From above URL: This Security Alert addresses security issue CVE-2015-3456 ("VENOM"), a buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC). The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products. Affects: VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28 Both 4.3.26 (vulnerable) and 4.3.28 (fixed) are in ~{amd64,x86}. The current version in amd64/x86 stable is 4.3.18 (vulnerable). http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html#PatchTable http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-verbose-2542659.html#OVIR https://www.debian.org/security/2015/dsa-3274 Reproducible: Always
@Maintainers: Is 4.3.28 ready for stabilization?
CVE-2015-3456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3456): The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
This is now fixed. Current stable version in repository is =app-emulation/virtualbox{,-bin}-4.3.38 which is >4.3.28. No vulnerable version left in tree. So nothing left to do for us. Added to existing GLSA. Added CVE status based on comment #2.
This issue was resolved and addressed in GLSA 201612-27 at https://security.gentoo.org/glsa/201612-27 by GLSA coordinator Kristian Fiskerstrand (K_F).