg->header.type, string );
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch 1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch 2014-04-14 11:18:29.000000000 +0200
@@ -0,0 +1,62 @@
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
+@@ -46,6 +46,7 @@
+ for func_name in keys:
+ current = 0
+ array = ""
++ condition = ""
+ m = re.search( r"^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -68,6 +69,7 @@
+ name = "texCoord"
+ type = m.group(3) + m.group(2)
+ array = "[texture-GL_TEXTURE0_ARB]"
++ condition = "if (texture >= GL_TEXTURE0_ARB && texture < GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)"
+ m = re.match( r"^(Index)(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -91,18 +93,23 @@
+ name = string.lower( m.group(1)[:1] ) + m.group(1)[1:]
+ type = m.group(3) + m.group(2)
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ if func_name == "VertexAttrib4NubARB":
+ current = 1
+ name = "vertexAttrib"
+ type = "ub4"
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+
+ if current:
+ params = apiutil.Parameters(func_name)
+ print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( func_name, apiutil.MakeDeclarationString(params) )
+ print '{'
+- print '\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
+- print "\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t%s' % (condition)
++ print '\t{'
++ print '\t\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
++ print "\t\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t}'
+ print '}\n'
+
+ print """
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
+@@ -113,7 +113,14 @@
+ *get_values = (%s)CR_MAX_TEXTURE_UNITS;
+ }
+ }
+- """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
++ else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname)
++ {
++ if (CR_MAX_VERTEX_ATTRIBS < (GLuint)*get_values)
++ {
++ *get_values = (%s)CR_MAX_VERTEX_ATTRIBS;
++ }
++ }
++ """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
+ print '\tcrServerReturnValue( get_values, tablesize );'
+ print '\tcrFree(get_values);'
+ print '}\n'
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/series virtualbox-4.1.18-dfsg/debian/patches/series
--- virtualbox-4.1.18-dfsg/debian/patches/series 2014-01-28 21:12:08.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/series 2014-04-14 11:25:14.000000000 +0200
@@ -18,3 +18,5 @@
CVE-2013-0420.patch
37-wheezy-kernel-drm.patch
38-security-fixes-2014-01.patch
+CVE-2014-0981.patch
+CVE-2014-0983.patch
More information about the Pkg-virtualbox-devel
mailing list