Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 399807 (CVE-2012-0111) - <app-emulation/virtualbox{,-bin}-4.1.8 Shared Folders Information Disclosure (CVE-2012-{0105,0111})
Summary: <app-emulation/virtualbox{,-bin}-4.1.8 Shared Folders Information Disclosure ...
Alias: CVE-2012-0111
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 403441
Blocks: 401013
  Show dependency tree
Reported: 2012-01-23 08:57 UTC by Michael Harrison
Modified: 2013-10-06 15:35 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2012-01-23 08:57:06 UTC
An unspecified error in the Shared Folders component can be exploited by local users to read, update, insert, or delete certain Oracle VM VirtualBox accessible data.

The vulnerabilities are reported in version 4.1.

Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for January 2012 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory
Comment 1 Michael Harrison 2012-01-23 09:00:11 UTC
Guys, I apologize for not having better information on the upstream commit. I don't have an oracle account and the advisory/patch table gives very little information.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-02-02 12:18:57 UTC
Alright... I fail to find a patch for this. If anyone can provide a link to the VCS commit that includes a fix, I'd appreciate that very much.
Comment 3 Dan Beavers 2012-02-09 02:10:26 UTC shows that
* cpe:/a:oracle:virtualization:4.1
* cpe:/a:oracle:vm_virtualbox:4.1
are vulnerable. shows that VirtualBox 4.1.8 (released 2011-12-19) is available.  Is 4.1.8 vulnerable?
Comment 4 Dan Beavers 2012-02-10 01:54:25 UTC shows 3 CVE#s: CVE-2012-0105, CVE-2012-0111, and CVE-2011-3571 that effect this issue.  The RETIRED: Oracle January 2012 Critical Patch Update Multiple Vulnerabilities at shows that all 3 CVE#s are addressed. "Oracle has released advance notification regarding the January 2012 Critical Patch Update (CPU) to be released on January 17, 2012. The update addresses 78 vulnerabilities"  I hope this supports that 4.1.8 is not vulnerable.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:24:40 UTC
CVE-2012-0111 (
  Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle
  Virtualization 4.1 allows local users to affect confidentiality and
  integrity via unknown vectors related to Shared Folders.

CVE-2012-0105 (
  Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle
  Virtualization 4.1 allows local users to affect confidentiality, integrity,
  and availability via unknown vectors related to Windows Guest Additions.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-24 13:10:11 UTC
4.1.8 is not affected. Debian contacted upstream to verify:

=app-emulation/virtualbox-4.1.8 and =app-emulation/virtualbox-bin-4.1.8 are being stabilized in bug 403441.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-04-09 13:41:01 UTC
Thanks, folks. GLSA Vote: yes.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-09 19:32:46 UTC
GLSA Vote: yes as I already had it on an existing GLSA request. :)
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-04-09 22:54:52 UTC
This issue was resolved and addressed in
 GLSA 201204-01 at
by GLSA coordinator Sean Amoss (ackle).