|Summary:||app-emulation/virtualbox-? Insecure temp file usage (CVE-2008-5256)|
|Product:||Gentoo Security||Reporter:||Robert Buchholz (RETIRED) <rbu>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||trivial||CC:||flameeyes, jokey, swapon|
|Package list:||Runtime testing required:||---|
Description Robert Buchholz (RETIRED) 2008-11-07 13:12:48 UTC
Paul Wise of Debian wrote:

By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can overwrite any file owned by any user who starts virtualbox. Starting and then exiting virtualbox is enough to trigger this, you don't need to start any virtual machines.

In addition to this, it is a really stupid idea to put dotfiles in /tmp and this should be fixed too.

In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/ when exiting, which is just rude.
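The defensive pattern for a per-user lock file in a shared directory such as /tmp, as an added example that is not part of the original report and is neither VirtualBox code nor the upstream patch. The name `acquire_lock_safely` and the demo path are hypothetical, and a POSIX system with `openat` and `O_NOFOLLOW` is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not VirtualBox code): returns a locked fd for
 * <dir>/lock, or -1 if either object is not private to the caller. */
int acquire_lock_safely(const char *dir)
{
    struct stat st;
    /* EEXIST is tolerated: whoever created it, it is verified below. */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW rejects a symlink planted at the directory path. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }
    /* Open relative to the verified directory, without O_TRUNC, and fail
     * with ELOOP instead of following a symlink named "lock". */
    int fd = openat(dfd, "lock", O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    if (fd < 0)
        return -1;
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || fcntl(fd, F_SETLK, &fl) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Constructed demo path; pass another directory as argv[1]. */
    const char *dir = argc > 1 ? argv[1] : "/tmp/demo-ipc";
    int fd = acquire_lock_safely(dir);
    printf("%s/lock: %s\n", dir, fd >= 0 ? "locked" : "refused");
    return fd >= 0 ? 0 : 1;
}
```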
Comment 1 Robert Buchholz (RETIRED) 2008-11-07 15:12:41 UTC
Comment 2 Alessio Cassibba (X-Drum) 2008-11-10 01:01:20 UTC
Thanks for pointing this out, Robert. The attached patch can be applied to 1.6.6 and 2.x ebuilds as well (as reported by upstream). I just updated the ebuilds on jokey's overlay.
Comment 3 Robert Buchholz (RETIRED) 2008-11-25 11:37:04 UTC
*** Bug 248750 has been marked as a duplicate of this bug. ***
Comment 4 Robert Buchholz (RETIRED) 2008-11-25 11:42:28 UTC
jokey, are you going to merge the contents of the overlay into the tree?
Comment 5 Alessio Cassibba (X-Drum) 2008-11-26 23:01:08 UTC
virtualbox-* 2.0.6 ebuild bumped on jokey's overlay. The patch is not needed for this release because upstream already included these changes (as reported in their Changelog). http://overlays.gentoo.org/dev/jokey http://www.virtualbox.org/wiki/Changelog
Comment 6 stupendoussteve 2008-11-27 04:46:00 UTC
CVE-2008-5256 is out now - The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek VirtualBox before 2.0.6 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary file.
Comment 7 Stefan Behte (RETIRED) 2008-11-27 15:02:25 UTC
CVE-2008-5256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5256): The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek VirtualBox before 2.0.6 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary file.
Comment 8 Stefan Behte (RETIRED) 2008-11-27 15:09:04 UTC
Whoops. I updated the topic via script and did not see your comment...
Comment 9 Diego Elio Pettenò (RETIRED) 2008-12-18 12:48:32 UTC
I've committed Alessio's ebuilds to portage just now.
Comment 10 Stefan Behte (RETIRED) 2009-01-05 23:07:41 UTC
Closing as it's just ~3.