Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 550964

Summary: <app-emulation/virtualbox{,-bin}-4.3.28: Privilege escalation via emulated floppy disk drive (CVE-2015-3456)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: patrick, polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-01 16:45:59 UTC 
From above URL:

This Security Alert addresses security issue CVE-2015-3456 ("VENOM"), a buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC). 
The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products.

Affects: VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28

Both 4.3.26 (vulnerable) and 4.3.28 (fixed) are in ~{amd64,x86}.
The current version in amd64/x86 stable is 4.3.18 (vulnerable).

http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html#PatchTable
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-verbose-2542659.html#OVIR
https://www.debian.org/security/2015/dsa-3274

Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-04 13:36:45 UTC 
@Maintainers: Is 4.3.28 ready for stabilization?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:15:25 UTC 
CVE-2015-3456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3456):
  The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier
  and KVM, allows local guest users to cause a denial of service
  (out-of-bounds write and guest crash) or possibly execute arbitrary code via
  the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other
  unspecified commands, aka VENOM.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 00:11:50 UTC 
This is now fixed. Current stable version in repository is =app-emulation/virtualbox{,-bin}-4.3.38 which is >4.3.28.

No vulnerable version left in tree. So nothing left to do for us.


Added to existing GLSA.

Added CVE status based on comment #2.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-12-11 23:45:34 UTC 
This issue was resolved and addressed in
 GLSA 201612-27 at https://security.gentoo.org/glsa/201612-27
by GLSA coordinator Kristian Fiskerstrand (K_F).