virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

Debian Bug report logs - #775888

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 21 Jan 2015 07:33:01 UTC

Severity: grave

Tags: patch, security

Found in version virtualbox/4.1.18-dfsg-1

Fixed in versions virtualbox/4.3.18-dfsg-2, virtualbox/4.1.18-dfsg-2+deb7u4, virtualbox/4.3.20-dfsg-1

Done: Ritesh Raj Sarraf <rrs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 07:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 07:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 08:23:40 +0100
Package: virtualbox
Severity: grave
Tags: security
Justification: user security hole

No specific details available yet:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 07:51:09 GMT) (full text, mbox, link).


Acknowledgement sent to rrs@researchut.com:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 07:51:09 GMT) (full text, mbox, link).


Message #10 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@researchut.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 13:15:53 +0530
[Message part 1 (text/plain, inline)]
On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
> Package: virtualbox
> Severity: grave
> Tags: security
> Justification: user security hole
>
> No specific details available yet:
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
>
> Cheers,
>         Moritz
>

The following matrix is what I could grab.

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR

CVE-2014-6595 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6588 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6589 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2014-6590 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2015-0427 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
CVE-2015-0418 | Oracle VM VirtualBox | None | Core | No | 2.1 | Local | Low | None | None | None | Partial+ | VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28 |

*Notes:*

 1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
 2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
    CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
 3. VMSVGA virtual graphics device is not documented and is disabled by
    default.



@Moritz: There's nothing more detailed than the statement that all
versions prior to 4.3.20 are vulnerable.
4.3.20 is in experimental right now.


-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."

[Message part 2 (text/html, inline)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 08:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 08:03:04 GMT) (full text, mbox, link).


Message #15 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ritesh Raj Sarraf <rrs@researchut.com>
Cc: 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 08:53:37 +0100
On Wed, Jan 21, 2015 at 01:15:53PM +0530, Ritesh Raj Sarraf wrote:
> On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
> > Package: virtualbox
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > No specific details available yet:
> > http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> >
> > Cheers,
> >         Moritz
> >
> 
> The following matrix is what I could grab.
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR
> 
> CVE-2014-6595 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
> CVE-2014-6588 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
> CVE-2014-6589 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
> CVE-2014-6590 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
> CVE-2015-0427 | Oracle VM VirtualBox | None | VMSVGA device | No | 3.2 | Local | Low | Single | None | Partial+ | Partial+ | VirtualBox prior to 4.3.20 | See Note 3
> CVE-2015-0418 | Oracle VM VirtualBox | None | Core | No | 2.1 | Local | Low | None | None | None | Partial+ | VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28 |
> 
> *Notes:*
> 
>  1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
>  2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
>     CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
>  3. VMSVGA virtual graphics device is not documented and is disabled by
>     default.
> 
> @Moritz: There's nothing more detailed than the statement that all
> versions prior to 4.3.20 are vulnerable.
> 4.3.20 is in experimental right now.

In the past someone from upstream posted the upstream commits to the
bug log, maybe you can contact them for more information so that
we can merge the isolated fixes into the jessie version?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 09:12:12 GMT) (full text, mbox, link).


Acknowledgement sent to Ritesh Raj Sarraf <rrs@researchut.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 09:12:12 GMT) (full text, mbox, link).


Message #20 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@researchut.com>
To: "Muehlenhoff, Moritz" <jmm@inutil.org>
Cc: 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 14:38:36 +0530
[Message part 1 (text/plain, inline)]
Yes. We'll talk to the upstream folks.

s3nt fr0m a $martph0ne, excuse typ0s
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 14:30:12 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 14:30:12 GMT) (full text, mbox, link).


Message #25 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Frank Mehnert <frank.mehnert@oracle.com>, "vbox-dev@virtualbox.org" <vbox-dev@virtualbox.org>, "rrs@researchut.com" <rrs@researchut.com>
Cc: "debian-bugs-dist@lists.debian.org" <debian-bugs-dist@lists.debian.org>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Subject: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 14:28:53 +0000 (UTC)
Hi Frank




>Most of the CVEs from that CPU are related to the experimental VMSVGA
>implementation. This code is not documented and not announced and
>regular users will not use it. Therefore I suggest you just disable
>that code by setting
>
>  VBOX_WITH_VMSVGA=
>  VBOX_WITH_VMSVGA3D=
>
>This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
>CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
>lengthy, therefore disabling this code is IMO the best solution.


I presume starting from version 4.0 everything needs to be patched by disabling it?

>CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
>CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)


do you have any patch for <= 4.2.x then?

we have in the archive (debian and ubuntu)

4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18

4.3.20 (not affected at all I presume)

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Head office: Riesstr. 25, D-80992 München
Court of registration: Amtsgericht München, HRA 95603
Managing director: Jürgen Kunz

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Niederlande, No. 30143697
Managing directors: Alexander van der Ven, Astrid Kepper, Val Maher



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 15:06:07 GMT) (full text, mbox, link).


Acknowledgement sent to Frank Mehnert <frank.mehnert@oracle.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 15:06:08 GMT) (full text, mbox, link).


Message #30 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Frank Mehnert <frank.mehnert@oracle.com>
To: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Cc: "vbox-dev@virtualbox.org" <vbox-dev@virtualbox.org>, "rrs@researchut.com" <rrs@researchut.com>, "debian-bugs-dist@lists.debian.org" <debian-bugs-dist@lists.debian.org>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Subject: Re: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 16:03:14 +0100
[Message part 1 (text/plain, inline)]
Hi Gianfranco,

On Wednesday 21 January 2015 14:28:53 Gianfranco Costamagna wrote:
> >Most of the CVEs from that CPU are related to the experimental VMSVGA
> >implementation. This code is not documented and not announced and
> >regular users will not use it. Therefore I suggest you just disable
> >that code by setting
> >
> >  VBOX_WITH_VMSVGA=
> >  VBOX_WITH_VMSVGA3D=
> >
> >This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
> >CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
> >lengthy, therefore disabling this code is IMO the best solution.
> 
> I presume starting from version 4.0 everything needs to be patched by
> disabling it?

that code does only exist in VBox 4.3.x, older branches are not affected.

> >CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
> >CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
> 
> do you have any patch for <= 4.2.x then?

Attached.

> 4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18

These patches are against the latest code in the respective branches but
I hope they apply to these old versions. Sorry but it's not possible to
support such old versions, we only support the latest versions of a
specific branch.

> 4.3.20 (not affected at all I presume)

Correct, already contains fixes for all these problems.

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Head office: Riesstr. 25, D-80992 München
Court of registration: Amtsgericht München, HRA 95603
Managing director: Jürgen Kunz

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Niederlande, No. 30143697
Managing directors: Alexander van der Ven, Astrid Kepper, Val Maher
[diff_vbox_3.2_cve_2015_0377 (text/x-patch, attachment)]
[diff_vbox_3.2_cve_2015_0418 (text/x-patch, attachment)]
[diff_vbox_4.0_cve_2015_0377 (text/x-patch, attachment)]
[diff_vbox_4.0_cve_2015_0418 (text/x-patch, attachment)]
[diff_vbox_4.1_cve_2015_0377 (text/x-patch, attachment)]
[diff_vbox_4.1_cve_2015_0418 (text/x-patch, attachment)]
[diff_vbox_4.2_cve_2015_0377 (text/x-patch, attachment)]
[diff_vbox_4.2_cve_2015_0418 (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 15:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 15:42:04 GMT) (full text, mbox, link).


Message #35 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Frank Mehnert <frank.mehnert@oracle.com>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Cc: "vbox-dev@virtualbox.org" <vbox-dev@virtualbox.org>, "rrs@researchut.com" <rrs@researchut.com>, "debian-bugs-dist@lists.debian.org" <debian-bugs-dist@lists.debian.org>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Subject: Re: Bug#775888: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 15:39:44 +0000 (UTC)
Hi Frank,



>that code does only exist in VBox 4.3.x, older branches are not affected.

wonderful
>Attached.


wonderful
>These patches are against the latest code in the respective branches but
>I hope they apply to these old versions. Sorry but it's not possible to
>support such old versions, we only support the latest versions of a
>specific branch.

Of course, there is absolutely no problem in adapting them :)

>Correct, already contains fixes for all these problems.
wonderful


have many thanks,

Gianfranco



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 15:42:08 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 15:42:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Wed, 21 Jan 2015 16:09:10 GMT) (full text, mbox, link).


Acknowledgement sent to Frank Mehnert <frank.mehnert@oracle.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Wed, 21 Jan 2015 16:09:10 GMT) (full text, mbox, link).


Message #45 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Frank Mehnert <frank.mehnert@oracle.com>
To: vbox-dev@virtualbox.org, rrs@researchut.com
Cc: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>, debian-bugs-dist@lists.debian.org, 775888@bugs.debian.org
Subject: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Wed, 21 Jan 2015 14:51:31 +0100
Hi,

On Wednesday 21 January 2015 18:55:40 Ritesh Raj Sarraf wrote:
> The recently declared CVEs for VBox have fixes mentioned only in the
> 4.3.20 release.
> 
> Debian Jessie is frozen, and for it, we have targeted the 4.3.18
> release. Do you have the broken out patches that fix the vulnerabilities ?

Most of the CVEs from that CPU are related to the experimental VMSVGA
implementation. This code is not documented and not announced and
regular users will not use it. Therefore I suggest you just disable
that code by setting

  VBOX_WITH_VMSVGA=
  VBOX_WITH_VMSVGA3D=

This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
lengthy, therefore disabling this code is IMO the best solution.

CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
CVE-2014-0224: this is related to OpenSSL and therefore not a problem for
               Linux distributions as you compile your code against the
               distro-specific OpenSSL implementation.

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Head office: Riesstr. 25, D-80992 München
Court of registration: Amtsgericht München, HRA 95603
Managing director: Jürgen Kunz

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Niederlande, No. 30143697
Managing directors: Alexander van der Ven, Astrid Kepper, Val Maher



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Thu, 22 Jan 2015 13:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Thu, 22 Jan 2015 13:42:04 GMT) (full text, mbox, link).


Message #50 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Frank Mehnert <frank.mehnert@oracle.com>, "vbox-dev@virtualbox.org" <vbox-dev@virtualbox.org>, "rrs@researchut.com" <rrs@researchut.com>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Cc: "debian-bugs-dist@lists.debian.org" <debian-bugs-dist@lists.debian.org>
Subject: Re: Bug#775888: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Thu, 22 Jan 2015 13:39:03 +0000 (UTC)
[Message part 1 (text/plain, inline)]
Hi all,

so to sum everything up:

experimental: NOT AFFECTED.
jessie: fixed all of them by disabling the code (attached jessie-debdiff)

wheezy: fixed CVE-2015-0377, CVE-2015-0418

wheezy-bpo: I propose to backport the new 4.3.18 into bpo when it reaches testing.
squeeze: no virtualbox there

squeeze-bpo: I propose to backport kbuild and then virtualbox 4.1 or 4.3 from wheezy-jessie.

Attached the debdiffs



thanks again Frank for your help!

cheers,

Gianfranco
[wheezy-debdiff (application/octet-stream, attachment)]
[jessie-debdiff (application/octet-stream, attachment)]
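
The affected-version rules stated in this thread (the Oracle matrix quoted in message #10 and the upstream replies), written out as a triage helper over the archive versions listed in message #25. This is an added example, not part of the bug log and not Debian or Oracle tooling; the function names and the `vmsvga_compiled_in` and `core_patch_applied` parameters are assumptions, and only upstream version numbers are compared, not Debian revisions.

```python
import re

# Scope rules as stated in the thread:
#   * The five VMSVGA CVEs: the code exists only in the 4.3.x branch, is fixed
#     in 4.3.20, and is absent from a build made with
#     VBOX_WITH_VMSVGA= VBOX_WITH_VMSVGA3D=.
#   * CVE-2015-0418: 4.2.x and older, fixed in 3.2.26, 4.0.28, 4.1.36, 4.2.28.
# CVE-2015-0377 is left out: the thread gives its branch scope but no fixed
# release numbers to compare against.
VMSVGA_CVES = (
    "CVE-2014-6588",
    "CVE-2014-6589",
    "CVE-2014-6590",
    "CVE-2014-6595",
    "CVE-2015-0427",
)
VMSVGA_BRANCH = (4, 3)
VMSVGA_FIXED_PATCHLEVEL = 20

CORE_CVE = "CVE-2015-0418"
CORE_FIXED_PATCHLEVEL = {(3, 2): 26, (4, 0): 28, (4, 1): 36, (4, 2): 28}
FIRST_UNAFFECTED_CORE_BRANCH = (4, 3)

# Versions named in message #25 as present in the Debian and Ubuntu archives.
ARCHIVE_VERSIONS = ["4.0.10", "4.1.12", "4.1.18", "4.3.10", "4.3.14", "4.3.18", "4.3.20"]

# Accepts plain upstream versions and Debian-style ones such as "4.3.18-dfsg-2".
_VERSION_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)\.(\d+)")


def parse_upstream(version):
    """Return (major, minor, patch) of the upstream part of a version string."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"not a VirtualBox version: {version!r}")
    return tuple(int(part) for part in match.groups())


def affected_cves(version, vmsvga_compiled_in=True, core_patch_applied=False):
    """List the CVEs from this bug that apply to one build.

    vmsvga_compiled_in (assumed name): False for a build with the two
    VBOX_WITH_VMSVGA* variables set empty, as in the 4.3.18-dfsg-2 changelog.
    core_patch_applied (assumed name): True when the per-branch patch for
    CVE-2015-0418 has been backported onto an older upstream version.
    """
    major, minor, patch = parse_upstream(version)
    branch = (major, minor)
    found = []

    if (branch == VMSVGA_BRANCH
            and patch < VMSVGA_FIXED_PATCHLEVEL
            and vmsvga_compiled_in):
        found.extend(VMSVGA_CVES)

    if branch < FIRST_UNAFFECTED_CORE_BRANCH and not core_patch_applied:
        fixed = CORE_FIXED_PATCHLEVEL.get(branch)
        # A branch with no listed fixed release is treated as still affected.
        if fixed is None or patch < fixed:
            found.append(CORE_CVE)

    return sorted(found)


def triage(versions):
    """Map each version string to the CVEs that apply to an unpatched build."""
    return {version: affected_cves(version) for version in versions}


if __name__ == "__main__":
    for version, cves in triage(ARCHIVE_VERSIONS).items():
        print(f"{version:8} {', '.join(cves) if cves else 'not affected'}")
```
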

Marked as fixed in versions virtualbox/4.3.20-dfsg-1. Request was from Gianfranco Costamagna <costamagnagianfranco@yahoo.it> to control@bugs.debian.org. (Thu, 22 Jan 2015 13:51:13 GMT) (full text, mbox, link).


Added tag(s) patch. Request was from Gianfranco Costamagna <costamagnagianfranco@yahoo.it> to control@bugs.debian.org. (Thu, 22 Jan 2015 13:51:14 GMT) (full text, mbox, link).


Reply sent to Ritesh Raj Sarraf <rrs@debian.org>:
You have taken responsibility. (Mon, 26 Jan 2015 15:27:13 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 26 Jan 2015 15:27:13 GMT) (full text, mbox, link).


Message #59 received at 775888-close@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@debian.org>
To: 775888-close@bugs.debian.org
Subject: Bug#775888: fixed in virtualbox 4.3.18-dfsg-2
Date: Mon, 26 Jan 2015 15:22:05 +0000
Source: virtualbox
Source-Version: 4.3.18-dfsg-2

We believe that the bug you reported is fixed in the latest version of
virtualbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <rrs@debian.org> (supplier of updated virtualbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 22 Jan 2015 10:51:40 +0100
Source: virtualbox
Binary: virtualbox-qt virtualbox virtualbox-dbg virtualbox-dkms virtualbox-source virtualbox-guest-dkms virtualbox-guest-source virtualbox-guest-x11 virtualbox-guest-utils
Architecture: source amd64 all
Version: 4.3.18-dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Changed-By: Ritesh Raj Sarraf <rrs@debian.org>
Description:
 virtualbox - x86 virtualization solution - base binaries
 virtualbox-dbg - x86 virtualization solution - debugging symbols
 virtualbox-dkms - x86 virtualization solution - kernel module sources for dkms
 virtualbox-guest-dkms - x86 virtualization solution - guest addition module source for dk
 virtualbox-guest-source - x86 virtualization solution - guest addition module source
 virtualbox-guest-utils - x86 virtualization solution - non-X11 guest utilities
 virtualbox-guest-x11 - x86 virtualization solution - X11 guest utilities
 virtualbox-qt - x86 virtualization solution - Qt based user interface
 virtualbox-source - x86 virtualization solution - kernel module source
Closes: 775888
Changes:
 virtualbox (4.3.18-dfsg-2) unstable; urgency=high
 .
   [ Frank Mehnert ]
   * d/rules: Disable experimental code by exporting
     VBOX_WITH_VMSVGA= VBOX_WITH_VMSVGA3D=
     this fixes CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
     CVE-2014-6588 and CVE-2015-0427. (Closes: #775888)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Mon, 26 Jan 2015 15:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to rrs@researchut.com:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Mon, 26 Jan 2015 15:42:05 GMT) (full text, mbox, link).


Message #64 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@researchut.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Mon, 26 Jan 2015 21:07:19 +0530
[Message part 1 (text/plain, inline)]
On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
> In the past someone from upstream posted the upstream commits to the
> bug log, maybe you can contact them for more information so that we
> can merge the isolated fixes into the jessie version? Cheers, Moritz 

Moritz,

For unstable, I've pushed the upload and asked for an exception.

For Wheezy, it is building right now. Once the build is complete, I'll
push it to s-p-u. And send you the debdiff.



-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."

[Message part 2 (text/html, inline)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Mon, 26 Jan 2015 15:48:10 GMT) (full text, mbox, link).


Acknowledgement sent to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Mon, 26 Jan 2015 15:48:10 GMT) (full text, mbox, link).


Message #69 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Mon, 26 Jan 2015 21:14:55 +0530
[Message part 1 (text/plain, inline)]
On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
> On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
>> In the past someone from upstream posted the upstream commits to the
>> bug log, maybe you can contact them for more information so that we
>> can merge the isolated fixes into the jessie version? Cheers, Moritz 
>
> Moritz,
>
> For unstable, I've pushed the upload and asked for an exception.
>
> For Wheezy, it is building right now. Once the build is complete, I'll
> push it to s-p-u. And send you the debdiff.

Please find attached the debdiff. Please give me an ACK, and then I'll
do the upload.

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

[Message part 2 (text/html, inline)]
[wheezy-vbox.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Mon, 26 Jan 2015 17:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Mon, 26 Jan 2015 17:24:05 GMT) (full text, mbox, link).


Message #74 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Ritesh Raj Sarraf <rrs@researchut.com>
Cc: 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Mon, 26 Jan 2015 18:21:25 +0100
On Mon, Jan 26, 2015 at 09:07:19PM +0530, Ritesh Raj Sarraf wrote:
> On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
> > In the past someone from upstream posted the upstream commits to the
> > bug log, maybe you can contact them for more information so that we
> > can merge the isolated fixes into the jessie version? Cheers, Moritz 
> 
> Moritz,
> 
> For unstable, I've pushed the upload and asked for an exception.

I've added the VMSVGA fixes to the security tracker, but there are also
two issues in "Core", which apply to wheezy/jessie:

Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 09:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 09:33:05 GMT) (full text, mbox, link).


Message #79 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 14:58:14 +0530
[Message part 1 (text/plain, inline)]
On 01/26/2015 10:51 PM, Moritz Mühlenhoff wrote:
>> Moritz,
>> > 
>> > For unstable, I've pushed the upload and asked for an exception.
> I've added the VMSVGA fixes to the security tracker, but there are also
> two issues in "Core", which apply to wheezy/jessie:
>
> Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?
>
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Frank from Oracle had mentioned that those 2 CVEs do not affect 4.3.x.
(Please see attached email).

For Wheezy, those CVE patches are included.


To quote Frank and Gianfranco's conversation:
>> CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
>> CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
> do you have any patch for <= 4.2.x then?

Attached.



-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

[Message part 2 (text/html, inline)]
[Attached Message (message/rfc822, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 09:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 09:57:04 GMT) (full text, mbox, link).


Message #84 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Moritz Mühlenhoff <jmm@inutil.org>, Ritesh Raj Sarraf <rrs@researchut.com>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 09:53:45 +0000 (UTC)
Hi Moritz, please read carefully this thread :)


>Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?

jessie is not affected, and wheezy has already the patch on this thread

the two CVEs are for VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28

so 4.3 not affected.


Since jessie is already pending fixed, I propose to go for wheezy with the above one.
cheers,

G.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 10:24:08 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 10:24:08 GMT) (full text, mbox, link).


Message #89 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Ritesh Raj Sarraf <rrs@researchut.com>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 11:21:16 +0100
On Tue, Jan 27, 2015 at 09:53:45AM +0000, Gianfranco Costamagna wrote:
> Hi Moritz, please read carefully this thread :)
> 
> 
> >Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?
> 
> jessie is not affected, and wheezy has already the patch on this thread
> 
> the two CVEs are for VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28
> 
> so 4.3 not affected.
> 
> 
> Since jessie is already pending fixed, I propose to go for wheezy with the above one.
> cheers,

Thanks, I've updated the security tracker.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 10:24:12 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 10:24:12 GMT) (full text, mbox, link).


Message #94 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Ritesh Raj Sarraf <rrs@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 11:21:53 +0100
On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
> On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
> > On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
> >> In the past someone from upstream posted the upstream commits to the
> >> bug log, maybe you can contact them for more information so that we
> >> can merge the isolated fixes into the jessie version? Cheers, Moritz 
> >
> > Moritz,
> >
> > For unstable, I've pushed the upload and asked for an exception.
> >
> > For Wheezy, it is building right now. Once the build is complete, I'll
> > push it to s-p-u. And send you the debdiff.
> 
> Please find attached the debdiff. Please give me an ACK, and then I'll
> do the upload.

Looks good to me. Please upload to security-master, I'll take care of
the update.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 12:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Aron Xu <happyaron.xu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 12:57:04 GMT) (full text, mbox, link).


Message #99 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Aron Xu <happyaron.xu@gmail.com>
To: Moritz Mühlenhoff <jmm@inutil.org>, 775888@bugs.debian.org
Cc: Ritesh Raj Sarraf <rrs@debian.org>, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 20:54:20 +0800
I'll follow-up in wheezy-backports this weekend, at that time it
should land in jessie already.

Best,
Aron

On Tue, Jan 27, 2015 at 6:21 PM, Moritz Mühlenhoff <jmm@inutil.org> wrote:
> On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
>> On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
>> > On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
>> >> In the past someone from upstream posted the upstream commits to the
>> >> bug log, maybe you can contact them for more information so that we
>> >> can merge the isolated fixes into the jessie version? Cheers, Moritz
>> >
>> > Moritz,
>> >
>> > For unstable, I've pushed the upload and asked for an exception.
>> >
>> > For Wheezy, it is building right now. Once the build is complete, I'll
>> > push it to s-p-u. And send you the debdiff.
>>
>> Please find attached the debdiff. Please give me an ACK, and then I'll
>> do the upload.
>
> Looks good to me. Please upload to security-master, I'll take care of
> the update.
>
> Cheers,
>         Moritz
>



-- 
Regards,
Aron Xu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 13:30:08 GMT) (full text, mbox, link).


Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 13:30:08 GMT) (full text, mbox, link).


Message #104 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: Aron Xu <happyaron.xu@gmail.com>, Moritz Mühlenhoff <jmm@inutil.org>, "775888@bugs.debian.org" <775888@bugs.debian.org>
Cc: Ritesh Raj Sarraf <rrs@debian.org>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 13:26:23 +0000 (UTC)
Hi Aron,
can you please also followup on squeeze-bpo?
(might need a kbuild backport to make it build)

cheers,

(thanks)

G.





On Tuesday, 27 January 2015 13:57, Aron Xu <happyaron.xu@gmail.com> wrote:
I'll follow-up in wheezy-backports this weekend, at that time it
should land in jessie already.

Best,
Aron


On Tue, Jan 27, 2015 at 6:21 PM, Moritz Mühlenhoff <jmm@inutil.org> wrote:
> On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
>> On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
>> > On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
>> >> In the past someone from upstream posted the upstream commits to the
>> >> bug log, maybe you can contact them for more information so that we
>> >> can merge the isolated fixes into the jessie version? Cheers, Moritz
>> >
>> > Moritz,
>> >
>> > For unstable, I've pushed the upload and asked for an exception.
>> >
>> > For Wheezy, it is building right now. Once the build is complete, I'll
>> > push it to s-p-u. And send you the debdiff.
>>
>> Please find attached the debdiff. Please give me an ACK, and then I'll
>> do the upload.
>
> Looks good to me. Please upload to security-master, I'll take care of
> the update.
>
> Cheers,
>         Moritz
>



-- 
Regards,
Aron Xu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 13:30:11 GMT) (full text, mbox, link).


Acknowledgement sent to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 13:30:11 GMT) (full text, mbox, link).


Message #109 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 775888@bugs.debian.org, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 18:56:31 +0530
[Message part 1 (text/plain, inline)]
On 01/27/2015 03:51 PM, Moritz Mühlenhoff wrote:
>> Please find attached the debdiff. Please give me an ACK, and then I'll
>> > do the upload.
> Looks good to me. Please upload to security-master, I'll take care of
> the update.

Thanks Moritz. The upload is done.

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#775888; Package virtualbox. (Tue, 27 Jan 2015 13:45:09 GMT) (full text, mbox, link).


Acknowledgement sent to Aron Xu <happyaron.xu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>. (Tue, 27 Jan 2015 13:45:09 GMT) (full text, mbox, link).


Message #114 received at 775888@bugs.debian.org (full text, mbox, reply):

From: Aron Xu <happyaron.xu@gmail.com>
To: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, "775888@bugs.debian.org" <775888@bugs.debian.org>, Ritesh Raj Sarraf <rrs@debian.org>
Subject: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
Date: Tue, 27 Jan 2015 21:43:28 +0800
I'll check, if that's not too complicated I'll do it.

Cheers,
Aron



Reply sent to Ritesh Raj Sarraf <rrs@debian.org>:
You have taken responsibility. (Thu, 29 Jan 2015 21:21:09 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 29 Jan 2015 21:21:10 GMT) (full text, mbox, link).


Message #119 received at 775888-close@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@debian.org>
To: 775888-close@bugs.debian.org
Subject: Bug#775888: fixed in virtualbox 4.1.18-dfsg-2+deb7u4
Date: Thu, 29 Jan 2015 21:17:09 +0000
Source: virtualbox
Source-Version: 4.1.18-dfsg-2+deb7u4

We believe that the bug you reported is fixed in the latest version of
virtualbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <rrs@debian.org> (supplier of updated virtualbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Jan 2015 14:21:14 +0100
Source: virtualbox
Binary: virtualbox-qt virtualbox virtualbox-dbg virtualbox-dkms virtualbox-source virtualbox-guest-dkms virtualbox-guest-source virtualbox-guest-x11 virtualbox-guest-utils virtualbox-fuse virtualbox-ose-qt virtualbox-ose virtualbox-ose-dbg virtualbox-ose-dkms virtualbox-ose-source virtualbox-ose-guest-dkms virtualbox-ose-guest-source virtualbox-ose-guest-x11 virtualbox-ose-guest-utils virtualbox-ose-fuse
Architecture: source amd64 all
Version: 4.1.18-dfsg-2+deb7u4
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Changed-By: Ritesh Raj Sarraf <rrs@debian.org>
Description: 
 virtualbox - x86 virtualization solution - base binaries
 virtualbox-dbg - x86 virtualization solution - debugging symbols
 virtualbox-dkms - x86 virtualization solution - kernel module sources for dkms
 virtualbox-fuse - x86 virtualization solution - virtual filesystem
 virtualbox-guest-dkms - x86 virtualization solution - guest addition module source for dk
 virtualbox-guest-source - x86 virtualization solution - guest addition module source
 virtualbox-guest-utils - x86 virtualization solution - non-X11 guest utilities
 virtualbox-guest-x11 - x86 virtualization solution - X11 guest utilities
 virtualbox-ose - transitional package for virtualbox
 virtualbox-ose-dbg - transitional package for virtualbox-dbg
 virtualbox-ose-dkms - transitional package for virtualbox-dkms
 virtualbox-ose-fuse - transitional package for virtualbox-fuse
 virtualbox-ose-guest-dkms - transitional package for virtualbox-guest-dkms
 virtualbox-ose-guest-source - transitional package for virtualbox-guest-source
 virtualbox-ose-guest-utils - transitional package for virtualbox-guest-utils
 virtualbox-ose-guest-x11 - transitional package for virtualbox-guest-x11
 virtualbox-ose-qt - transitional package for virtualbox-qt
 virtualbox-ose-source - transitional package for virtualbox-source
 virtualbox-qt - x86 virtualization solution - Qt based user interface
 virtualbox-source - x86 virtualization solution - kernel module source
Closes: 775888
Changes: 
 virtualbox (4.1.18-dfsg-2+deb7u4) wheezy-security; urgency=medium
 .
   [ Frank Mehnert ]
   * fix security vulnerabilities (Closes: #775888)
      CVE-2015-0377, CVE-2015-0418
      - debian/patches/CVE-2015-0{377,418}.patch




Marked as found in versions virtualbox/4.1.18-dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 May 2015 03:54:11 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Jun 2015 07:34:11 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:44:38 2019; Machine Name: beach
