Bug 288836 (CVE-2009-3692)

Summary: <app-emulation/virtualbox-{bin,ose}-3.0.8: Security Vulnerability in the VBoxNetAdpCtl Configuration Tool (CVE-2009-3692)
Product: Gentoo Security
Reporter: Martin Alexander Neumann <hotpotatorouting>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: andrey.vihrov, jokey, patrick, swapon
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-268188-1
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 289618
Bug Blocks: 280052

Description Martin Alexander Neumann 2009-10-13 08:29:09 UTC
A security vulnerability in the VBoxNetAdpCtl configuration tool for certain Sun VirtualBox 3.0 packages may allow local unprivileged users who are authorized to run VirtualBox to execute arbitrary commands with root privileges.

There are no predictable symptoms to indicate this issue has been exploited to gain elevated privileges.

This issue is addressed in the following release: Sun VirtualBox 3.0.8 (for all platforms)

Reproducible: Didn't try
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-13 17:08:19 UTC
CVE-2009-3692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3692):
  Unspecified vulnerability in the VBoxNetAdpCtl configuration tool in
  Sun VirtualBox 3.0.x before 3.0.8 on Solaris x86, Linux, and Mac OS X
  allows local users to gain privileges via unknown vectors.

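Not part of the bug report: an added shell check that encodes the affected range quoted in comment 1 (Sun VirtualBox 3.0.x before 3.0.8, the same range the summary's `<...-3.0.8` atoms express) and applies it to Gentoo `category/package-version` atoms, treating the `-rN` ebuild revision as irrelevant to the upstream version. The sample atoms are constructed; `qlist -Iv` from portage-utils is mentioned as one way to feed it real atoms but that command is an assumption, and the check only compares versions: as the description says, there are no symptoms of exploitation to look for.

```shell
#!/bin/sh
# Added example, not from the bug or from VirtualBox/Gentoo: classify a
# VirtualBox package version against the CVE-2009-3692 range quoted above
# (Sun VirtualBox 3.0.x before 3.0.8). Gentoo atoms such as
# app-emulation/virtualbox-ose-3.0.8-r1 are accepted; the -rN suffix is a
# Gentoo ebuild revision and does not change the upstream version.

# atom_version ATOM: print the version part of a category/package-version
# atom ("app-emulation/virtualbox-ose-3.0.8-r1" -> "3.0.8-r1").
# Returns 1 when the atom carries no version.
atom_version() {
    pv=${1##*/}                      # drop the category
    while [ -n "$pv" ]; do
        case "$pv" in
            [0-9]*) printf '%s\n' "$pv"; return 0 ;;
            *-*)    pv=${pv#*-} ;;   # peel one "name-" component
            *)      return 1 ;;
        esac
    done
    return 1
}

# vbox_affected VERSION: return 0 if VERSION is 3.0.x with x < 8 (affected),
# 1 if it lies outside that range, 2 if it cannot be parsed.
vbox_affected() {
    v=${1%%-r*}                      # strip the Gentoo -rN revision
    major=${v%%.*}
    rest=${v#*.}
    case "$rest" in *.*) ;; *) return 2 ;; esac   # need MAJOR.MINOR.PATCH
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}               # ignore any fourth component
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac   # numeric parts only
    done
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 8 ]; then
        return 0
    fi
    return 1
}

# vbox_verdict ATOM: print a one-line verdict and return the vbox_affected
# status (0 affected, 1 not affected, 2 undetermined).
vbox_verdict() {
    atom=$1
    if ! ver=$(atom_version "$atom"); then
        echo "$atom: no version in atom, cannot judge"
        return 2
    fi
    vbox_affected "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "$atom: AFFECTED by CVE-2009-3692 (3.0.x before 3.0.8), upgrade to >=3.0.8" ;;
        1) echo "$atom: outside the affected range" ;;
        *) echo "$atom: version '$ver' not understood, check by hand" ;;
    esac
    return $rc
}

# Constructed sample atoms (not taken from any real system): the vulnerable
# binary package, the fixed OSE revision, an older 2.x release and 3.0.8 itself.
# On a Gentoo host, real input could come from portage-utils (assumed tool):
#   qlist -Iv app-emulation/virtualbox | while read -r a; do vbox_verdict "$a"; done
for atom in app-emulation/virtualbox-bin-3.0.6 \
            app-emulation/virtualbox-ose-3.0.8-r1 \
            app-emulation/virtualbox-ose-2.2.4 \
            app-emulation/virtualbox-bin-3.0.8; do
    vbox_verdict "$atom" || :
done
```

The revision is stripped deliberately: the fix is in upstream 3.0.8, so every Gentoo revision of 3.0.8 carries it, while a two-component or non-numeric version is reported as undetermined rather than silently passed.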
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-16 10:34:40 UTC
What about the OSE edition?
Comment 3 Martin Alexander Neumann 2009-10-16 11:38:32 UTC
CVE-2009-3704 (http://seclists.org/oss-sec/2009/q4/43)
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-16 12:10:58 UTC
>>> Install virtualbox-ose-3.0.8 into /var/tmp/portage/app-emulation/virtualbox-ose-3.0.8/image/ category app-emulation
install: cannot stat `vboxwebsrv': No such file or directory
!!! doins: vboxwebsrv does not exist

USE=vboxwebsrv fails.
Comment 5 Martin Alexander Neumann 2009-10-16 12:36:42 UTC
(In reply to comment #2)
> What about the OSE edition?
> 

OSE is also affected.
Comment 6 Martin Alexander Neumann 2009-10-16 12:44:47 UTC
Opened up bug 289307 for OSE.
Comment 7 Alessio Cassibba (X-Drum) 2009-10-17 14:52:02 UTC
(In reply to comment #4)
> >>> Install virtualbox-ose-3.0.8 into /var/tmp/portage/app-emulation/virtualbox-ose-3.0.8/image/ category app-emulation
> install: cannot stat `vboxwebsrv': No such file or directory
> !!! doins: vboxwebsrv does not exist
> 
> USE=vboxwebsrv fails.
> 

Hi, which version of net-libs/gsoap are you using?
The compilation of vboxwebsrv is often afflicted by problems with gsoap;
vboxwebsrv compiles here with net-libs/gsoap-2.7.13 (still masked).

I just updated the virtualbox-ose ebuild (3.0.8-r1) on jokey's overlay[1];
it includes a fix for this and other minor issues (details in the ChangeLog).

[1] http://overlays.gentoo.org/dev/jokey
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:03:33 UTC
*** Bug 289307 has been marked as a duplicate of this bug. ***
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:05:36 UTC
I added the -r1 of ose from jokey's overlay to the tree.  To be stabilised

x11-drivers/xf86-video-virtualbox
x11-drivers/xf86-input-virtualbox
app-emulation/virtualbox-ose-additions
app-emulation/virtualbox-ose
app-emulation/virtualbox-modules
app-emulation/virtualbox-guest-additions
app-emulation/virtualbox-bin

Everything in version 3.0.8
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:06:07 UTC
*** Bug 285451 has been marked as a duplicate of this bug. ***
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:13:03 UTC
(In reply to comment #9)

> Everything in version 3.0.8

Except -r1 for ose, of course.

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-19 01:46:41 UTC
x86 stable
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:30:52 UTC
amd64: *ping*
Comment 14 Markus Meier gentoo-dev 2009-11-09 13:48:32 UTC
amd64 stable, all arches done.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-09 23:19:53 UTC
GLSA request filed.
Comment 16 Patrick Lauer gentoo-dev 2009-11-10 01:47:55 UTC
Old versions dropped.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:14:43 UTC
GLSA 201001-04, thanks everyone.