[Pkg-virtualbox-devel] Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

Moritz Muehlenhoff jmm at inutil.org
Wed Jan 21 07:53:37 UTC 2015


On Wed, Jan 21, 2015 at 01:15:53PM +0530, Ritesh Raj Sarraf wrote:
> On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
> > Package: virtualbox
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > No specific details available yet:
> > http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> >
> > Cheers,
> >         Moritz
> >
> 
> The following matrix is what I could grab.
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR
> 
> CVE            Component             Protocol  Sub-component  Remote exploit w/o auth?  CVSS 2.0 base  Access vector  Complexity  Auth    Conf  Integ     Avail     Supported versions affected                           Notes
> CVE-2014-6595  Oracle VM VirtualBox  None      VMSVGA device  No                        3.2            Local          Low         Single  None  Partial+  Partial+  VirtualBox prior to 4.3.20                            See Note 3
> CVE-2014-6588  Oracle VM VirtualBox  None      VMSVGA device  No                        3.2            Local          Low         Single  None  Partial+  Partial+  VirtualBox prior to 4.3.20                            See Note 3
> CVE-2014-6589  Oracle VM VirtualBox  None      VMSVGA device  No                        3.2            Local          Low         Single  None  Partial+  Partial+  VirtualBox prior to 4.3.20                            See Note 3
> CVE-2014-6590  Oracle VM VirtualBox  None      VMSVGA device  No                        3.2            Local          Low         Single  None  Partial+  Partial+  VirtualBox prior to 4.3.20                            See Note 3
> CVE-2015-0427  Oracle VM VirtualBox  None      VMSVGA device  No                        3.2            Local          Low         Single  None  Partial+  Partial+  VirtualBox prior to 4.3.20                            See Note 3
> CVE-2015-0418  Oracle VM VirtualBox  None      Core           No                        2.1            Local          Low         None    None  None      Partial+  VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28
> 
> *Notes:*
> 
>  1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
>  2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
>     CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
>  3. VMSVGA virtual graphics device is not documented and is disabled by
>     default.
> 
> @Moritz: There's nothing more detailed than the statement that all
> versions prior to 4.3.20 are vulnerable.
> 4.3.20 is in experimental right now.

In the past someone from upstream posted the upstream commits to the
bug log, maybe you can contact them for more information so that
we can merge the isolated fixes into the jessie version?

Cheers,
        Moritz
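As an added example (not part of the bug report and not code from the VirtualBox project), the following Python script encodes the version ranges from the matrix quoted above and checks a Debian-style installed version string against them, so a maintainer can quickly see which of the six CVEs a given package version falls under. It assumes that "prior to X" in the Oracle matrix applies per major.minor branch (a version on a branch with no listed fix is reported as "not listed" rather than guessed at); the version strings in the usage are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Advisory(NamedTuple):
    cve: str
    subcomponent: str
    cvss_base: float
    fixed_in: Tuple[str, ...]  # fixed upstream version(s) as stated in the matrix
    note: str


# Constructed from the Oracle CPU January 2015 matrix rows quoted in this thread.
VMSVGA_NOTE = "VMSVGA device is undocumented and disabled by default (Note 3)"
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2014-6595", "VMSVGA device", 3.2, ("4.3.20",), VMSVGA_NOTE),
    Advisory("CVE-2014-6588", "VMSVGA device", 3.2, ("4.3.20",), VMSVGA_NOTE),
    Advisory("CVE-2014-6589", "VMSVGA device", 3.2, ("4.3.20",), VMSVGA_NOTE),
    Advisory("CVE-2014-6590", "VMSVGA device", 3.2, ("4.3.20",), VMSVGA_NOTE),
    Advisory("CVE-2015-0427", "VMSVGA device", 3.2, ("4.3.20",), VMSVGA_NOTE),
    Advisory("CVE-2015-0418", "Core", 2.1,
             ("3.2.26", "4.0.28", "4.1.36", "4.2.28"), ""),
]


def parse_upstream_version(debian_version: str) -> Tuple[int, int, int]:
    """Reduce a Debian version like '1:4.3.18-dfsg-2' to the upstream (major, minor, patch).

    The optional epoch before ':' and the Debian revision after the first '-' are
    dropped; only the upstream x.y.z part is compared against the advisory.
    """
    upstream = debian_version.split(":")[-1].split("-")[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unrecognised VirtualBox version string: {debian_version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def status(installed: str, fixed_in: Tuple[str, ...]) -> str:
    """Classify an installed version against the fixed versions of one advisory.

    Assumption (labelled in the lead-in): each listed fix applies to its own
    major.minor branch. A branch the matrix does not mention is 'not listed'.
    """
    v = parse_upstream_version(installed)
    for fixed in fixed_in:
        f = parse_upstream_version(fixed)
        if f[:2] == v[:2]:
            return "affected" if v < f else "fixed"
    return "not listed"


def assess(installed: str) -> Dict[str, str]:
    """Map every CVE in the matrix to affected / fixed / not listed for this version."""
    return {a.cve: status(installed, a.fixed_in) for a in ADVISORIES}


def report(installed: str) -> List[str]:
    """Human-readable lines, one per CVE, including the mitigating note where one applies."""
    lines = []
    for a in ADVISORIES:
        line = f"{a.cve} ({a.subcomponent}, CVSS {a.cvss_base}): {status(installed, a.fixed_in)}"
        if a.note:
            line += f"  [{a.note}]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Constructed sample version strings, not taken from the Debian archive.
    for sample in ("4.3.18-dfsg-1", "4.3.20-dfsg-1", "4.1.18-dfsg-2"):
        print(f"== {sample}")
        for line in report(sample):
            print("  " + line)
```

The `assess()` result is what a maintainer would act on: a 4.3.x package below 4.3.20 is affected by all five VMSVGA issues but, per Note 3, only if the undocumented VMSVGA device has been enabled; the Core issue CVE-2015-0418 lists fixes only for the 3.2, 4.0, 4.1 and 4.2 branches, so the script deliberately reports "not listed" for a 4.3.x version instead of inferring either way.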