[Pkg-virtualbox-devel] Bug#785424: virtualbox: CVE-2015-3456: floppy driver host code execution
Salvatore Bonaccorso
carnil at debian.org
Sat May 16 03:54:13 UTC 2015
Source: virtualbox
Version: 4.1.18-dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Hi,
the following vulnerability was published for virtualbox.
CVE-2015-3456[0]:
| The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and
| earlier and KVM, allows local guest users to cause a denial of service
| (out-of-bounds write and guest crash) or possibly execute arbitrary
| code via the (1) FD_CMD_READ_ID, (2)
| FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka
| VENOM.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3456
[1] http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
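The CVE text above names the defect class (an out-of-bounds write in an emulated floppy controller, driven by guest-supplied command bytes) without showing it. The following C program is an added illustration, not code from this bug report, from QEMU or from VirtualBox: it models a device command FIFO with a guest-controlled write cursor, places the unchecked data path beside a bounds-checked one, and counts how many bytes of adjacent device state each path disturbs. Every name here (`toy_fdc`, `toy_fdc_write_unchecked`, `toy_fdc_write_checked`, the 16-byte FIFO, the 0xAA fill) is constructed for the example and says nothing about the real layout of either hypervisor's FDC.

```c
/* Toy model of a guest-facing command FIFO, constructed for illustration;
 * this is not QEMU's or VirtualBox's floppy controller code. It shows the
 * defect class the advisory describes (an out-of-bounds write driven by
 * guest-supplied command bytes) beside the bounds check that closes it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIFO_SIZE 16                 /* bytes the command FIFO may hold */
#define MEM_SIZE  (FIFO_SIZE + 16)   /* FIFO followed by other device state */

typedef struct {
    uint8_t  mem[MEM_SIZE];  /* mem[0..15] is the FIFO, mem[16..] adjacent state */
    size_t   data_pos;       /* next index a guest data byte is stored at */
    size_t   data_len;       /* parameter bytes the current command expects */
    unsigned rejected;       /* writes refused by the hardened path */
} toy_fdc;

void toy_fdc_init(toy_fdc *f) {
    memset(f, 0, sizeof *f);
    /* fill the adjacent state with a recognisable pattern so clobbering shows */
    memset(f->mem + FIFO_SIZE, 0xAA, MEM_SIZE - FIFO_SIZE);
}

/* A command handler resets the cursor and declares how many parameter bytes
 * it will accept. Returns -1 if the command could never fit the FIFO. */
int toy_fdc_begin_command(toy_fdc *f, size_t param_bytes) {
    if (param_bytes > FIFO_SIZE) return -1;
    f->data_pos = 0;
    f->data_len = param_bytes;
    return 0;
}

/* Unchecked data path: trusts data_pos and keeps advancing it past the FIFO.
 * The MEM_SIZE guard only keeps this toy itself memory-safe; within that
 * limit it overwrites whatever device state follows the buffer. */
int toy_fdc_write_unchecked(toy_fdc *f, uint8_t v) {
    if (f->data_pos >= MEM_SIZE) return -1;   /* model-only guard */
    f->mem[f->data_pos] = v;
    return (int)f->data_pos++;
}

/* Hardened data path: a byte is stored only if it lies inside the FIFO and
 * inside the byte count the current command declared; anything else is
 * dropped and counted, which is also a useful signal to log. */
int toy_fdc_write_checked(toy_fdc *f, uint8_t v) {
    if (f->data_pos >= f->data_len || f->data_pos >= FIFO_SIZE) {
        f->rejected++;
        return -1;
    }
    f->mem[f->data_pos] = v;
    return (int)f->data_pos++;
}

/* Feed n guest-supplied bytes through one of the two paths and return how
 * many bytes of the adjacent device state were modified. */
unsigned toy_fdc_feed(toy_fdc *f, int (*write)(toy_fdc *, uint8_t), size_t n) {
    for (size_t i = 0; i < n; i++)
        write(f, (uint8_t)(0x10 + i));       /* constructed guest data */
    unsigned clobbered = 0;
    for (size_t i = FIFO_SIZE; i < MEM_SIZE; i++)
        if (f->mem[i] != 0xAA) clobbered++;
    return clobbered;
}

int main(void) {
    toy_fdc f;
    toy_fdc_init(&f);
    toy_fdc_begin_command(&f, 4);            /* command declares 4 parameter bytes */
    printf("unchecked path: %u adjacent bytes clobbered\n",
           toy_fdc_feed(&f, toy_fdc_write_unchecked, 20));
    toy_fdc_init(&f);
    toy_fdc_begin_command(&f, 4);
    printf("checked path: %u adjacent bytes clobbered, %u writes rejected\n",
           toy_fdc_feed(&f, toy_fdc_write_checked, 20), f.rejected);
    return 0;
}
```

Feeding 20 bytes to a command that declared 4 lets the unchecked path run into the adjacent state, while the checked path stores the 4 expected bytes and refuses the other 16. The check is deliberately against both limits: the per-command length catches a handler that never resets the cursor, and the buffer size catches a command whose declared length is wrong.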