[Pkg-virtualbox-devel] Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

Ritesh Raj Sarraf rrs at researchut.com
Wed Jan 21 09:08:36 UTC 2015


Yes. We'll talk to the upstream folks.

s3nt fr0m a $martph0ne, excuse typ0s
On Jan 21, 2015 1:28 PM, "Moritz Muehlenhoff" <jmm at inutil.org> wrote:

> On Wed, Jan 21, 2015 at 01:15:53PM +0530, Ritesh Raj Sarraf wrote:
> > On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
> > > Package: virtualbox
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > >
> > > No specific details available yet:
> > >
> > > http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> > >
> > > Cheers,
> > >         Moritz
> > >
> >
> > The following matrix is what I could grab.
> >
> >
> > http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR
> >
> > CVE-2014-6595    Oracle VM VirtualBox    None    VMSVGA device    No    3.2    Local    Low    Single    None    Partial+    Partial+    VirtualBox prior to 4.3.20    See Note 3
> > CVE-2014-6588    Oracle VM VirtualBox    None    VMSVGA device    No    3.2    Local    Low    Single    None    Partial+    Partial+    VirtualBox prior to 4.3.20    See Note 3
> > CVE-2014-6589    Oracle VM VirtualBox    None    VMSVGA device    No    3.2    Local    Low    Single    None    Partial+    Partial+    VirtualBox prior to 4.3.20    See Note 3
> > CVE-2014-6590    Oracle VM VirtualBox    None    VMSVGA device    No    3.2    Local    Low    Single    None    Partial+    Partial+    VirtualBox prior to 4.3.20    See Note 3
> > CVE-2015-0427    Oracle VM VirtualBox    None    VMSVGA device    No    3.2    Local    Low    Single    None    Partial+    Partial+    VirtualBox prior to 4.3.20    See Note 3
> > CVE-2015-0418    Oracle VM VirtualBox    None    Core    No    2.1    Local    Low    None    None    None    Partial+    VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28
> >
> > *Notes:*
> >
> >  1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
> >  2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
> >     CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
> >  3. VMSVGA virtual graphics device is not documented and is disabled by
> >     default.
> >
> > @Moritz: There's nothing more detailed than the statement that all
> > versions prior to 4.3.20 are vulnerable.
> > 4.3.20 is in experimental right now.
>
> In the past someone from upstream posted the upstream commits to the
> bug log, maybe you can contact them for more information so that
> we can merge the isolated fixes into the jessie version?
>
> Cheers,
>         Moritz
>