Paul Wise of Debian wrote: By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can overwrite any file owned by any user who starts virtualbox. Starting and then exiting virtualbox is enough to trigger this, you don't need to start any virtual machines. In addition to this, it is a really stupid idea to put dotfiles in /tmp and this should be fixed too. In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/ when exiting, which is just rude.
Patch is here: http://www.virtualbox.org/changeset?new=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%4013810&old=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%407049
Thanks for pointing this out Robert, the attached patch can be applied to 1.6.6 and 2.x ebuilds as well, (as reported by upstream), i just updated the ebuilds on jokey's overlay.
*** Bug 248750 has been marked as a duplicate of this bug. ***
jokey, are you going to merge the contents of the overlay into the tree?
virtualbox-* 2.0.6 ebuild bumped on jokey's overlay[1], the patch is not needed for this release because upstream already included this changes (as report on their Changelog[2]). [1] http://overlays.gentoo.org/dev/jokey [2] http://www.virtualbox.org/wiki/Changelog
CVE-2008-5256 is out now - The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek VirtualBox before 2.0.6 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary file.
CVE-2008-5256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5256): The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek VirtualBox before 2.0.6 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-$USER-ipc/lock temporary file.
Whoops. I updated the topic via script and did not see your comment...
I've committed Alessio's ebuilds to portage just now.
Closing as it's just ~3.
