Debian Bug report logs -
#635276
CVE-2011-2305 / CVE-2011-2300
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 24 Jul 2011 16:21:01 UTC
Severity: grave
Tags: security
Found in version virtualbox/4.0.10-dfsg-1
Done: Felix Geyer <debfx-pkg@fobos.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>: Bug#635276; Package virtualbox-ose. (Sun, 24 Jul 2011 16:21:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Sun, 24 Jul 2011 16:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: virtualbox-ose
Version: 4.0.10-dfsg-1
Severity: grave
Tags: security
Does this affect the versions in Debian?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2300
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>: Bug#635276; Package virtualbox-ose. (Tue, 26 Jul 2011 20:15:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 26 Jul 2011 20:15:03 GMT)
Message #10 received at 635276@bugs.debian.org:
On Sun, Jul 24, 2011 at 06:20:33PM +0200, Moritz Muehlenhoff wrote:
> Package: virtualbox-ose
> Version: 4.0.10-dfsg-1
> Severity: grave
> Tags: security
>
> Does this affect the versions in Debian?
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2305
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2300
I asked for details on oss-security:
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
To: oss-security@lists.openwall.com
On Tue, Jul 26, 2011 at 11:19 AM, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Hi,
> does anyone have further information on
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2300 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2305
> and whether it affects the open source version of Virtual Box?
>
These issues were found by Tarjei Mandt, and are described in this blog post:
http://mista.nu/blog/author/mista/
CVE-2011-2300 allows gaining elevated privileges within a Windows
guest due to a vulnerability in the Windows Guest Additions.
CVE-2011-2305 allows executing arbitrary code on the host due to a
vulnerability in the VirtualBox graphics stack.
Tarjei found these issues via code auditing, so it follows that they
affect the open source version of VirtualBox.
-Dan
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>: Bug#635276; Package virtualbox-ose. (Wed, 27 Jul 2011 09:03:04 GMT)
Acknowledgement sent to Michael Meskes <meskes@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 27 Jul 2011 09:03:06 GMT)
Message #15 received at 635276@bugs.debian.org:
> These issues were found by Tarjei Mandt, and are described in this blog post:
> http://mista.nu/blog/author/mista/
>
> CVE-2011-2300 allows gaining elevated privileges within a Windows
> guest due to a vulnerability in the Windows Guest Additions.
It's impossible to check the details here because we only distribute the
Windows Guest Additions as binary in non-free. According to the blog entry
4.0.10, the version in unstable and testing, is fine. I cannot tell from our
sources if the old 3.2.10 version in stable is affected at all. However, if it
was, there is no way to update that package short of uploading the new 4.0
version to stable.
> CVE-2011-2305 allows executing arbitrary code on the host due to a
> vulnerability in the VirtualBox graphics stack.
This one affects only the version in backports. Unstable and testing already
have 4.0.10 which already contains the fix and stable has 3.2.10 which didn't
have the problem.
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at googlemail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
Reply sent to Felix Geyer <debfx-pkg@fobos.de>: You have taken responsibility. (Thu, 28 Jul 2011 13:39:10 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Thu, 28 Jul 2011 13:39:10 GMT)
Message #20 received at 635276-done@bugs.debian.org:
I'm closing this bug as Michael has updated the version in backports
to 4.0.10 and we can't fix virtualbox-guest-additions in stable.
Moritz, can you update the security tracker?
The version information in the original CVEs is wrong, see
http://vbox.innotek.de/pipermail/vbox-dev/2011-July/004383.html
CVE-2011-2300 affects the virtualbox-guest-additions (not virtualbox-ose)
package in squeeze.
CVE-2011-2305 doesn't affect any version in Debian.
Felix
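The version triage Michael and Felix arrive at in the two messages above (CVE-2011-2305 fixed from 4.0.10 with 3.2.10 unaffected; CVE-2011-2300 affecting the virtualbox-guest-additions package in squeeze) can be checked mechanically, provided the comparison follows dpkg's version ordering rather than a naive "version < fixed" test. The following is an added example, not code from the bug log or from the Debian virtualbox packaging: it re-implements dpkg's version comparison rules in Python and applies the thread's conclusions to a constructed list of suites and versions. The 4.0.0 lower bound for CVE-2011-2305, the 3.2.10-1 guest-additions version and the 4.0.8-dfsg-1~bpo60+1 backports version are assumptions, not values from the page.

```python
"""Triage of the CVEs from Debian bug #635276 against Debian package versions.

Added example, not part of the bug log.  _verrevcmp() follows dpkg's rules:
epoch first, then upstream, then revision; '~' sorts before everything
(including end of string), letters before non-letters, digit runs numerically.
"""


def _order(c: str) -> int:
    """dpkg character weight: digits 0, letters by code point, '~' lowest,
    any other character after all letters (end of string is 0, see caller)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str):
    """Split [epoch:]upstream[-revision]; the revision follows the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:          # no '-' present: rpartition left everything in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Ranges as concluded in the thread: (source package, introduced, fixed); a
# version is affected when introduced <= version < fixed, introduced=None
# meaning every earlier version.  The 4.0.0 lower bound is an ASSUMPTION: the
# thread only says 3.2.10 is unaffected and the 4.0.x backport was affected.
AFFECTED = {
    "CVE-2011-2305": [("virtualbox-ose", "4.0.0", "4.0.10")],
    "CVE-2011-2300": [("virtualbox-guest-additions", None, "4.0.10")],
}


def is_affected(cve: str, source: str, version: str) -> bool:
    for pkg, introduced, fixed in AFFECTED.get(cve, ()):
        if pkg != source:
            continue
        if introduced is not None and compare_versions(version, introduced) < 0:
            continue
        if compare_versions(version, fixed) < 0:
            return True
    return False


def triage(installed):
    """installed: iterable of (suite, source, version) -> {entry: [open CVEs]}."""
    return {e: [c for c in sorted(AFFECTED) if is_affected(c, e[1], e[2])] for e in installed}


# Constructed sample mirroring the suites discussed; the backports and
# guest-additions version strings are assumed, not taken from the page.
SAMPLE = [
    ("squeeze", "virtualbox-ose", "3.2.10-dfsg-1"),
    ("squeeze", "virtualbox-guest-additions", "3.2.10-1"),
    ("squeeze-backports", "virtualbox-ose", "4.0.8-dfsg-1~bpo60+1"),
    ("wheezy", "virtualbox-ose", "4.0.10-dfsg-1"),
]

if __name__ == "__main__":
    for (suite, src, ver), cves in triage(SAMPLE).items():
        print(f"{suite:18} {src:28} {ver:22} {', '.join(cves) or 'not affected'}")
```

Two details matter for the triage: a "~bpo" revision sorts below the plain revision it is derived from, which is why a backport can be replaced in place by the stable-style 4.0.10-dfsg-1 upload Felix mentions, and a bare "version < 4.0.10" test would wrongly flag squeeze's 3.2.10, which the thread records as unaffected; the per-CVE lower bound is what keeps that case out.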
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Aug 2011 07:37:15 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:27:28 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.