| Summary: | <app-emulation/virtualbox{-bin}-{5.2.40,6.0.20,6.1.6}: Multiple vulnerabilities (CVE-2020-{2575,2741,2742,2743,2748,2758,2894,2902,2905,2907,2908,2909,2910,2911,2913,2914,2929,2951,2958,2959}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | asturm, polynomial-c |
| Priority: | Normal | Keywords: | CC-ARCHES |
| Version: | unspecified | Flags: | nattka:sanity-check- |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=714064, https://bugs.gentoo.org/show_bug.cgi?id=717782 | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | =app-emulation/virtualbox-5.2.40 amd64 x86<br>=app-emulation/virtualbox-modules-5.2.40 amd64 x86<br>=app-emulation/virtualbox-guest-additions-5.2.40 amd64 x86<br>=app-emulation/virtualbox-extpack-oracle-5.2.40.137108 amd64 x86<br>=app-emulation/virtualbox-bin-5.2.40.137108 amd64 x86<br>=app-emulation/virtualbox-additions-5.2.40 amd64 x86 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 714064 | | |
Description
GLSAMaker/CVETool Bot
2020-04-15 21:25:45 UTC
CVE-2020-2914 (https://nvd.nist.gov/vuln/detail/CVE-2020-2914): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.0.20 and prior to 6.1.6. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVE-2020-2913 (https://nvd.nist.gov/vuln/detail/CVE-2020-2913): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.0.20 and prior to 6.1.6. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVE-2020-2910 (https://nvd.nist.gov/vuln/detail/CVE-2020-2910): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.0.20 and prior to 6.1.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=589205766d01dfbffb4b4e95a99aa5dfa19a0389

commit 589205766d01dfbffb4b4e95a99aa5dfa19a0389
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-18 14:58:56 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-18 15:42:02 +0000

virtualbox packages: Security bump to ver 5.2.40, 6.0.20 and 6.1.6

Bug: https://bugs.gentoo.org/717626
Closes: https://bugs.gentoo.org/715726
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

app-emulation/virtualbox-additions/Manifest | 3 +
.../virtualbox-additions-5.2.40.ebuild | 33 ++
.../virtualbox-additions-6.0.20.ebuild | 34 ++
.../virtualbox-additions-6.1.6.ebuild | 34 ++
app-emulation/virtualbox-bin/Manifest | 10 +
.../virtualbox-bin-5.2.40.137108.ebuild | 287 ++++++++++++
.../virtualbox-bin-6.0.20.137117.ebuild | 292 ++++++++++++
.../virtualbox-bin-6.1.6.137129.ebuild | 292 ++++++++++++
app-emulation/virtualbox-extpack-oracle/Manifest | 3 +
.../virtualbox-extpack-oracle-5.2.40.137108.ebuild | 42 ++
.../virtualbox-extpack-oracle-6.0.20.137117.ebuild | 43 ++
.../virtualbox-extpack-oracle-6.1.6.137129.ebuild | 43 ++
app-emulation/virtualbox-guest-additions/Manifest | 4 +
.../virtualbox-guest-additions-5.2.40.ebuild | 229 +++++++++
.../virtualbox-guest-additions-6.0.20.ebuild | 216 +++++++++
.../virtualbox-guest-additions-6.1.6.ebuild | 215 +++++++++
app-emulation/virtualbox-modules/Manifest | 3 +
.../virtualbox-modules-5.2.40.ebuild | 59 +++
.../virtualbox-modules-6.0.20.ebuild | 55 +++
.../virtualbox-modules-6.1.6.ebuild | 55 +++
app-emulation/virtualbox/Manifest | 4 +
app-emulation/virtualbox/virtualbox-5.2.40.ebuild | 496 ++++++++++++++++++++
app-emulation/virtualbox/virtualbox-6.0.20.ebuild | 511 +++++++++++++++++++++
app-emulation/virtualbox/virtualbox-6.1.6.ebuild | 507 ++++++++++++++++++++
24 files changed, 3470 insertions(+)

@maintainer(s), please advise if ready for stabilisation, or call yourself

amd64 stable

x86 stable

@maintainer(s), please cleanup

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9fcfc7c28e467a0419704b2830d4e7f2200469a

commit c9fcfc7c28e467a0419704b2830d4e7f2200469a
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-29 08:35:41 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-29 08:38:52 +0000

virtualbox packages: Security cleanup

Bug: https://bugs.gentoo.org/717626
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

app-emulation/virtualbox-additions/Manifest | 4 -
.../virtualbox-additions-5.2.32.ebuild | 33 --
.../virtualbox-additions-5.2.36.ebuild | 33 --
.../virtualbox-additions-6.0.16.ebuild | 34 --
.../virtualbox-additions-6.1.4.ebuild | 34 --
app-emulation/virtualbox-bin/Manifest | 14 -
.../virtualbox-bin-5.2.32.132073.ebuild | 287 ------------
.../virtualbox-bin-5.2.36.135684.ebuild | 287 ------------
.../virtualbox-bin-6.0.16.135674-r1.ebuild | 292 ------------
.../virtualbox-bin-6.1.4.136177-r1.ebuild | 292 ------------
app-emulation/virtualbox-extpack-oracle/Manifest | 4 -
.../virtualbox-extpack-oracle-5.2.32.132073.ebuild | 42 --
.../virtualbox-extpack-oracle-5.2.36.135684.ebuild | 42 --
.../virtualbox-extpack-oracle-6.0.16.135674.ebuild | 43 --
.../virtualbox-extpack-oracle-6.1.4.136177.ebuild | 43 --
app-emulation/virtualbox-guest-additions/Manifest | 6 -
.../virtualbox-guest-additions-5.2.32.ebuild | 229 ---------
.../virtualbox-guest-additions-5.2.36.ebuild | 229 ---------
.../virtualbox-guest-additions-6.0.16-r1.ebuild | 216 ---------
.../virtualbox-guest-additions-6.1.4-r1.ebuild | 215 ---------
app-emulation/virtualbox-modules/Manifest | 4 -
.../virtualbox-modules-5.2.32.ebuild | 51 --
.../virtualbox-modules-5.2.36.ebuild | 59 ---
.../virtualbox-modules-6.0.16-r1.ebuild | 55 ---
.../virtualbox-modules-6.1.4-r1.ebuild | 55 ---
app-emulation/virtualbox/Manifest | 6 -
app-emulation/virtualbox/virtualbox-5.2.32.ebuild | 497 --------------------
app-emulation/virtualbox/virtualbox-5.2.36.ebuild | 496 --------------------
.../virtualbox/virtualbox-6.0.16-r1.ebuild | 511 ---------------------
.../virtualbox/virtualbox-6.1.4-r2.ebuild | 507 --------------------
30 files changed, 4620 deletions(-)

CVE-2020-2575 (https://nvd.nist.gov/vuln/detail/CVE-2020-2575): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.40, prior to 6.0.20 and prior to 6.1.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

*** Bug 726846 has been marked as a duplicate of this bug. ***

Unable to check for sanity:
> no match for package: =app-emulation/virtualbox-modules-5.2.40
moved from https://bugs.gentoo.org/717782#c3:

CVE-2020-2742: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2020-2743: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

Unable to check for sanity:
> no match for package: =app-emulation/virtualbox-5.2.40
This issue was resolved and addressed in GLSA 202101-09 at https://security.gentoo.org/glsa/202101-09 by GLSA coordinator Aaron Bauman (b-man).