An unspecified error in the Shared Folders component can be exploited by local users to read, update, insert, or delete certain Oracle VM VirtualBox accessible data.
The vulnerabilities are reported in version 4.1.
Solution: Apply updates (please see the vendor's advisory for details).
Provided and/or discovered by: It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for January 2012 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.
Original Advisory: Oracle: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixOVIR
Guys, I apologize for not having better information on the upstream commit. I don't have an Oracle account and the advisory/patch table gives very little information.
Alright... I fail to find a patch for this. If anyone can provide a link to the VCS commit that includes a fix, I'd appreciate that very much.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0111 shows that
* cpe:/a:oracle:virtualization:4.1
* cpe:/a:oracle:vm_virtualbox:4.1
are vulnerable.
https://www.virtualbox.org/wiki/Changelog shows that VirtualBox 4.1.8 (released 2011-12-19) is available. Is 4.1.8 vulnerable?
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixOVIR shows 3 CVE#s: CVE-2012-0105, CVE-2012-0111, and CVE-2011-3571 that affect this issue.
The RETIRED: Oracle January 2012 Critical Patch Update Multiple Vulnerabilities at http://www.securityfocus.com/bid/51410/discuss shows that all 3 CVE#s are addressed.
"Oracle has released advance notification regarding the January 2012 Critical Patch Update (CPU) to be released on January 17, 2012. The update addresses 78 vulnerabilities"
I hope this supports that 4.1.8 is not vulnerable.
CVE-2012-0111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0111): Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization 4.1 allows local users to affect confidentiality and integrity via unknown vectors related to Shared Folders.
CVE-2012-0105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0105): Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Windows Guest Additions.
4.1.8 is not affected. Debian contacted upstream to verify: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659950#10
=app-emulation/virtualbox-4.1.8 and =app-emulation/virtualbox-bin-4.1.8 are being stabilized in bug 403441.
Thanks, folks. GLSA Vote: yes.
GLSA Vote: yes as I already had it on an existing GLSA request. :)
This issue was resolved and addressed in GLSA 201204-01 at http://security.gentoo.org/glsa/glsa-201204-01.xml by GLSA coordinator Sean Amoss (ackle).