Bug 550964 - <app-emulation/virtualbox{,-bin}-4.3.28: Privilege escalation via emulated floppy disk drive (CVE-2015-3456)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/top...
Whiteboard: A2 [glsa cve]
Reported: 2015-06-01 16:45 UTC by Sam James
Modified: 2016-12-11 23:45 UTC
Description Sam James archtester gentoo-dev Security 2015-06-01 16:45:59 UTC
From above URL:

This Security Alert addresses security issue CVE-2015-3456 ("VENOM"), a buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC). 
The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products.

Affects: VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28

Both 4.3.26 (vulnerable) and 4.3.28 (fixed) are in ~{amd64,x86}.
The current version in amd64/x86 stable is 4.3.18 (vulnerable).

http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html#PatchTable
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-verbose-2542659.html#OVIR
https://www.debian.org/security/2015/dsa-3274

Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-04 13:36:45 UTC
@Maintainers: Is 4.3.28 ready for stabilization?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:15:25 UTC
CVE-2015-3456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3456):
  The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier
  and KVM, allows local guest users to cause a denial of service
  (out-of-bounds write and guest crash) or possibly execute arbitrary code via
  the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other
  unspecified commands, aka VENOM.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-25 00:11:50 UTC
This is now fixed. Current stable version in repository is =app-emulation/virtualbox{,-bin}-4.3.38 which is >4.3.28.

No vulnerable version left in tree. So nothing left to do for us.


Added to existing GLSA.

Added CVE status based on comment #2.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-12-11 23:45:34 UTC
This issue was resolved and addressed in
 GLSA 201612-27 at https://security.gentoo.org/glsa/201612-27
by GLSA coordinator Kristian Fiskerstrand (K_F).