[Pkg-virtualbox-devel] Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Ritesh Raj Sarraf
rrs at researchut.com
Wed Jan 21 07:45:53 UTC 2015
On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
>
> No specific details available yet:
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
>
> Cheers,
> Moritz
>
The following matrix is what I could grab.
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2014-6595 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6588 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6589 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6590 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2015-0427 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2015-0418 | Oracle VM VirtualBox | None | Core | No | 2.1 | Local | Low | None | None | None | Partial+ | VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28 |
*Notes:*
1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
3. VMSVGA virtual graphics device is not documented and is disabled by
default.
@Moritz: There's nothing more detailed than the statement that all
versions prior to 4.3.20 are vulnerable.
4.3.20 is in experimental right now.
--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."