Bug 505274 (CVE-2014-0981, CVE-2014-0983) - <app-emulation/virtualbox-4.3.8: 3D Acceleration Multiple Privilege Escalation Vulnerabilities (CVE-2014-{0981,0983})
Status: RESOLVED FIXED
Alias: CVE-2014-0981, CVE-2014-0983
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57384/
Whiteboard: B1 [glsa]
Reported: 2014-03-21 16:41 UTC by Agostino Sarubbo
Modified: 2016-12-11 23:45 UTC
Description Agostino Sarubbo gentoo-dev 2014-03-21 16:41:59 UTC
From ${URL} :

Description

Core Security has reported multiple vulnerabilities in Oracle VirtualBox, which can be exploited by 
malicious, local users in a guest virtual machine to gain escalated privileges.

1) An error within the "crNetRecvReadback()" function (src/VBox/GuestHost/OpenGL/util/net.c) can be 
exploited to overwrite arbitrary hypervisor memory contents.

2) Two errors within the "crNetRecvReadback()" and "crNetRecvWriteback()" functions 
(src/VBox/GuestHost/OpenGL/util/net.c) can be exploited to manipulate arbitrary hypervisor memory 
contents.

3) A boundary error within multiple generated "crServerDispatchVertexAttrib*ARB()" functions 
(src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py) can be exploited to cause a buffer 
overflow.

Successful exploitation of these vulnerabilities may allow execution of arbitrary code with hypervisor 
privileges.

The vulnerabilities are reported in versions 4.2.20 and 4.3.6. Other versions may also be affected.


Solution:
Update to version 4.3.8.

Provided and/or discovered by:
Francisco Falcon, Core Exploit Writers Team.

Original Advisory:
Oracle VirtualBox:
https://www.virtualbox.org/changeset/50437/vbox
https://www.virtualbox.org/changeset/50441/vbox

Core Security:
http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:52:31 UTC
CVE-2014-0983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0983):
  Multiple array index errors in programs that are automatically generated by
  VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in Oracle
  VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when using 3D
  Acceleration, allow local guest OS users to execute arbitrary code on the
  Chromium server via certain CR_MESSAGE_OPCODES messages with a crafted
  index, which are not properly handled by the (1)
  CR_VERTEXATTRIB4NUBARB_OPCODE to the crServerDispatchVertexAttrib4NubARB
  function, (2) CR_VERTEXATTRIB1DARB_OPCODE to the
  crServerDispatchVertexAttrib1dARB function, (3) CR_VERTEXATTRIB1FARB_OPCODE
  to the crServerDispatchVertexAttrib1fARB function, (4)
  CR_VERTEXATTRIB1SARB_OPCODE to the crServerDispatchVertexAttrib1sARB
  function, (5) CR_VERTEXATTRIB2DARB_OPCODE to the
  crServerDispatchVertexAttrib2dARB function, (6) CR_VERTEXATTRIB2FARB_OPCODE
  to the crServerDispatchVertexAttrib2fARB function, (7)
  CR_VERTEXATTRIB2SARB_OPCODE to the crServerDispatchVertexAttrib2sARB
  function, (8) CR_VERTEXATTRIB3DARB_OPCODE to the
  crServerDispatchVertexAttrib3dARB function, (9) CR_VERTEXATTRIB3FARB_OPCODE
  to the crServerDispatchVertexAttrib3fARB function, (10)
  CR_VERTEXATTRIB3SARB_OPCODE to the crServerDispatchVertexAttrib3sARB
  function, (11) CR_VERTEXATTRIB4DARB_OPCODE to the
  crServerDispatchVertexAttrib4dARB function, (12) CR_VERTEXATTRIB4FARB_OPCODE
  to the crServerDispatchVertexAttrib4fARB function, and (13)
  CR_VERTEXATTRIB4SARB_OPCODE to the crServerDispatchVertexAttrib4sARB
  function.

CVE-2014-0981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0981):
  VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22, 4.0.x
  before 4.0.24, 4.1.x before 4.1.32, 4.2.x before 4.2.24, and 4.3.x before
  4.3.8, when using 3D Acceleration, allows local guest OS users to execute
  arbitrary code on the Chromium server via a crafted Chromium network pointer
  in a (1) CR_MESSAGE_READBACK or (2) CR_MESSAGE_WRITEBACK message to the
  VBoxSharedCrOpenGL service, which triggers an arbitrary pointer dereference
  and memory corruption.  NOTE: this issue was MERGED with CVE-2014-0982
  because it is the same type of vulnerability affecting the same set of
  versions. All CVE users should reference CVE-2014-0981 instead of
  CVE-2014-0982.
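
The two CVE descriptions above give different affected ranges per release branch. The following check is an added example, not part of the bug report or of any Gentoo or VirtualBox tooling; it maps a VirtualBox version string to the CVEs whose stated ranges include it. It assumes the ranges are exactly as worded in the descriptions above, and the function names are hypothetical.

```python
import re

# Affected ranges as stated in the two CVE descriptions quoted in Comment 1.
# Each tuple is (lowest affected version or None, bound, bound_is_inclusive).
AFFECTED = {
    "CVE-2014-0981": [
        (None, (3, 2, 22), False),       # "before 3.2.22"
        ((4, 0, 0), (4, 0, 24), False),  # "4.0.x before 4.0.24"
        ((4, 1, 0), (4, 1, 32), False),  # "4.1.x before 4.1.32"
        ((4, 2, 0), (4, 2, 24), False),  # "4.2.x before 4.2.24"
        ((4, 3, 0), (4, 3, 8), False),   # "4.3.x before 4.3.8"
    ],
    "CVE-2014-0983": [
        ((4, 2, 0), (4, 2, 20), True),   # "4.2.x through 4.2.20"
        ((4, 3, 0), (4, 3, 8), False),   # "4.3.x before 4.3.8"
    ],
}


def parse_version(text):
    """Extract (major, minor, patch) from '4.3.6', '4.3.6-r1' or a full atom."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def affecting_cves(version_text):
    """Return the sorted CVE ids whose stated ranges include this version."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        for low, bound, inclusive in ranges:
            if low is not None and v < low:
                continue  # version is below this branch's range
            # Integer tuple comparison, so 4.3.38 is correctly newer than 4.3.8.
            if v < bound or (inclusive and v == bound):
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs using versions named on this page.
    for atom in ("app-emulation/virtualbox-4.3.6", "4.2.22", "4.3.8", "4.3.38"):
        print(atom, affecting_cves(atom) or "not in the stated ranges")
```

Versions are compared as integer tuples rather than strings because a lexical comparison would sort 4.3.38 before 4.3.8 and report a fixed version as affected.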
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 16:25:48 UTC
=app-emulation/virtualbox-4.3.8 hit tree via https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-emulation/virtualbox/virtualbox-4.3.8.ebuild?hideattic=0&view=log

Current stable version in tree is =app-emulation/virtualbox-4.3.38 and no vulnerable version left. So all done.

Added to existing GLSA.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-12-11 23:45:19 UTC
This issue was resolved and addressed in
 GLSA 201612-27 at https://security.gentoo.org/glsa/201612-27
by GLSA coordinator Kristian Fiskerstrand (K_F).