Bug 245958 (CVE-2008-5256)

Summary: app-emulation/virtualbox-? Insecure temp file usage (CVE-2008-5256)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: flameeyes, jokey, swapon
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504149
Whiteboard: ~3 [ebuild]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-11-07 13:12:48 UTC
Paul Wise of Debian wrote:
By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can
overwrite any file owned by any user who starts virtualbox. Starting and
then exiting virtualbox is enough to trigger this, you don't need to
start any virtual machines.

In addition to this, it is a really stupid idea to put dotfiles in /tmp
and this should be fixed too.

In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/
when exiting, which is just rude.
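
A defensive illustration of the fix class for this bug, added here and not code from VirtualBox or from the ebuild patch: a lock-file acquisition that refuses to go through a symlink planted at the lock path, plus a sandboxed self-check in a freshly created 0700 directory (the directory, link and target names are constructed; function names are hypothetical; assumes a POSIX system).

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Negative result codes returned by acquire_lock_safely() when no fd is obtained. */
enum { LOCK_OK = 0, LOCK_SYMLINK = -1, LOCK_BAD_DIR = -2, LOCK_BUSY = -3, LOCK_ERR = -4 };

/* Create "<dir>/lock" without ever following a symlink planted at that path.
   Returns an open fd (>= 0) on success or a negative LOCK_* code. */
int acquire_lock_safely(const char *dir)
{
    struct stat st;
    /* The lock directory must be a real directory (not a symlink), owned by the caller
       and not group/world writable; otherwise another local user can plant entries in it. */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return LOCK_BAD_DIR;
    if (st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) return LOCK_BAD_DIR;
    char path[4096];
    snprintf(path, sizeof path, "%s/lock", dir);
    /* O_EXCL makes open() fail with EEXIST if anything, a symlink included, already sits
       at the path, so a dangling link never gets its target created; O_NOFOLLOW (ELOOP)
       is belt and braces. Opening with O_CREAT alone would follow the link to its target. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) return fd;
    if (errno == ELOOP) return LOCK_SYMLINK;
    if (errno != EEXIST) return LOCK_ERR;
    return (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) ? LOCK_SYMLINK : LOCK_BUSY;
}

/* Demo (constructed sandbox): in a fresh 0700 directory optionally plant a dangling
   symlink "lock" -> "victim" and report what acquire_lock_safely() does about it. */
int demo(int plant_symlink)
{
    char dir[] = "/tmp/lockdemo-XXXXXX", path[4200], victim[4200];
    if (!mkdtemp(dir)) return LOCK_ERR;                 /* mkdtemp creates mode 0700 */
    snprintf(path, sizeof path, "%s/lock", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (plant_symlink && symlink(victim, path) != 0) return LOCK_ERR;
    int rc = acquire_lock_safely(dir);
    if (rc >= 0) { close(rc); rc = LOCK_OK; }
    if (access(victim, F_OK) == 0) rc = LOCK_ERR;       /* the link target must never appear */
    unlink(path); rmdir(dir);
    return rc;
}

int main(void) { printf("clean dir: %d, planted symlink: %d\n", demo(0), demo(1)); return 0; }
```

The second run reports LOCK_SYMLINK and leaves the link target untouched, which is exactly the behaviour a fixed AcquireDaemonLock needs; note that a private, non-world-writable per-user directory is what makes the directory check pass at all.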
Comment 2 Alessio Cassibba (X-Drum) 2008-11-10 01:01:20 UTC
Thanks for pointing this out, Robert,

the attached patch can be applied to 1.6.6 and 2.x ebuilds as well,
(as reported by upstream). I just updated the ebuilds on jokey's overlay.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-25 11:37:04 UTC
*** Bug 248750 has been marked as a duplicate of this bug. ***
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-11-25 11:42:28 UTC
jokey, are you going to merge the contents of the overlay into the tree?
Comment 5 Alessio Cassibba (X-Drum) 2008-11-26 23:01:08 UTC
virtualbox-* 2.0.6 ebuild bumped on jokey's overlay[1],
the patch is not needed for this release because upstream
already included these changes (as reported in their Changelog[2]).

[1] http://overlays.gentoo.org/dev/jokey
[2] http://www.virtualbox.org/wiki/Changelog
Comment 6 stupendoussteve 2008-11-27 04:46:00 UTC
CVE-2008-5256 is out now:
The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek
VirtualBox before 2.0.6 allows local users to overwrite arbitrary files
via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary file.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-27 15:02:25 UTC
CVE-2008-5256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5256):
  The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek
  VirtualBox before 2.0.6 allows local users to overwrite arbitrary
  files via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary
  file.

Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-27 15:09:04 UTC
Whoops. I updated the topic via script and did not see your comment...
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-18 12:48:32 UTC
I've committed Alessio's ebuilds to portage just now.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 23:07:41 UTC
Closing as it's just ~3.