VirtualBox: Multiple vulnerabilities
1. Gentoo Linux Security Advisory
Version Information
| Advisory Reference | GLSA 201001-04 / virtualbox-bin virtualbox-ose virtualbox-guest-additions virtualbox-ose-additions |
| Release Date | January 13, 2010 |
| Latest Revision | January 13, 2010: 01 |
| Impact | normal |
| Exploitable | local |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| app-emulation/virtualbox-bin | < 3.0.12 | >= 3.0.12 | All supported architectures |
| app-emulation/virtualbox-ose | < 3.0.12 | >= 3.0.12 | All supported architectures |
| app-emulation/virtualbox-guest-additions | < 3.0.12 | >= 3.0.12 | All supported architectures |
| app-emulation/virtualbox-ose-additions | < 3.0.12 | >= 3.0.12 | All supported architectures |
Related bugreports: #288836, #294678
Synopsis
Multiple vulnerabilities were found in VirtualBox, the worst of which
allows privilege escalation.
2. Impact Information
Background
The VirtualBox family provides powerful x86 virtualization products.
Description
Thomas Biege of SUSE discovered multiple vulnerabilities:
- A shell metacharacter injection in popen() (CVE-2009-3692) and
a possible buffer overflow in strncpy() in the VBoxNetAdpCtl
configuration tool.
- An unspecified vulnerability in VirtualBox
Guest Additions (CVE-2009-3940).
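The popen() and strncpy() issues named above belong to a common bug class in privileged helper tools. The following C sketch is an added illustration, not VirtualBox code and not part of the advisory: it shows the usual hardening (allowlist validation, a bounded copy that always terminates, and exec without a shell). The function names, the 16-byte limit and the sample names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define NAME_MAX_LEN 16 /* assumed limit for this sketch (Linux IFNAMSIZ is 16) */

/* Pattern behind this bug class, shown only as a comment:
 *   snprintf(cmd, sizeof cmd, "tool %s", name);  popen(cmd, "r");
 * popen() hands cmd to /bin/sh, so metacharacters in name are interpreted.
 * strncpy(dst, name, sizeof dst) leaves dst unterminated if name fills it. */

/* Allowlist check: 1 if name is 1..15 alphanumeric characters, else 0. */
int name_is_valid(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len >= NAME_MAX_LEN) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i])) return 0;
    return 1;
}

/* Bounded copy that always terminates dst; -1 if name does not fit. */
int name_copy(char *dst, size_t dstsz, const char *name) {
    size_t len = strlen(name);
    if (dstsz == 0 || len >= dstsz) return -1;
    memcpy(dst, name, len + 1);
    return 0;
}

/* Run tool with name as one argv element and a fixed environment; no shell
 * is involved. Returns the exit status, or -1 on rejection or failure. */
int run_tool(const char *tool, const char *name) {
    if (!name_is_valid(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)name, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(tool, argv, envp);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { /* constructed sample names */
    printf("%d %d\n", name_is_valid("net0"), name_is_valid("net0;x"));
    return 0;
}
```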
Impact
A local, unprivileged attacker with the permission to run VirtualBox
could gain root privileges. A guest OS local user could cause a Denial
of Service (memory consumption) on the guest OS via unknown vectors.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All users of the binary version of VirtualBox should upgrade to the
latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-bin-3.0.12"
All users of the Open Source version of VirtualBox should upgrade to
the latest version:
Code Listing 3.2: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-3.0.12"
All users of the binary VirtualBox Guest Additions should upgrade to
the latest version:
Code Listing 3.3: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-guest-additions-3.0.12"
All users of the Open Source VirtualBox Guest Additions should upgrade
to the latest version:
Code Listing 3.4: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-ose-additions-3.0.12"
4. References