[Pkg-virtualbox-devel] virtualbox security issue but no DSA.

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Wed Nov 18 08:38:02 UTC 2015


Hi, I use the mail list to keep track of the issue.

talking about CVE-2015-7183.

I fixed it on sid/stretch (5.0.10-dfsg-1)

and I pushed on virtualbox.git/ {jessie/wheezy} branches the fixes for it too.

Let me know if I can do a security upload or not, I'm planning to do this for Ubuntu right now
https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1517161

so, since the package is ready I can upload if needed :)
(note: upstream wasn't sure the CVE exploit was possible on virtualbox, but they said "better safe than sorry" and released almost targeted updates for each maintenance branch).

Looking at the diff of the new 4.1.44 and 4.3.34, it seems that they released a new update with almost only this fix.
(this makes me think that the CVE was exploitable on a deeper upstream analysis, but I have no evidence, just saying)

cheers,

G.


