Bug 507824 (CVE-2014-2441) - <app-emulation/virtualbox-{bin,additions,extpack-oracle,guest-additions,modules}-4.2.24, <x11-drivers/xf86-video-virtualbox-4.2.24: Graphics Driver(WDDM) Vulnerability (CVE-2014-2441)
Status: RESOLVED FIXED
Alias: CVE-2014-2441
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57937/
Whiteboard: B3 [noglsa]
Reported: 2014-04-16 12:37 UTC by Agostino Sarubbo
Modified: 2014-08-04 19:15 UTC
Description Agostino Sarubbo gentoo-dev 2014-04-16 12:37:10 UTC
From ${URL} :

Description

A vulnerability has been reported in Oracle VM VirtualBox, which can be exploited by malicious, local users to disclose sensitive information, manipulate certain data, and cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "Graphics driver(WDDM) for Windows guests" component and can be exploited to disclose, update, insert, or delete certain data and to cause a crash.

The vulnerability is reported in versions prior to 4.1.32, 4.2.24, and 4.3.10.


Solution:
Apply update.

Further details available to Secunia VIM customers

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2014 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixOVIR


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-16 12:51:37 UTC
Arches please test and mark stable the following set of packages:

=app-emulation/virtualbox-4.2.24
=app-emulation/virtualbox-additions-4.2.24
=app-emulation/virtualbox-bin-4.2.24
=app-emulation/virtualbox-extpack-oracle-4.2.24
=app-emulation/virtualbox-guest-additions-4.2.24
=app-emulation/virtualbox-modules-4.2.24
=x11-drivers/xf86-video-virtualbox-4.2.24

Target keywords are:
amd64 x86
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:51:09 UTC
CVE-2014-2441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2441):
  Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle
  Virtualization VirtualBox before 4.1.32, 4.2.24, and 4.3.10 allows local
  users to affect confidentiality, integrity, and availability via vectors
  related to Graphics driver (WDDM) for Windows guests.
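
The affected ranges quoted in the description and in Comment 2 are per release branch, so a plain "older than 4.3.10" comparison misclassifies 4.2.24 and 4.1.32. The following is an added example, not part of the bug report or of any Gentoo tooling: a branch-aware check in POSIX sh, where the function name `vbox_status` and the result strings are hypothetical, and treating branches newer than 4.3 as fixed is an assumption.

```shell
#!/bin/sh
# Added example. Fixed releases are the ones quoted in this bug:
# 4.1.32, 4.2.24 and 4.3.10. Everything else here is constructed.

# vbox_status VERSION -> prints vulnerable | fixed | no-fix-listed | unknown
# The body runs in a subshell so the IFS change does not leak to the caller.
vbox_status() (
    ver=${1%%-r[0-9]*}   # drop a Gentoo revision suffix such as -r1
    ver=${ver%%_*}       # drop suffixes such as _p1 or _rc2
    case "$ver" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    IFS=.
    set -- $ver          # split MAJOR.MINOR.PATCH into $1 $2 $3
    [ "$#" -ge 3 ] || { echo unknown; return 0; }
    case "$1.$2" in
        4.1) fixed=32 ;;
        4.2) fixed=24 ;;
        4.3) fixed=10 ;;
        *)
            # Assumption: branches newer than 4.3 carry the fix; for older
            # branches the page names no fixed release at all.
            if [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -gt 3 ]; }; then
                echo fixed
            else
                echo no-fix-listed
            fi
            return 0 ;;
    esac
    if [ "$3" -lt "$fixed" ]; then echo vulnerable; else echo fixed; fi
)

# Constructed sample versions, one per case.
for v in 4.1.30 4.2.22-r1 4.2.24 4.3.10 4.0.12; do
    printf '%s\t%s\n' "$v" "$(vbox_status "$v")"
done
```
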
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-08 09:44:02 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-06-08 09:44:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-06-17 23:14:20 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

GLSA Vote: No
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-08-01 03:01:49 UTC
Maintainer(s), Thank you for cleanup!
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-04 19:15:32 UTC
NO too, closing. Thank you, everyone!