Bug 498166 (CVE-2013-5892) - <app-emulation/virtualbox{,-bin}-4.2.22 : Multiple Vulnerabilities (CVE-2013-5892,CVE-2014-{0404,0405,0406,0407})
Status: RESOLVED FIXED
Alias: CVE-2013-5892
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/56490/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-15 13:32 UTC by Agostino Sarubbo
Modified: 2014-01-20 09:18 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-01-15 13:32:45 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in Oracle VirtualBox, which can be exploited by malicious, local users to disclose sensitive information, manipulate certain data, cause a DoS (Denial of Service), and gain escalated privileges.

1) An error within the Core subcomponent can be exploited by local users to gain escalated privileges.

This vulnerability is reported in versions 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.6.

2) An error within the Core subcomponent can be exploited by local users to gain escalated privileges.

3) An error within the Core subcomponent can be exploited to disclose, update, insert, or delete certain data and to cause a crash.

4) An error within the Core subcomponent can be exploited to update, insert, or delete certain data and to cause a crash.

5) An error within the Core subcomponent can be exploited to disclose, update, insert, or delete certain data and to cause a crash.

Vulnerabilities #2 through #5 are reported in versions 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4.


Solution:
Apply update (please see the vendor's advisory for details).

Further details available to Secunia VIM customers

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities, as the Oracle Critical Patch Update for January 2014 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixOVIR
http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html#OVIR


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-01-15 13:43:08 UTC
Arches please test and mark stable the following set of packages:

=app-emulation/virtualbox-4.2.22
=app-emulation/virtualbox-additions-4.2.22
=app-emulation/virtualbox-bin-4.2.22
=app-emulation/virtualbox-extpack-oracle-4.2.22
=app-emulation/virtualbox-guest-additions-4.2.22
=app-emulation/virtualbox-modules-4.2.22
=x11-drivers/xf86-video-virtualbox-4.2.22

Target keywords are:
amd64 x86



@security: There's no fixed 4.3.x version available yet.
Comment 2 Agostino Sarubbo gentoo-dev 2014-01-16 20:28:33 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-01-16 20:29:07 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-01-17 18:16:21 UTC
Adding GLSAs as version 4.0.22 addresses CVEs as part of 4.0.20
(CVE-2013-5892, CVE-2014-{0404-0407})
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-01-17 18:17:21 UTC
Meant to say... adding CVEs and adding this to the existing GLSA.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-01-17 22:07:07 UTC
(In reply to Agostino Sarubbo from comment #3)
> Maintainer(s), please cleanup.

Done...
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-01-20 09:18:14 UTC
This issue was resolved and addressed in GLSA 201401-13 at http://security.gentoo.org/glsa/glsa-201401-13.xml by GLSA coordinator Sergey Popov (pinkbyte).