[Pkg-virtualbox-devel] Bug#775888: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

Frank Mehnert frank.mehnert at oracle.com
Wed Jan 21 15:03:14 UTC 2015


Hi Gianfranco,

On Wednesday 21 January 2015 14:28:53 Gianfranco Costamagna wrote:
> >Most CVEs from that CPU are related to the experimental VMSVGA
> >implementation. This code is not documented and not announced and
> >regular users will not use it. Therefore I suggest you just disable
> >that code by setting
> >
> >  VBOX_WITH_VMSVGA=
> >  VBOX_WITH_VMSVGA3D=
> >
> >This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
> >CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
> >lengthy, therefore disabling this code is IMO the best solution.
> 
> I presume starting from version 4.0 everything needs to be patched by
> disabling it?

That code only exists in VBox 4.3.x; older branches are not affected.

> >CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
> >CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
> 
> do you have any patch for <= 4.2.x then?

Attached.

> 4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18

These patches are against the latest code in the respective branches but
I hope they apply to these old versions. Sorry but it's not possible to
support such old versions, we only support the latest versions of a
specific branch.

> 4.3.20 (not affected at all I presume)

Correct, already contains fixes for all these problems.

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_3.2_cve_2015_0377
Type: text/x-patch
Size: 853 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_3.2_cve_2015_0418
Type: text/x-patch
Size: 1587 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_4.0_cve_2015_0377
Type: text/x-patch
Size: 822 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_4.0_cve_2015_0418
Type: text/x-patch
Size: 1599 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_4.1_cve_2015_0377
Type: text/x-patch
Size: 810 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_4.1_cve_2015_0418
Type: text/x-patch
Size: 1599 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_4.2_cve_2015_0377
Type: text/x-patch
Size: 810 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_vbox_4.2_cve_2015_0418
Type: text/x-patch
Size: 1599 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20150121/a530740a/attachment-0007.bin>