Bug 600214 (CVE-2016-5608, CVE-2016-5610, CVE-2016-5611, CVE-2016-5613)

Summary: app-emulation/virtualbox-{,bin}-{5.0.28, 5.1.8}: multiple vulnerabilities (CVE-2016-{5608,5610,5611,5613})
Product: Gentoo Security
Reporter: Aaron Bauman (RETIRED) <bman>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: masterzorag, polynomial-c, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 06:22:54 UTC
CVEs inbound...

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-11-19 06:25:23 UTC
CVE-2016-5613 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5613):
  Unspecified vulnerability in the Oracle VM VirtualBox component before
  5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to
  affect availability via vectors related to Core, a different vulnerability
  than CVE-2016-5608.

CVE-2016-5611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5611):
  Unspecified vulnerability in the Oracle VM VirtualBox component before
  5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to
  affect confidentiality via vectors related to Core.

CVE-2016-5610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5610):
  Unspecified vulnerability in the Oracle VM VirtualBox component before
  5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to
  affect confidentiality, integrity, and availability via vectors related to
  Core.

CVE-2016-5608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5608):
  Unspecified vulnerability in the Oracle VM VirtualBox component before
  5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to
  affect availability via vectors related to Core, a different vulnerability
  than CVE-2016-5613.

Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 06:03:07 UTC
Vulnerable versions:
<5.0.28 and <5.1.8
Current Versions stable = 5.0.32
Vulnerable versions in tree need cleanup before closing the bug.

GLSA Vote: No

Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-05-27 00:40:30 UTC
Maintainer(s), please drop the vulnerable version(s).

Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-06 14:37:10 UTC
Ping.

No updates since 05/17.

Security Team Padawan
ChrisADR

Comment 6 Mart Raudsepp gentoo-dev 2017-08-06 21:20:08 UTC
The cleanup was reverted; however, it seems a p.mask was added instead, so I think that constitutes cleanup as well.