Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 288836 (CVE-2009-3692) - <app-emulation/virtualbox-{bin,ose}-3.0.8: Security Vulnerability in the VBoxNetAdpCtl Configuration Tool (CVE-2009-3692)
Summary: <app-emulation/virtualbox-{bin,ose}-3.0.8: Security Vulnerability in the VBox...
Status: RESOLVED FIXED
Alias: CVE-2009-3692
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://sunsolve.sun.com/search/docume...
Whiteboard: B1 [glsa]
Keywords:
: 285451 289307 (view as bug list)
Depends on: 289618
Blocks: 280052
  Show dependency tree
 
Reported: 2009-10-13 08:29 UTC by Martin Alexander Neumann
Modified: 2010-01-13 22:14 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Alexander Neumann 2009-10-13 08:29:09 UTC
A security vulnerability in the VBoxNetAdpCtl configuration tool for certain Sun VirtualBox 3.0 packages may allow local unprivileged users who are authorized to run VirtualBox to execute arbitrary commands with root privileges.

There are no predictable symptoms to indicate this issue has been exploited to gain elevated privileges.

This issue is addressed in the following release: Sun VirtualBox 3.0.8 (for all platforms)

Reproducible: Didn't try
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-13 17:08:19 UTC
CVE-2009-3692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3692):
  Unspecified vulnerability in the VBoxNetAdpCtl configuration tool in
  Sun VirtualBox 3.0.x before 3.0.8 on Solaris x86, Linux, and Mac OS X
  allows local users to gain privileges via unknown vectors.

Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-16 10:34:40 UTC
What about the OSE edition?
Comment 3 Martin Alexander Neumann 2009-10-16 11:38:32 UTC
CVE-2009-3704 (http://seclists.org/oss-sec/2009/q4/43)
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-16 12:10:58 UTC
>>> Install virtualbox-ose-3.0.8 into /var/tmp/portage/app-emulation/virtualbox-ose-3.0.8/image/ category app-emulation
install: cannot stat `vboxwebsrv': No such file or directory
!!! doins: vboxwebsrv does not exist

USE=vboxwebsrv fails.
Comment 5 Martin Alexander Neumann 2009-10-16 12:36:42 UTC
(In reply to comment #2)
> What about the OSE edition?
> 

OSE is also affected.
Comment 6 Martin Alexander Neumann 2009-10-16 12:44:47 UTC
Opened up bug 289307 for OSE.
Comment 7 Alessio Cassibba (X-Drum) 2009-10-17 14:52:02 UTC
(In reply to comment #4)
> >>> Install virtualbox-ose-3.0.8 into /var/tmp/portage/app-emulation/virtualbox-ose-3.0.8/image/ category app-emulation
> install: cannot stat `vboxwebsrv': No such file or directory
> !!! doins: vboxwebsrv does not exist
> 
> USE=vboxwebsrv fails.
> 

hi, which version of net-libs/gsoap are you using?
the compilation of vboxwebsrv is often afflicted by problems on gsoap,
vboxwebsrv compiles here with net-libs/gsoap-2.7.13 (still masked)

i just updated the virtualbox-ose ebuild (3.0.8-r1) on jokey's overlay[1],
it includes fix for this and other minor issues (details on ChangeLog)

[1] http://overlays.gentoo.org/dev/jokey
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:03:33 UTC
*** Bug 289307 has been marked as a duplicate of this bug. ***
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:05:36 UTC
I added the -r1 of ose from jokey's overlay to the tree.  To be stabilised

x11-drivers/xf86-video-virtualbox
x11-drivers/xf86-input-virtualbox
app-emulation/virtualbox-ose-additions
app-emulation/virtualbox-ose
app-emulation/virtualbox-modules
app-emulation/virtualbox-guest-additions
app-emulation/virtualbox-bin

Everything in version 3.0.8
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:06:07 UTC
*** Bug 285451 has been marked as a duplicate of this bug. ***
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-18 23:13:03 UTC
(In reply to comment #9)

> Everything in version 3.0.8

 Except -r1 for ose of course.

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-19 01:46:41 UTC
x86 stable
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:30:52 UTC
amd64: *ping*
Comment 14 Markus Meier gentoo-dev 2009-11-09 13:48:32 UTC
amd64 stable, all arches done.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-09 23:19:53 UTC
GLSA request filed.
Comment 16 Patrick Lauer gentoo-dev 2009-11-10 01:47:55 UTC
Old versions dropped.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:14:43 UTC
GLSA 201001-04, thanks everyone.