[Pkg-virtualbox-devel] Bug#735410: Information on recent VBox CVEs

Matthew Daley mattd at bugfuzz.com
Sat Feb 8 12:14:08 UTC 2014


I've recently released some more detailed information on these CVEs
that can hopefully help out; see

(In addition, another author has written up
<http://seclists.org/dailydave/2014/q1/21> about CVE-2013-5892.)

In summary:

CVE-2013-5892 = guest root -> host user mode (at minimum) code execution
CVE-2014-0407 = host userspace information leak to guest root
CVE-2014-0405 = guest user mode -> guest kernel mode code execution
(Windows guests with the additions driver (in
virtualbox-guest-additions-iso in non-free) only, as has already been
brought up)
CVE-2014-0406 = DoS (via out-of-bounds read) of host VBox process by guest root
CVE-2014-0404 = DoS (via triggering of incorrect assertion) of host
VBox process by guest root

- Matthew

More information about the Pkg-virtualbox-devel mailing list