
Bug 750782 (CVE-2020-14872, CVE-2020-14881, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886, CVE-2020-14889, CVE-2020-14892)

Summary: <app-emulation/virtualbox-6.1.16: Multiple vulnerabilities (CVE-2020-{14872,14881,14884,14885,14886,14889,14892})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: polynomial-c
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixMSQL
Whiteboard: A1 [glsa+ cve]
Package list:
app-emulation/virtualbox-6.1.16-r1 amd64
app-emulation/virtualbox-additions-6.1.16-r1 amd64
app-emulation/virtualbox-extpack-oracle-6.1.16.140961-r1 amd64
app-emulation/virtualbox-guest-additions-6.1.16-r1
app-emulation/virtualbox-modules-6.1.16-r1 amd64
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-23 04:22:34 UTC
Oracle's October 2020 Security Advisory lists VirtualBox as affected by several vulnerabilities, the worst of which would allow an attacker with access to the system running VirtualBox to compromise VirtualBox.

Maintainer, please proceed with stabilization when ready.
Comment 1 NATTkA bot gentoo-dev 2020-10-23 04:24:53 UTC Comment hidden (obsolete)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-06 07:34:37 UTC
ping
Comment 3 NATTkA bot gentoo-dev 2020-11-07 06:16:56 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2020-11-09 18:33:02 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2020-12-09 15:52:15 UTC Comment hidden (obsolete)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-09 17:39:36 UTC
Ping.
Comment 7 NATTkA bot gentoo-dev 2020-12-09 17:41:03 UTC Comment hidden (obsolete)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 07:05:21 UTC
ping
Comment 9 Frank Krömmelbein 2021-01-05 21:42:29 UTC
Ping.
In my opinion there is too long a standstill here for a security bug.

These packages should be stabilized:

=app-emulation/virtualbox-6.1.16-r1
=app-emulation/virtualbox-additions-6.1.16-r1
=app-emulation/virtualbox-extpack-oracle-6.1.16.140961-r1
=app-emulation/virtualbox-guest-additions-6.1.16-r1
=app-emulation/virtualbox-modules-6.1.16-r1
Comment 10 NATTkA bot gentoo-dev 2021-01-05 22:17:04 UTC Comment hidden (obsolete)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 03:09:11 UTC
amd64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 02:54:03 UTC
x86 done

all arches done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 02:58:10 UTC
Please clean up, thanks!
Comment 14 Larry the Git Cow gentoo-dev 2021-01-19 08:22:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95b009db55b2ac18f2cdc9176d5264fed874570b

commit 95b009db55b2ac18f2cdc9176d5264fed874570b
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-19 08:22:11 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-19 08:22:28 +0000

    virtualbox packages: Security cleanup
    
    Bug: https://bugs.gentoo.org/750782
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-emulation/virtualbox-additions/Manifest        |   1 -
 .../virtualbox-additions-6.0.24-r1.ebuild          |  34 --
 app-emulation/virtualbox-extpack-oracle/Manifest   |   1 -
 ...rtualbox-extpack-oracle-6.0.24.139119-r1.ebuild |  43 --
 app-emulation/virtualbox-guest-additions/Manifest  |   2 -
 .../virtualbox-guest-additions-6.0.24-r2.ebuild    | 218 ---------
 app-emulation/virtualbox-modules/Manifest          |   1 -
 .../virtualbox-modules-6.0.24-r2.ebuild            |  55 ---
 app-emulation/virtualbox/Manifest                  |   2 -
 .../virtualbox/virtualbox-6.0.24-r1.ebuild         | 510 ---------------------
 10 files changed, 867 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-01-22 16:15:38 UTC
This issue was resolved and addressed in
 GLSA 202101-15 at https://security.gentoo.org/glsa/202101-15
by GLSA coordinator Aaron Bauman (b-man).