[Pkg-virtualbox-devel] Bug#741602: virtualbox: CVE-2014-0981 CVE-2014-0982 CVE-2014-0983

Felix Geyer fgeyer at debian.org
Mon Apr 14 11:20:30 UTC 2014


Hi Moritz,

On 14.03.2014 13:11, Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> please see 
> http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities

Attached are tested debdiffs for squeeze- and wheezy-security.
Please let me know if I can upload them to security-master.

Cheers,
Felix
-------------- next part --------------
diff -u virtualbox-ose-3.2.10-dfsg/debian/changelog virtualbox-ose-3.2.10-dfsg/debian/changelog
--- virtualbox-ose-3.2.10-dfsg/debian/changelog
+++ virtualbox-ose-3.2.10-dfsg/debian/changelog
@@ -1,3 +1,12 @@
+virtualbox-ose (3.2.10-dfsg-1+squeeze3) squeeze-security; urgency=high
+
+  * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
+    - CVE-2014-0981, CVE-2014-0983
+    - Backport fixes from version 3.2.22 in debian/patches/CVE-2014-0981.patch
+      and debian/patches/CVE-2014-0983.patch
+
+ -- Felix Geyer <fgeyer at debian.org>  Mon, 14 Apr 2014 11:33:29 +0200
+
 virtualbox-ose (3.2.10-dfsg-1+squeeze2) squeeze-security; urgency=high
 
   * Apply fixes from the January 2014 security advisory. (Closes: #735410)
diff -u virtualbox-ose-3.2.10-dfsg/debian/patches/series virtualbox-ose-3.2.10-dfsg/debian/patches/series
--- virtualbox-ose-3.2.10-dfsg/debian/patches/series
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/series
@@ -14,0 +15,2 @@
+CVE-2014-0981.patch
+CVE-2014-0983.patch
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0981.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0981.patch
@@ -0,0 +1,52 @@
+--- a/src/VBox/GuestHost/OpenGL/util/net.c
++++ b/src/VBox/GuestHost/OpenGL/util/net.c
+@@ -956,7 +956,7 @@
+     conn->InstantReclaim( conn, (CRMessage *) msg );
+ }
+ 
+-
++#ifdef IN_GUEST
+ /**
+  * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+  * message.  Writeback is used to implement glGet*() functions.
+@@ -989,7 +989,7 @@
+     (*writeback)--;
+     crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+ 
+ /**
+  * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1067,13 +1067,21 @@
+             }
+             break;
+         case CR_MESSAGE_READ_PIXELS:
+-            crError( "Can't handle read pixels" );
++            crWarning( "Can't handle read pixels" );
+             return;
+         case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+             crNetRecvWriteback( &(pRealMsg->writeback) );
++#else
++            crWarning("CR_MESSAGE_WRITEBACK not expected\n");
++#endif
+             return;
+         case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+             crNetRecvReadback( &(pRealMsg->readback), len );
++#else
++            crWarning("CR_MESSAGE_READBACK not expected\n");
++#endif
+             return;
+         case CR_MESSAGE_CRUT:
+             /* nothing */
+@@ -1091,7 +1099,7 @@
+             {
+                 char string[128];
+                 crBytesToString( string, sizeof(string), msg, len );
+-                crError("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
++                crWarning("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
+                                 "Did you add a new message type and forget to tell "
+                                 "crNetDefaultRecv() about it?\n",
+                                 msg->header.type, string );
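Review bot: In the `default:` branch of crNetDefaultRecv the call changes from `crError` to `crWarning`, but the code after that call lies outside the hunk, so it is not visible whether a message of unknown type is now discarded or carried on into normal dispatch. If crError did not return before, this branch should end with an explicit `return;` after the warning, as the READ_PIXELS, WRITEBACK and READBACK cases do, so that a malformed message is dropped on the host. Separately, the patch is named for CVE-2014-0981 only, yet it compiles out both the writeback and the readback handler for non-guest builds; the bug title also lists CVE-2014-0982, so if the writeback gate is the fix for that one, the changelog entry should name it. Both remarks apply equally to the 4.1.18 (wheezy) copy of this patch further down.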
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0983.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0983.patch
@@ -0,0 +1,69 @@
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
+@@ -46,6 +46,7 @@
+ for func_name in keys:
+     current = 0
+     array = ""
++    condition = ""
+     m = re.search( r"^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$", func_name )
+     if m :
+         current = 1
+@@ -68,6 +69,7 @@
+         name = "texCoord"
+         type = m.group(3) + m.group(2)
+         array = "[texture-GL_TEXTURE0_ARB]"
++        condition = "if (texture >= GL_TEXTURE0_ARB && texture < GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)"
+     m = re.match( r"^(Index)(ub|b|us|s|ui|i|f|d)$", func_name )
+     if m :
+         current = 1
+@@ -91,18 +93,23 @@
+         name = string.lower( m.group(1)[:1] ) + m.group(1)[1:]
+         type = m.group(3) + m.group(2)
+         array = "[index]"
++        condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+     if func_name == "VertexAttrib4NubARB":
+         current = 1
+         name = "vertexAttrib"
+         type = "ub4"
+         array = "[index]"
++        condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ 
+     if current:
+         params = apiutil.Parameters(func_name)
+         print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( func_name, apiutil.MakeDeclarationString(params) )
+         print '{'
+-        print '\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
+-        print "\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++        print '\t%s' % (condition)
++        print '\t{'
++        print '\t\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
++        print "\t\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++        print '\t}'
+         print '}\n' 
+ 
+ print """
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
+@@ -92,7 +92,21 @@
+         rbid = (GLuint) *get_values;
+         *get_values = (%s) crStateRBOHWIDtoID(rbid);
+     }
+-    """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
++    else if (GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS==pname)
++    {
++        if (CR_MAX_TEXTURE_UNITS < (GLuint)*get_values)
++        {
++            *get_values = (%s)CR_MAX_TEXTURE_UNITS;
++        }
++    }
++    else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname)
++    {
++        if (CR_MAX_VERTEX_ATTRIBS < (GLuint)*get_values)
++        {
++            *get_values = (%s)CR_MAX_VERTEX_ATTRIBS;
++        }
++    }
++    """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
+     print '\tcrServerReturnValue( get_values, tablesize );'
+     print '\tcrFree(get_values);'
+     print '}\n'
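Review bot: When the generated `condition` is false, the emitted crServerDispatch* function does nothing and leaves no trace, so an out-of-range `texture` or `index` argument is dropped silently. Emitting an `else` branch after the closing `print '\t}'` when a condition is set, for example `if condition: print '\telse crWarning("crServerDispatch%s: argument out of range");' % func_name`, would give the host log something to alert on. For functions that leave `condition` empty the generator now prints a line holding only a tab before the brace, which is harmless C but could be avoided by printing that line only when a condition is set. The `for func_name in keys:` body starts and continues outside these hunks, so other branches that set `array` could not be checked for a matching `condition`. The same remarks apply to the wheezy copy of server_dispatch.py below.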
-------------- next part --------------
diff -Nru virtualbox-4.1.18-dfsg/debian/changelog virtualbox-4.1.18-dfsg/debian/changelog
--- virtualbox-4.1.18-dfsg/debian/changelog	2014-03-09 19:47:46.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/changelog	2014-04-14 11:24:39.000000000 +0200
@@ -1,3 +1,12 @@
+virtualbox (4.1.18-dfsg-2+deb7u3) wheezy-security; urgency=high
+
+  * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
+    - CVE-2014-0981, CVE-2014-0983
+    - Backport fixes from version 4.1.32 in debian/patches/CVE-2014-0981.patch
+      and debian/patches/CVE-2014-0983.patch
+
+ -- Felix Geyer <fgeyer at debian.org>  Mon, 14 Apr 2014 11:19:01 +0200
+
 virtualbox (4.1.18-dfsg-2+deb7u2) wheezy-security; urgency=high
 
   * Apply fixes from the January 2014 security advisory. (Closes: #735410)
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch	1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch	2014-04-14 11:18:57.000000000 +0200
@@ -0,0 +1,53 @@
+diff -Nur VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c
+--- VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c	2014-01-10 17:21:21.000000000 +0100
++++ VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c	2014-03-14 08:18:19.000000000 +0100
+@@ -957,7 +957,7 @@
+     conn->InstantReclaim( conn, (CRMessage *) msg );
+ }
+ 
+-
++#ifdef IN_GUEST
+ /**
+  * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+  * message.  Writeback is used to implement glGet*() functions.
+@@ -990,7 +990,7 @@
+     (*writeback)--;
+     crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+ 
+ /**
+  * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1068,13 +1068,21 @@
+             }
+             break;
+         case CR_MESSAGE_READ_PIXELS:
+-            crError( "Can't handle read pixels" );
++            crWarning( "Can't handle read pixels" );
+             return;
+         case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+             crNetRecvWriteback( &(pRealMsg->writeback) );
++#else
++            crWarning("CR_MESSAGE_WRITEBACK not expected\n");
++#endif
+             return;
+         case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+             crNetRecvReadback( &(pRealMsg->readback), len );
++#else
++            crWarning("CR_MESSAGE_READBACK not expected\n");
++#endif
+             return;
+         case CR_MESSAGE_CRUT:
+             /* nothing */
+@@ -1092,7 +1100,7 @@
+             {
+                 char string[128];
+                 crBytesToString( string, sizeof(string), msg, len );
+-                crError("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
++                crWarning("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
+                                 "Did you add a new message type and forget to tell "
+                                 "crNetDefaultRecv() about it?\n",
+                                 msg->header.type, string );
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch	1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch	2014-04-14 11:18:29.000000000 +0200
@@ -0,0 +1,62 @@
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
+@@ -46,6 +46,7 @@
+ for func_name in keys:
+     current = 0
+     array = ""
++    condition = ""
+     m = re.search( r"^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$", func_name )
+     if m :
+         current = 1
+@@ -68,6 +69,7 @@
+         name = "texCoord"
+         type = m.group(3) + m.group(2)
+         array = "[texture-GL_TEXTURE0_ARB]"
++        condition = "if (texture >= GL_TEXTURE0_ARB && texture < GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)"
+     m = re.match( r"^(Index)(ub|b|us|s|ui|i|f|d)$", func_name )
+     if m :
+         current = 1
+@@ -91,18 +93,23 @@
+         name = string.lower( m.group(1)[:1] ) + m.group(1)[1:]
+         type = m.group(3) + m.group(2)
+         array = "[index]"
++        condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+     if func_name == "VertexAttrib4NubARB":
+         current = 1
+         name = "vertexAttrib"
+         type = "ub4"
+         array = "[index]"
++        condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ 
+     if current:
+         params = apiutil.Parameters(func_name)
+         print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( func_name, apiutil.MakeDeclarationString(params) )
+         print '{'
+-        print '\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
+-        print "\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++        print '\t%s' % (condition)
++        print '\t{'
++        print '\t\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
++        print "\t\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++        print '\t}'
+         print '}\n' 
+ 
+ print """
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
+@@ -113,7 +113,14 @@
+     		*get_values = (%s)CR_MAX_TEXTURE_UNITS;
+     	} 
+     }
+-    """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
++    else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname) 
++    { 
++         if (CR_MAX_VERTEX_ATTRIBS < (GLuint)*get_values) 
++         { 
++             *get_values = (%s)CR_MAX_VERTEX_ATTRIBS; 
++         }  
++    } 
++    """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
+     print '\tcrServerReturnValue( get_values, tablesize );'
+     print '\tcrFree(get_values);'
+     print '}\n'
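Review bot: The template in server_simpleget.py is filled from a positional tuple that repeats `types[index]` once per `%s`, now twelve times here and ten in the squeeze version of this patch above. Every added clamp has to bump that count by hand, and a mismatch only shows up as a TypeError when the generator runs at build time. A mapping-style format, `%(type)s` in the template with `% {'type': types[index]}`, would remove the counting. Since this is a backport, staying identical to upstream may be preferable, in which case a comment next to the tuple stating that its length must equal the number of `%s` placeholders would do. The template string opens outside the hunk, so the count of the earlier placeholders could not be checked from here.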
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/series virtualbox-4.1.18-dfsg/debian/patches/series
--- virtualbox-4.1.18-dfsg/debian/patches/series	2014-01-28 21:12:08.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/series	2014-04-14 11:25:14.000000000 +0200
@@ -18,3 +18,5 @@
 CVE-2013-0420.patch
 37-wheezy-kernel-drm.patch
 38-security-fixes-2014-01.patch
+CVE-2014-0981.patch
+CVE-2014-0983.patch

