288836 – (CVE-2009-3692) <app-emulation/virtualbox-{bin,ose}-3.0.8: Security Vulnerability in the VBoxNetAdpCtl Configuration Tool (CVE-2009-3692)

Bug 288836 (CVE-2009-3692) - <app-emulation/virtualbox-{bin,ose}-3.0.8: Security Vulnerability in the VBoxNetAdpCtl Configuration Tool (CVE-2009-3692)

Summary: <app-emulation/virtualbox-{bin,ose}-3.0.8: Security Vulnerability in the VBox...

Status:	RESOLVED FIXED

Alias:	CVE-2009-3692

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major
Assignee:	Gentoo Security

URL:	http://sunsolve.sun.com/search/docume...
Whiteboard:	B1 [glsa]
Keywords:

Duplicates (2):	285451 289307 (view as bug list)
Depends on:	289618
Blocks:	280052
	Show dependency tree

Reported:	2009-10-13 08:29 UTC by Martin Alexander Neumann
Modified:	2010-01-13 22:14 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Martin Alexander Neumann 2009-10-13 08:29:09 UTC

A security vulnerability in the VBoxNetAdpCtl configuration tool for certain Sun VirtualBox 3.0 packages may allow local unprivileged users who are authorized to run VirtualBox to execute arbitrary commands with root privileges.

There are no predictable symptoms to indicate this issue has been exploited to gain elevated privileges.

This issue is addressed in the following release: Sun VirtualBox 3.0.8 (for all platforms)

Reproducible: Didn't try

Comment 1 Alex Legler (RETIRED) archtester

2009-10-13 17:08:19 UTC

CVE-2009-3692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3692):
  Unspecified vulnerability in the VBoxNetAdpCtl configuration tool in
  Sun VirtualBox 3.0.x before 3.0.8 on Solaris x86, Linux, and Mac OS X
  allows local users to gain privileges via unknown vectors.

Comment 2 Christian Faulhammer (RETIRED) gentoo-dev

2009-10-16 10:34:40 UTC

What about the OSE edition?

Comment 3 Martin Alexander Neumann 2009-10-16 11:38:32 UTC

CVE-2009-3704 (http://seclists.org/oss-sec/2009/q4/43)

Comment 4 Christian Faulhammer (RETIRED) gentoo-dev

2009-10-16 12:10:58 UTC

>>> Install virtualbox-ose-3.0.8 into /var/tmp/portage/app-emulation/virtualbox-ose-3.0.8/image/ category app-emulation
install: cannot stat `vboxwebsrv': No such file or directory
!!! doins: vboxwebsrv does not exist

USE=vboxwebsrv fails.

Comment 5 Martin Alexander Neumann 2009-10-16 12:36:42 UTC

(In reply to comment #2)
> What about the OSE edition?
> 

OSE is also affected.

Comment 6 Martin Alexander Neumann 2009-10-16 12:44:47 UTC

Opened up bug 289307 for OSE.

Comment 7 Alessio Cassibba (X-Drum) 2009-10-17 14:52:02 UTC

(In reply to comment #4)
> >>> Install virtualbox-ose-3.0.8 into /var/tmp/portage/app-emulation/virtualbox-ose-3.0.8/image/ category app-emulation
> install: cannot stat `vboxwebsrv': No such file or directory
> !!! doins: vboxwebsrv does not exist
> 
> USE=vboxwebsrv fails.
> 

hi, which version of net-libs/gsoap are you using?
the compilation of vboxwebsrv is often afflicted by problems on gsoap,
vboxwebsrv compiles here with net-libs/gsoap-2.7.13 (still masked)

i just updated the virtualbox-ose ebuild (3.0.8-r1) on jokey's overlay[1],
it includes fix for this and other minor issues (details on ChangeLog)

[1] http://overlays.gentoo.org/dev/jokey

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev

2009-10-18 23:03:33 UTC

*** Bug 289307 has been marked as a duplicate of this bug. ***

Comment 9 Christian Faulhammer (RETIRED) gentoo-dev

2009-10-18 23:05:36 UTC

I added the -r1 of ose from jokey's overlay to the tree.  To be stabilised

x11-drivers/xf86-video-virtualbox
x11-drivers/xf86-input-virtualbox
app-emulation/virtualbox-ose-additions
app-emulation/virtualbox-ose
app-emulation/virtualbox-modules
app-emulation/virtualbox-guest-additions
app-emulation/virtualbox-bin

Everything in version 3.0.8

Comment 10 Christian Faulhammer (RETIRED) gentoo-dev

2009-10-18 23:06:07 UTC

*** Bug 285451 has been marked as a duplicate of this bug. ***

Comment 11 Christian Faulhammer (RETIRED) gentoo-dev

2009-10-18 23:13:03 UTC

(In reply to comment #9)

> Everything in version 3.0.8

 Except -r1 for ose of course.

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev

2009-10-19 01:46:41 UTC

x86 stable

Comment 13 Stefan Behte (RETIRED) gentoo-dev

2009-11-06 14:30:52 UTC

amd64: *ping*

Comment 14 Markus Meier gentoo-dev

2009-11-09 13:48:32 UTC

amd64 stable, all arches done.

Comment 15 Stefan Behte (RETIRED) gentoo-dev

2009-11-09 23:19:53 UTC

GLSA request filed.

Comment 16 Patrick Lauer gentoo-dev

2009-11-10 01:47:55 UTC

Old versions dropped.

Comment 17 Stefan Behte (RETIRED) gentoo-dev

2010-01-13 22:14:43 UTC

GLSA 201001-04, thanks everyone.