Bug 399807 (CVE-2012-0111)

Summary: <app-emulation/virtualbox{,-bin}-4.1.8 Shared Folders Information Disclosure (CVE-2012-{0105,0111})
Product: Gentoo Security
Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: amigadave, dan, mephinet, patrick, polynomial-c, swapon
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/47626/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 403441
Bug Blocks: 401013

Description Michael Harrison 2012-01-23 08:57:06 UTC
An unspecified error in the Shared Folders component can be exploited by local users to read, update, insert, or delete certain Oracle VM VirtualBox accessible data.

The vulnerabilities are reported in version 4.1.

Solution
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for January 2012 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixOVIR
Comment 1 Michael Harrison 2012-01-23 09:00:11 UTC
Guys, I apologize for not having better information on the upstream commit. I don't have an Oracle account and the advisory/patch table gives very little information.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-02-02 12:18:57 UTC
Alright... I fail to find a patch for this. If anyone can provide a link to the VCS commit that includes a fix, I'd appreciate that very much.
Comment 3 Dan Beavers 2012-02-09 02:10:26 UTC
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0111 shows that
* cpe:/a:oracle:virtualization:4.1
* cpe:/a:oracle:vm_virtualbox:4.1
are vulnerable.  https://www.virtualbox.org/wiki/Changelog shows that VirtualBox 4.1.8 (released 2011-12-19) is available.  Is 4.1.8 vulnerable?
Comment 4 Dan Beavers 2012-02-10 01:54:25 UTC
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixOVIR shows 3 CVE#s: CVE-2012-0105, CVE-2012-0111, and CVE-2011-3571 that affect this issue.  The RETIRED: Oracle January 2012 Critical Patch Update Multiple Vulnerabilities at http://www.securityfocus.com/bid/51410/discuss shows that all 3 CVE#s are addressed. "Oracle has released advance notification regarding the January 2012 Critical Patch Update (CPU) to be released on January 17, 2012. The update addresses 78 vulnerabilities"  I hope this supports that 4.1.8 is not vulnerable.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:24:40 UTC
CVE-2012-0111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0111):
  Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle
  Virtualization 4.1 allows local users to affect confidentiality and
  integrity via unknown vectors related to Shared Folders.

CVE-2012-0105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0105):
  Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle
  Virtualization 4.1 allows local users to affect confidentiality, integrity,
  and availability via unknown vectors related to Windows Guest Additions.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-24 13:10:11 UTC
4.1.8 is not affected. Debian contacted upstream to verify:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659950#10

=app-emulation/virtualbox-4.1.8 and =app-emulation/virtualbox-bin-4.1.8 are being stabilized in bug 403441.
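As an added illustration of the version question settled in this bug (example code, not part of the bug report or of Gentoo's own tooling), the following Python checker parses the two atoms from the summary line, `<app-emulation/virtualbox-4.1.8` and `<app-emulation/virtualbox-bin-4.1.8`, and reports whether installed package versions fall inside the affected range. Its version ordering is an assumed, simplified subset of Portage's rules: dotted numeric components, at most one `_alpha/_beta/_pre/_rc/_p` suffix, and an optional `-rN` revision; the sample list of installed atoms is constructed for the example.

```python
import operator
import re

# Atoms copied from the bug summary: anything older than 4.1.8 of either package is affected.
AFFECTED_ATOMS = (
    "<app-emulation/virtualbox-4.1.8",
    "<app-emulation/virtualbox-bin-4.1.8",
)

# '<op>category/package-version'; the package name is matched lazily so that the
# version is the first hyphen-separated part that starts with a digit
# (this is how 'virtualbox-bin-4.1.8' splits into 'virtualbox-bin' and '4.1.8').
ATOM_RE = re.compile(r"(<=|>=|<|>|=)?([a-z0-9+_.-]+/[A-Za-z0-9+_-]+?)-(\d[A-Za-z0-9._-]*)")

# Simplified version grammar (assumption: a subset of the PMS rules is enough here):
# numbers, optional single suffix, optional -rN revision.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?")
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}

OPS = {
    "<": operator.lt,
    "<=": operator.le,
    "=": operator.eq,
    ">=": operator.ge,
    ">": operator.gt,
}


def split_atom(atom):
    """Split an atom into (operator, 'category/package', 'version'); '=' is implied."""
    m = ATOM_RE.fullmatch(atom.strip())
    if not m:
        raise ValueError(f"unparseable atom: {atom!r}")
    op, pkg, ver = m.groups()
    return op or "=", pkg, ver


def version_key(version):
    """Sort key so that 4.1.8_rc1 < 4.1.8 < 4.1.8-r1 < 4.1.10 (numeric, not lexical)."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers, suffix, suffix_num, revision = m.groups()
    return (
        tuple(int(n) for n in numbers.split(".")),
        SUFFIX_RANK[suffix],
        int(suffix_num) if suffix_num else 0,
        int(revision) if revision else 0,
    )


def matches(installed_atom, range_atom):
    """True if the installed package/version satisfies the range atom."""
    op, pkg, ver = split_atom(range_atom)
    _, installed_pkg, installed_ver = split_atom(installed_atom)
    if installed_pkg != pkg:          # different package (e.g. virtualbox vs virtualbox-bin)
        return False
    return OPS[op](version_key(installed_ver), version_key(ver))


def affected_packages(installed_atoms, affected=AFFECTED_ATOMS):
    """Return the installed atoms that fall inside any of the affected ranges."""
    return [a for a in installed_atoms if any(matches(a, r) for r in affected)]


if __name__ == "__main__":
    # Constructed sample of installed atoms, in the 'category/package-version'
    # form that e.g. `qlist -Iv` prints; not taken from the bug.
    sample = [
        "app-emulation/virtualbox-4.1.6",
        "app-emulation/virtualbox-bin-4.1.8",
        "app-emulation/virtualbox-4.1.8_rc1",
        "app-emulation/virtualbox-4.1.8-r1",
    ]
    for atom in sample:
        print(atom, "AFFECTED" if affected_packages([atom]) else "fixed")
```

The point of the comparison is that `4.1.8_rc1` and `4.1.8-r1` sit on opposite sides of the fix boundary and that `4.1.10` must rank above `4.1.8`, which a plain string comparison gets wrong.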
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-04-09 13:41:01 UTC
Thanks, folks. GLSA Vote: yes.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-09 19:32:46 UTC
GLSA Vote: yes as I already had it on an existing GLSA request. :)
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-04-09 22:54:52 UTC
This issue was resolved and addressed in
 GLSA 201204-01 at http://security.gentoo.org/glsa/glsa-201204-01.xml
by GLSA coordinator Sean Amoss (ackle).