Debian Bug report logs -
#690777
virtualbox: CVE-2012-3221
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 17 Oct 2012 13:27:01 UTC
Severity: grave
Tags: security
Fixed in version virtualbox/4.1.18-dfsg-1.1
Done: Michael Gilbert <mgilbert@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#690777; Package virtualbox.
(Wed, 17 Oct 2012 13:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 17 Oct 2012 13:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: virtualbox
Severity: grave
Tags: security
Justification: user security hole
Oracle fixed an unspecified security issue in their latest Patch Update:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
CVE-2012-3221 Oracle VM Virtual Box None VirtualBox Core No 2.1 Local Low None None None Partial+ 3.2, 4.0, 4.1
Please get in touch with upstream and ask them for a fix.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#690777; Package virtualbox.
(Wed, 17 Oct 2012 14:21:14 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Mehnert <frank.mehnert@oracle.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 17 Oct 2012 14:21:14 GMT) (full text, mbox, link).
Message #10 received at 690777@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Wednesday 17 October 2012 15:20:58 Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Oracle fixed an unspecified security issue in their latest Patch Update:
> http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
>
> CVE-2012-3221 Oracle VM Virtual Box None VirtualBox
> Core No 2.1 Local Low None None None Partial+ 3.2, 4.0, 4.1
>
> Please get in touch with upstream and ask them for a fix.
The problem was fixed by this changeset:
https://www.virtualbox.org/changeset/43068/vbox
The fix is part of VirtualBox 4.1.22 and 4.2.0. Distributions which
provide an older package need probably an update but the changeset
should apply cleanly.
The complete investigation is described here:
http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/
Kind regards,
Frank
--
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany
Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz
Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
[Message part 2 (text/html, inline)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#690777; Package virtualbox.
(Thu, 18 Oct 2012 22:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Thu, 18 Oct 2012 22:39:03 GMT) (full text, mbox, link).
Message #15 received at 690777@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi, I've uploaded an nmu fixing this issue. See attached patch.
Best wishes,
Mike
[virtualbox.patch (application/octet-stream, attachment)]
Reply sent
to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility.
(Thu, 18 Oct 2012 22:51:11 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Thu, 18 Oct 2012 22:51:11 GMT) (full text, mbox, link).
Message #20 received at 690777-close@bugs.debian.org (full text, mbox, reply):
Source: virtualbox
Source-Version: 4.1.18-dfsg-1.1
We believe that the bug you reported is fixed in the latest version of
virtualbox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 690777@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated virtualbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 18 Oct 2012 14:20:28 -0400
Source: virtualbox
Binary: virtualbox-qt virtualbox virtualbox-dbg virtualbox-dkms virtualbox-source virtualbox-guest-dkms virtualbox-guest-source virtualbox-guest-x11 virtualbox-guest-utils virtualbox-fuse virtualbox-ose-qt virtualbox-ose virtualbox-ose-dbg virtualbox-ose-dkms virtualbox-ose-source virtualbox-ose-guest-dkms virtualbox-ose-guest-source virtualbox-ose-guest-x11 virtualbox-ose-guest-utils virtualbox-ose-fuse
Architecture: source amd64 all
Version: 4.1.18-dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
virtualbox - x86 virtualization solution - base binaries
virtualbox-dbg - x86 virtualization solution - debugging symbols
virtualbox-dkms - x86 virtualization solution - kernel module sources for dkms
virtualbox-fuse - x86 virtualization solution - virtual filesystem
virtualbox-guest-dkms - x86 virtualization solution - guest addition module source for dk
virtualbox-guest-source - x86 virtualization solution - guest addition module source
virtualbox-guest-utils - x86 virtualization solution - non-X11 guest utilities
virtualbox-guest-x11 - x86 virtualization solution - X11 guest utilities
virtualbox-ose - transitional package for virtualbox
virtualbox-ose-dbg - transitional package for virtualbox-dbg
virtualbox-ose-dkms - transitional package for virtualbox-dkms
virtualbox-ose-fuse - transitional package for virtualbox-fuse
virtualbox-ose-guest-dkms - transitional package for virtualbox-guest-dkms
virtualbox-ose-guest-source - transitional package for virtualbox-guest-source
virtualbox-ose-guest-utils - transitional package for virtualbox-guest-utils
virtualbox-ose-guest-x11 - transitional package for virtualbox-guest-x11
virtualbox-ose-qt - transitional package for virtualbox-qt
virtualbox-ose-source - transitional package for virtualbox-source
virtualbox-qt - x86 virtualization solution - Qt based user interface
virtualbox-source - x86 virtualization solution - kernel module source
Closes: 690777
Changes:
virtualbox (4.1.18-dfsg-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix cve-2012-3221: missing privilege check for task gate switches
(closes: 690777).
Checksums-Sha1:
e9437241d222ce148a2d928323e5e934a757d811 4801 virtualbox_4.1.18-dfsg-1.1.dsc
b4d9205dd6c4de25c6c8e9e662f168adff6943b7 97083 virtualbox_4.1.18-dfsg-1.1.debian.tar.gz
a57301afd300ca7e9dcc9787aa0e3a9adc932cb6 4180052 virtualbox-qt_4.1.18-dfsg-1.1_amd64.deb
dc89abf68a129bc43a5154e707de2bf945a7069d 12713022 virtualbox_4.1.18-dfsg-1.1_amd64.deb
43eb445ef1ed919722f17ab47a581cad4eecadbb 51379744 virtualbox-dbg_4.1.18-dfsg-1.1_amd64.deb
d4ac5206e1b74e7f2e7bb4ed13b12df97b212dcf 498514 virtualbox-dkms_4.1.18-dfsg-1.1_all.deb
081e7728f13f56136f3f88c1d2a9c890e8575235 590252 virtualbox-source_4.1.18-dfsg-1.1_all.deb
1548d2b8728befb6f79763d0e50577fe68a09097 436866 virtualbox-guest-dkms_4.1.18-dfsg-1.1_all.deb
a589d2f8861238fd7342cd8cd76dec88bce71505 531994 virtualbox-guest-source_4.1.18-dfsg-1.1_all.deb
11c7e43d83d50c3180c2138c55852004a6f97ecb 849472 virtualbox-guest-x11_4.1.18-dfsg-1.1_amd64.deb
290c696093024118fb9ce98eb90c1e96bcd41409 307840 virtualbox-guest-utils_4.1.18-dfsg-1.1_amd64.deb
c5bbb3b7ba917b8238c807c56372ce1af007841a 43458 virtualbox-fuse_4.1.18-dfsg-1.1_amd64.deb
d8eabc874aba14c3fc35c617ffe3793f8fc0d2c7 40506 virtualbox-ose-qt_4.1.18-dfsg-1.1_all.deb
f11c98bfad14be48f0ee5efb7ff99c2b1ad33faf 40496 virtualbox-ose_4.1.18-dfsg-1.1_all.deb
bee73a9f9edcd4414265f4d646c7cd1eddd77723 40506 virtualbox-ose-dbg_4.1.18-dfsg-1.1_all.deb
e83ac0c9c94128be16111dc3bf5cd733a8e603c0 40508 virtualbox-ose-dkms_4.1.18-dfsg-1.1_all.deb
7b817deecd95ad0893cf0a2fdcbe69ebb555652b 40512 virtualbox-ose-source_4.1.18-dfsg-1.1_all.deb
b179d346815f396055edd61adb1075f1712221a5 40522 virtualbox-ose-guest-dkms_4.1.18-dfsg-1.1_all.deb
bd2eb8d1f9c35af837253ec1a072a56f3e7c7cc1 40520 virtualbox-ose-guest-source_4.1.18-dfsg-1.1_all.deb
ed846ba01e99cdd451ab1c3f276724d4e2e190a1 40518 virtualbox-ose-guest-x11_4.1.18-dfsg-1.1_all.deb
8ee2bf8f4d1187806060a889b6b13e7669dc9864 40520 virtualbox-ose-guest-utils_4.1.18-dfsg-1.1_all.deb
dc8d6b98a2f8b3f81bf0192905756dbc28288bb3 40508 virtualbox-ose-fuse_4.1.18-dfsg-1.1_all.deb
Checksums-Sha256:
c0dc1b45023127207cfc220bbf318b2359e7674dc3e8b5c205055d315aa268af 4801 virtualbox_4.1.18-dfsg-1.1.dsc
21bd1f87ec9bcf1a651d764e68096aa67121ef8bac56fbd2b6ec1552e4e89a7d 97083 virtualbox_4.1.18-dfsg-1.1.debian.tar.gz
4fb8e4ec9eb51ba128613ab1e277245b3c556876466a2f3620b07bc683d253f2 4180052 virtualbox-qt_4.1.18-dfsg-1.1_amd64.deb
0dee4a1edaef0179d1125bde5657dc3b12ebc1096e820f5ac0a7cff3acd9d7f6 12713022 virtualbox_4.1.18-dfsg-1.1_amd64.deb
719fb4b08747f567926514e13da205d4d875ceb57d57891453884b5eadb88275 51379744 virtualbox-dbg_4.1.18-dfsg-1.1_amd64.deb
10db2cd7cd21bf687147b846988a29f91d1cbc20eb1330a7b1549cba8c552a0c 498514 virtualbox-dkms_4.1.18-dfsg-1.1_all.deb
97fe5cb9cb025991fb3f4792690c6df402c6597497b3e0572002ead26aaf3387 590252 virtualbox-source_4.1.18-dfsg-1.1_all.deb
d1354b73d8857bacedcdca93920e9be53798058ae8be132fdb3ea918e4cbec36 436866 virtualbox-guest-dkms_4.1.18-dfsg-1.1_all.deb
e70cdfa9fd47d2804ade8484b780c1b9c5f23f925b063eac2c6faa96e2eb9878 531994 virtualbox-guest-source_4.1.18-dfsg-1.1_all.deb
a4260418154b193df63335f56e4dfb2804051ab6e3668170b3bb6b210df80f0a 849472 virtualbox-guest-x11_4.1.18-dfsg-1.1_amd64.deb
3604be6b89bb7af1f085f51498e6c226205e76ee3d36404a86b025e6c59ffac1 307840 virtualbox-guest-utils_4.1.18-dfsg-1.1_amd64.deb
3b204f448fa15ca2fe19f13166d1d2f2782c3e35abefe4e65b33821e955fa0ae 43458 virtualbox-fuse_4.1.18-dfsg-1.1_amd64.deb
56acf4b6e5c2451eb2bbd6eebc79cfdff0d46bc926e3948baf747626707ef7b2 40506 virtualbox-ose-qt_4.1.18-dfsg-1.1_all.deb
eb6d81beeab3cc581e645f11a092a8c8b6368e410f7523256480c4b8259ec1a3 40496 virtualbox-ose_4.1.18-dfsg-1.1_all.deb
36ee6314295aac507c7c1c8fcbd7a57cedf1031c3805f33eb05e908369eb4dcd 40506 virtualbox-ose-dbg_4.1.18-dfsg-1.1_all.deb
9874cb8ac60106ec028f59fe89e49a81f567bca759fd5d4d7730c2393df2ae2e 40508 virtualbox-ose-dkms_4.1.18-dfsg-1.1_all.deb
60b96d541c4419270ad26e6697550da527d76b0948b3546c7d531a0211b05451 40512 virtualbox-ose-source_4.1.18-dfsg-1.1_all.deb
5ab59289442b1416d417550fe8e2898b13b007b5f41d2e784cb26c0940c56378 40522 virtualbox-ose-guest-dkms_4.1.18-dfsg-1.1_all.deb
366337ca0e3a43d63f48201be8f0a03f15b42eafe8e7ab7211e6aabad724562e 40520 virtualbox-ose-guest-source_4.1.18-dfsg-1.1_all.deb
0c29329ecb3081ebeb33f012780524a564185d77e867b21529f708482614d61b 40518 virtualbox-ose-guest-x11_4.1.18-dfsg-1.1_all.deb
18465329c87fbf205f2d272abb890ca18cfb99fd3a0551d77dbe10662c1e62c8 40520 virtualbox-ose-guest-utils_4.1.18-dfsg-1.1_all.deb
ba2f68cc4cf77b70187c396b3f714ba9e9fa10fb6e3556799efdc8fbe279164e 40508 virtualbox-ose-fuse_4.1.18-dfsg-1.1_all.deb
Files:
7f0674b44162d6196feaba9fcb03fbda 4801 misc optional virtualbox_4.1.18-dfsg-1.1.dsc
d8bf4d5b329537e673cac7c93a926331 97083 misc optional virtualbox_4.1.18-dfsg-1.1.debian.tar.gz
17c53c0dd1a6cd718e53a95076dfaf7c 4180052 misc optional virtualbox-qt_4.1.18-dfsg-1.1_amd64.deb
588303219f682c0dda7cdb42845d8701 12713022 misc optional virtualbox_4.1.18-dfsg-1.1_amd64.deb
8c4525d3dfb45706685589434aa46c5d 51379744 debug extra virtualbox-dbg_4.1.18-dfsg-1.1_amd64.deb
615e6db6f977d3c3c4ee07114fed9133 498514 kernel optional virtualbox-dkms_4.1.18-dfsg-1.1_all.deb
afe7160cfd93b6fcca0263453757e167 590252 kernel optional virtualbox-source_4.1.18-dfsg-1.1_all.deb
4b97fdabfb6335b72146e1f559270ae9 436866 kernel optional virtualbox-guest-dkms_4.1.18-dfsg-1.1_all.deb
ed3ee4cfaa92c2c63b76d82a89034ee8 531994 kernel optional virtualbox-guest-source_4.1.18-dfsg-1.1_all.deb
cefa52e59b7f9c1306d9d2933817e445 849472 x11 optional virtualbox-guest-x11_4.1.18-dfsg-1.1_amd64.deb
06ef52b859ca24805a63d2550cb21f13 307840 misc optional virtualbox-guest-utils_4.1.18-dfsg-1.1_amd64.deb
5215b987cdb13192e3223dc01d0787f1 43458 misc optional virtualbox-fuse_4.1.18-dfsg-1.1_amd64.deb
05f0a443c1be980d8e7d82b113c1f18a 40506 oldlibs extra virtualbox-ose-qt_4.1.18-dfsg-1.1_all.deb
87bbfb069ed6bcee214af1cd08b8ed79 40496 oldlibs extra virtualbox-ose_4.1.18-dfsg-1.1_all.deb
413d25d3abe7b496c98660e9d278500e 40506 oldlibs extra virtualbox-ose-dbg_4.1.18-dfsg-1.1_all.deb
4c10fa3ffd5f4417227a9fa0747edec3 40508 oldlibs extra virtualbox-ose-dkms_4.1.18-dfsg-1.1_all.deb
6746f316a63c53bbbcead211d7df04c1 40512 oldlibs extra virtualbox-ose-source_4.1.18-dfsg-1.1_all.deb
ca92cabf3691049d6ecb04c790f324e5 40522 oldlibs extra virtualbox-ose-guest-dkms_4.1.18-dfsg-1.1_all.deb
a8db27d578721c9edb80fd9042c65bf3 40520 oldlibs extra virtualbox-ose-guest-source_4.1.18-dfsg-1.1_all.deb
05c7656d5ca4a7ee4a8611a30c180269 40518 oldlibs extra virtualbox-ose-guest-x11_4.1.18-dfsg-1.1_all.deb
a390286c5636f1a78968787be23f0750 40520 oldlibs extra virtualbox-ose-guest-utils_4.1.18-dfsg-1.1_all.deb
c91dfc46df3b607d1158dba60ee6e844 40508 oldlibs extra virtualbox-ose-fuse_4.1.18-dfsg-1.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQQcBAEBCAAGBQJQgHGPAAoJELjWss0C1vRzmjsf/3defKCYsi2vxAUiUHqc6kKg
x8h5QzFm48ApXac4wpOag5Hd9XWr4CtkRQie8xduWlLJZ4nf8u2DEwuUci6KxnTA
Dwhk+gf2AqzuS/DEmeld77/VkVbtEUfgFBnxK/zkUve7P18yecW4tktgZRaRyOCP
MZuyhNyrxTzpdubagKJCVAimjLghXjIFczF2TqXtr2Wq9/KfTCBp98VpTT61AHQ+
nsPTxYJjjZO3eLZOFo8+z6v7V5kVTvQ+2Em8QA31iG/KGpU/Hv0D09RfmB6nFEI9
sBuPTqg8YrGtbOB5E2V9WqQtpl39fDuwv/CzvzpJ407DCphNSnFEvuMfzCJj19uh
o78UNWfVMYPfPV0HL9tKsTW9iOCiJPNIq+dNjkwXNuu/pT/e6JLNsZiFvL2yM1Uv
iToPQD4HTNf0lt6MHFlBEJlNeBhRqjw+YS9Fje3/s8Iy33qSf2SlwYLq5Otqvwoh
hcxsvMiwgapSCQ2nhXCtxfptr62PNleQcPo+ym/q7UcQZM1U3Q6Tkz3XH1chBsl5
iFndWp+ma6ar7/3D+J4BlH2upmtM1ocV8HQKR4ENF9S581x2scyo6G+f4xPVuHzu
Knwx0zWIkeSeiUMrTbnLZioZ60GCbeY7kdCfJyDGBJ7pMKmsrJ1YfjvsAJ7Qi/H+
s/54t1+JA3DH0nxnqIlCBE3uVVPXPEDsQVpymBH4OY/UCULvThysoZjmpGzA2VqK
L9d/41eWhzyyfr0LpURzaOpD8uT12SA2hOnmERZU7OZObEZVdy7KwKNZHYoGGpKd
zNngOonhIKdS77mrnpcDZU5xg8YWUbJjrcxLtWvJPR5P5MatI5UP7neQimo1mSyu
N7V0toi4FczB0sCXQDq3MHpyj6LLfXTPwvDDKSg5039okGTgHqUNmrKtvYj/VyXY
jMLHX1M8ZuBiPZ0f/jonvrjaR7rluu1OHHemW1kPJ/M8yooTshRe5fCdM829zdr9
D/f79Txv3bM/lxvI+5s/dGamx0qBP5pc4o1svkp7eXuo1IuUUExFscNzRuY8VtlB
ZxjVrDO0kRmqHTLcAHKLU3ti7z3RumVPLrcB2xDw5wE6Jf1P7+pEh7lfxMZSyIf2
hca5jYLRCivBX322VVtqWc0aiizmwTEDX6XVdhJaF/U1RM5P7RYglx84Gd3hNX+m
3sB51YdWv4VTnY48NzqSDSJoTH3fisFgLYAypItbKPJz2ZKoYvc9ANR0/26UBJM6
PYmfFWepRXmvXRRTf143jIeDjzCKn4B04ARCremLMjZCg+iKPsgsgK6wz+A/sYKh
zI31EEM/uzdCKTEYBlJ7OzrmcWmXI23AcDjZq1Xp1RWCwR4kt0o+9CBbtplRtM4=
=vsiZ
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 18 Nov 2012 07:28:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:21:30 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon