Debian Bug report logs -
#698292
virtualbox: CVE-2013-0420
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 16 Jan 2013 13:06:01 UTC
Severity: grave
Tags: patch, security
Fixed in version virtualbox/4.1.18-dfsg-2
Done: Felix Geyer <debfx-pkg@fobos.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#698292; Package virtualbox.
(Wed, 16 Jan 2013 13:06:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 16 Jan 2013 13:06:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: virtualbox
Severity: grave
Tags: security
Justification: user security hole
The latest VirtualBox update round fixed an unspecified security issue:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
Can you contact upstream for an isolated patch to apply to Wheezy?
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#698292; Package virtualbox.
(Wed, 16 Jan 2013 14:45:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Mehnert <frank.mehnert@oracle.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 16 Jan 2013 14:45:07 GMT) (full text, mbox, link).
Message #10 received at 698292@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
On Wednesday 16 January 2013 13:59:57 Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The latest VirtualBox update round fixed an unspecified security issue:
> http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
>
> Can you contact upstream for an isolated patch to apply to Wheezy?
The fix can be found in
https://www.virtualbox.org/changeset/44055/vbox
Please ignore the change in DevVGA.h, this change is not necessary.
Kind regards,
Frank
--
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany
Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz
Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#698292; Package virtualbox.
(Wed, 16 Jan 2013 18:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 16 Jan 2013 18:45:06 GMT) (full text, mbox, link).
Message #15 received at 698292@bugs.debian.org (full text, mbox, reply):
Hi,
tags 698292 patch
thanks
> The fix can be found in
>
> https://www.virtualbox.org/changeset/44055/vbox
>
> Please ignore the change in DevVGA.h, this change is not necessary.
I've cast the change into a patch which I am attaching. Also attaching
the debdiff for a possible NMU.
Cheers,
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Added tag(s) patch.
Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
to control@bugs.debian.org.
(Wed, 16 Jan 2013 18:45:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#698292; Package virtualbox.
(Wed, 16 Jan 2013 18:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 16 Jan 2013 18:54:03 GMT) (full text, mbox, link).
Message #22 received at 698292@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Forgot the attachments, sorry.
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
[virtualbox-4.1.18-dfsg-1.2.patch (text/x-diff, attachment)]
[CVE-2013-0420.patch (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#698292; Package virtualbox.
(Wed, 16 Jan 2013 20:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Felix Geyer <fgeyer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 16 Jan 2013 20:45:05 GMT) (full text, mbox, link).
Message #27 received at 698292@bugs.debian.org (full text, mbox, reply):
On 16.01.2013 19:50, John Paul Adrian Glaubitz wrote:
> Forgot the attachments, sorry.
>
> Adrian
>
The debdiff looks good but uploading it is blocked by kbuild
bug #697892.
Felix
Reply sent
to Felix Geyer <debfx-pkg@fobos.de>:
You have taken responsibility.
(Sat, 19 Jan 2013 20:54:04 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Sat, 19 Jan 2013 20:54:04 GMT) (full text, mbox, link).
Message #32 received at 698292-close@bugs.debian.org (full text, mbox, reply):
Source: virtualbox
Source-Version: 4.1.18-dfsg-2
We believe that the bug you reported is fixed in the latest version of
virtualbox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 698292@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <debfx-pkg@fobos.de> (supplier of updated virtualbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 19 Jan 2013 18:05:25 +0100
Source: virtualbox
Binary: virtualbox-qt virtualbox virtualbox-dbg virtualbox-dkms virtualbox-source virtualbox-guest-dkms virtualbox-guest-source virtualbox-guest-x11 virtualbox-guest-utils virtualbox-fuse virtualbox-ose-qt virtualbox-ose virtualbox-ose-dbg virtualbox-ose-dkms virtualbox-ose-source virtualbox-ose-guest-dkms virtualbox-ose-guest-source virtualbox-ose-guest-x11 virtualbox-ose-guest-utils virtualbox-ose-fuse
Architecture: source amd64 all
Version: 4.1.18-dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Changed-By: Felix Geyer <debfx-pkg@fobos.de>
Description:
virtualbox - x86 virtualization solution - base binaries
virtualbox-dbg - x86 virtualization solution - debugging symbols
virtualbox-dkms - x86 virtualization solution - kernel module sources for dkms
virtualbox-fuse - x86 virtualization solution - virtual filesystem
virtualbox-guest-dkms - x86 virtualization solution - guest addition module source for dk
virtualbox-guest-source - x86 virtualization solution - guest addition module source
virtualbox-guest-utils - x86 virtualization solution - non-X11 guest utilities
virtualbox-guest-x11 - x86 virtualization solution - X11 guest utilities
virtualbox-ose - transitional package for virtualbox
virtualbox-ose-dbg - transitional package for virtualbox-dbg
virtualbox-ose-dkms - transitional package for virtualbox-dkms
virtualbox-ose-fuse - transitional package for virtualbox-fuse
virtualbox-ose-guest-dkms - transitional package for virtualbox-guest-dkms
virtualbox-ose-guest-source - transitional package for virtualbox-guest-source
virtualbox-ose-guest-utils - transitional package for virtualbox-guest-utils
virtualbox-ose-guest-x11 - transitional package for virtualbox-guest-x11
virtualbox-ose-qt - transitional package for virtualbox-qt
virtualbox-ose-source - transitional package for virtualbox-source
virtualbox-qt - x86 virtualization solution - Qt based user interface
virtualbox-source - x86 virtualization solution - kernel module source
Closes: 698292
Changes:
virtualbox (4.1.18-dfsg-2) unstable; urgency=high
.
[ John Paul Adrian Glaubitz ]
* Include patch to fix virtual graphics device user
vulnerability CVE-2013-0420. (Closes: #698292)
Checksums-Sha1:
35248d61661878a27a2a1a1c57db7321b6023ecd 4099 virtualbox_4.1.18-dfsg-2.dsc
493d94e4f8b6fcd492c26e40f551320defaffa02 96481 virtualbox_4.1.18-dfsg-2.debian.tar.gz
de36995fe73cfdd557660f6d00907f1c2310703b 4225194 virtualbox-qt_4.1.18-dfsg-2_amd64.deb
b0ef7ffb44f4c0b9f5558ab4146f7fba5dea7fb0 12747362 virtualbox_4.1.18-dfsg-2_amd64.deb
467c7ad352e1309edbb61c36384b2741c6b80339 51430014 virtualbox-dbg_4.1.18-dfsg-2_amd64.deb
d72ca0eebdcb212e5b2e7f0fe3123225f9db46c2 497238 virtualbox-dkms_4.1.18-dfsg-2_all.deb
7bd63b9ef1dca4cfc07a232b04b517eb6d8c04d5 596948 virtualbox-source_4.1.18-dfsg-2_all.deb
9919af081e6a66881c37f14b4e5adeb9ce1bb36e 435238 virtualbox-guest-dkms_4.1.18-dfsg-2_all.deb
93990834bcde19a423116956768cc8ad1b07dd3f 538314 virtualbox-guest-source_4.1.18-dfsg-2_all.deb
72464ef7bded6d278c186bbf10ab0ff5674d62a3 853440 virtualbox-guest-x11_4.1.18-dfsg-2_amd64.deb
42e5114360de1b925b11a3c795d71b8da96cbc8b 306866 virtualbox-guest-utils_4.1.18-dfsg-2_amd64.deb
6becfdb6adfa594499c368b958912632ca224bf2 43532 virtualbox-fuse_4.1.18-dfsg-2_amd64.deb
d784139b0ca8dc3bc0df439f3d6ab281c9490144 40604 virtualbox-ose-qt_4.1.18-dfsg-2_all.deb
cc7d9f27289b4b0dae22636b90f2d2aaa6f90739 40598 virtualbox-ose_4.1.18-dfsg-2_all.deb
bc3d58a1d5dff6320dfa02a44fec9efe48d16888 40604 virtualbox-ose-dbg_4.1.18-dfsg-2_all.deb
dbbc5d873a3d4e9a283c29a1db5bee0e8d4d76e7 40608 virtualbox-ose-dkms_4.1.18-dfsg-2_all.deb
ddbb5de000d538a9afd406efae54fd59a62165d0 40610 virtualbox-ose-source_4.1.18-dfsg-2_all.deb
3be85bdb176f97cd2b91963e3cd7f03c8a1fed51 40618 virtualbox-ose-guest-dkms_4.1.18-dfsg-2_all.deb
147c85e4b6b4fcec00062ef2f2ac23948f66c243 40620 virtualbox-ose-guest-source_4.1.18-dfsg-2_all.deb
cfaaffba89ccc62e0845e8f948cf8f567767347b 40618 virtualbox-ose-guest-x11_4.1.18-dfsg-2_all.deb
96a66e608200bd19cc2a5d870804062f8ac667d9 40618 virtualbox-ose-guest-utils_4.1.18-dfsg-2_all.deb
56101462bfdb7119bb57dc1a99df98ca431d2681 40610 virtualbox-ose-fuse_4.1.18-dfsg-2_all.deb
Checksums-Sha256:
ed8905e7c463e3eb06aadc6be14eba9ce8b174caeb420d402b4899c8a4ec7877 4099 virtualbox_4.1.18-dfsg-2.dsc
e6551e5532bbda3a05e420027e624801047811b3e925be81d0badf1ace7aba4d 96481 virtualbox_4.1.18-dfsg-2.debian.tar.gz
58b23af9838c631b32ecf6af719796c7027363b43e6f88d028a3682d8d375300 4225194 virtualbox-qt_4.1.18-dfsg-2_amd64.deb
3732022b411add7ae71fb4df03168fc488fff227d74054fa8836a54f2fd241c1 12747362 virtualbox_4.1.18-dfsg-2_amd64.deb
2e347ef272050f4f034c65625a040733b1bdbd05832c4131487e4e9692a71327 51430014 virtualbox-dbg_4.1.18-dfsg-2_amd64.deb
cef5e5b0998b53a0a018239af08624011a8d82514973d3726729432f533894d1 497238 virtualbox-dkms_4.1.18-dfsg-2_all.deb
4956db606109216d9bac1d1bebdd9156611ef4fe1b027463dc2ad6de2a98d6cf 596948 virtualbox-source_4.1.18-dfsg-2_all.deb
7cb7c309dd8639e9be4185f0f82a0845b02c3133b1a451120a1dc19981ec3cf5 435238 virtualbox-guest-dkms_4.1.18-dfsg-2_all.deb
cfb9d8219b5105de483cb87b979f802eb94565398afe6a889d91106763f3b2f2 538314 virtualbox-guest-source_4.1.18-dfsg-2_all.deb
a5bd3fe460a61e11e467a188204f6d859edfb4647bc7d61cceac082c871d6442 853440 virtualbox-guest-x11_4.1.18-dfsg-2_amd64.deb
b4e85a607bf08e65fb6300737e6dd38e6175548e278b5676b094968c74840a49 306866 virtualbox-guest-utils_4.1.18-dfsg-2_amd64.deb
15bf5db9a2f4e81653031f9a6b61be94c44a0a34c06a228707183b093afdc8a1 43532 virtualbox-fuse_4.1.18-dfsg-2_amd64.deb
bc1e51d0864d16bb709bc7f9ac65794b843a090b7ad658988be0b3b4043320ba 40604 virtualbox-ose-qt_4.1.18-dfsg-2_all.deb
42a8fb4db3c597793811b98842981ac10ef04dfd34c3aebaafc06a8700fce125 40598 virtualbox-ose_4.1.18-dfsg-2_all.deb
c254545443dfe8e54e575cc3ae36b8ced3fd2257d73299b2c952aa8505f3500f 40604 virtualbox-ose-dbg_4.1.18-dfsg-2_all.deb
556a5e7e3db9160279b17ba8a12040e7f2c472437ac2706aa0b60a830ab95d51 40608 virtualbox-ose-dkms_4.1.18-dfsg-2_all.deb
fcf8758444d67b34bb266bf52c03e206b501f9a53643fffe4f847088481900bb 40610 virtualbox-ose-source_4.1.18-dfsg-2_all.deb
6c9c7e9ad99c974506af54eb2ae32768c6d0edf774def3ba599d1fa7c6767a5f 40618 virtualbox-ose-guest-dkms_4.1.18-dfsg-2_all.deb
8b0b4a76558ef1465190a18e35653a8fe4d3f89958b563e2939a6656a9673e80 40620 virtualbox-ose-guest-source_4.1.18-dfsg-2_all.deb
30d62c262ddeb3b0b2ed7cb433c7e4ca5ffba9767dcf0fce8feab196fc5349e5 40618 virtualbox-ose-guest-x11_4.1.18-dfsg-2_all.deb
4201ecbf077a7656b2e1914b8b7e939211a3de627597e01de9977923a2d71215 40618 virtualbox-ose-guest-utils_4.1.18-dfsg-2_all.deb
50474b52c6accd5d30333171008e2d25d2d5807134e79f76f9cd6585db94751e 40610 virtualbox-ose-fuse_4.1.18-dfsg-2_all.deb
Files:
53f7341077f616a3f2ba834f28b8ee0a 4099 misc optional virtualbox_4.1.18-dfsg-2.dsc
9f2f866a1e7d696516c4b5b8ab443afb 96481 misc optional virtualbox_4.1.18-dfsg-2.debian.tar.gz
4f9b775af867486781dcbbe39c848262 4225194 misc optional virtualbox-qt_4.1.18-dfsg-2_amd64.deb
b3cd3dd0bc6d62459df251360a1a13fe 12747362 misc optional virtualbox_4.1.18-dfsg-2_amd64.deb
b0dbf37fe913ff55dd73e267dd8315f4 51430014 debug extra virtualbox-dbg_4.1.18-dfsg-2_amd64.deb
4afa9d7ecd223396d9a6ba1a7fcb79ec 497238 kernel optional virtualbox-dkms_4.1.18-dfsg-2_all.deb
a3dbb2f2646821c8bfecd65e8b119a61 596948 kernel optional virtualbox-source_4.1.18-dfsg-2_all.deb
1783b3d3a1ad15ea089cfb53302bd099 435238 kernel optional virtualbox-guest-dkms_4.1.18-dfsg-2_all.deb
b397c1d2e49eccc45c4cc7b06a792e37 538314 kernel optional virtualbox-guest-source_4.1.18-dfsg-2_all.deb
0e415f2dadc44e00f90a7d4eb39646f3 853440 x11 optional virtualbox-guest-x11_4.1.18-dfsg-2_amd64.deb
9a151505562f6cbc2cbcdfcf9664fc0f 306866 misc optional virtualbox-guest-utils_4.1.18-dfsg-2_amd64.deb
4a12c6d3618ae957bdba23b07f288ff7 43532 misc optional virtualbox-fuse_4.1.18-dfsg-2_amd64.deb
3d6dbb47fa8c7948ec9044f8aff20a20 40604 oldlibs extra virtualbox-ose-qt_4.1.18-dfsg-2_all.deb
148ad708a2fa9e8d6f2bbddd53dab089 40598 oldlibs extra virtualbox-ose_4.1.18-dfsg-2_all.deb
41384c724daa2f7ccedaf44bb917e504 40604 oldlibs extra virtualbox-ose-dbg_4.1.18-dfsg-2_all.deb
bde10ebcc4f3d250774d229f4ae95e5b 40608 oldlibs extra virtualbox-ose-dkms_4.1.18-dfsg-2_all.deb
c2de16da989a42d3559ff7b1bfe08e78 40610 oldlibs extra virtualbox-ose-source_4.1.18-dfsg-2_all.deb
0182b675206d69c22fd7816a68cfc416 40618 oldlibs extra virtualbox-ose-guest-dkms_4.1.18-dfsg-2_all.deb
6ccd5667e3561ad22d922564109a7d8b 40620 oldlibs extra virtualbox-ose-guest-source_4.1.18-dfsg-2_all.deb
61b104f7c6911edb6afdf4623a45380f 40618 oldlibs extra virtualbox-ose-guest-x11_4.1.18-dfsg-2_all.deb
b3a23bd2fb6788bd06a71c0f0259e4f5 40618 oldlibs extra virtualbox-ose-guest-utils_4.1.18-dfsg-2_all.deb
6451a7f5ce77f4b4546a77232242f53d 40610 oldlibs extra virtualbox-ose-fuse_4.1.18-dfsg-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBCAAGBQJQ+wBDAAoJEP4ixv2DE11FQ2sQALrR5VKwQFoS0dFE2kR2I3T7
ynWnpzrhY9jFy7dnqSEXozy8wCk92jzyseNrVjd6tl55YjwukyDLvY7GKDbmXicy
oPlGSRzaD+PFaQSCnh0XGjYMqoMhy54pbvsg03UWaR1HQb3H+1ALYX2eoCl6j7YL
Tx1Orm1FlUgkvc+nKvkzolN6yPDp+QqavFVcy8tK7Er3x8+EPVqMmfyuiYvHlrAS
auKfKhFU1qDgmirTdfdx9zuCbaNmuRjKz8AkrgKs2Prjs5sI5jcqLwK1+cw5yhyQ
E/0TWH8UWlbeIpD/uzTjOqNaaUvAIH1aYqNvmkNiCqMm6Jn/LRH8U5btA9xsBI+E
wTs1092Wt1OJE7/gY9V5wYFRQnp3lcffdt8xsCPHPw2XhNhIkcmgMnBlyS4ttOzV
Le+sf/7viEWduy6SaduUXJUSOSTYwEtPDS8jMS05/hhARzxR6oHwutlhTALNFe2x
2jti6wLPrFzitcZ0nZwQwBatTBCifhmf+KqgZvKonlqTr7HOxgZB+o+AR/7FZau3
FePVN7LX89dSCpFUmX0+IPrS2X8kf4x+YBanZHKroO7FKc39ziSEJLeCn7D2u4D1
luqovqzxNXD3Uf/fMUgTPVUcNyMNbXxpa42Six5wQRVZF7OcO37az/mdkpQkA8fb
Tb8pcDo/1+emE3wrp4Uo
=y3Un
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 19 Feb 2013 07:28:12 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:13:33 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon