Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 607674 (CVE-2016-5545, CVE-2017-3290, CVE-2017-3316, CVE-2017-3332) - <app-emulation/virtualbox-{5.0.32,5.1.14}: multiple vulnerabilities (OCPUJAN2017)
Summary: <app-emulation/virtualbox-{5.0.32,5.1.14}: multiple vulnerabilities (OCPUJAN2...
Status: RESOLVED FIXED
Alias: CVE-2016-5545, CVE-2017-3290, CVE-2017-3316, CVE-2017-3332
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/sec...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-29 22:57 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-02-14 13:09 UTC (History)
3 users (show)

See Also:
Package list:
=app-emulation/virtualbox-5.0.32 =app-emulation/virtualbox-additions-5.0.32 =app-emulation/virtualbox-bin-5.0.32.112930 =app-emulation/virtualbox-extpack-oracle-5.0.32.112930 =app-emulation/virtualbox-guest-additions-5.0.32 =app-emulation/virtualbox-modules-5.0.32 =x11-drivers/xf86-video-virtualbox-5.0.32
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-29 22:57:17 UTC 
Incoming CVE details.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 22:59:29 UTC 
CVE-2017-3332 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3332):
  Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
  (subcomponent: VirtualBox SVGA Emulation). Supported versions that are
  affected are VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily
  exploitable vulnerability allows low privileged attacker with logon to the
  infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM
  VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may
  significantly impact additional products. Successful attacks of this
  vulnerability can result in unauthorized creation, deletion or modification
  access to critical data or all Oracle VM VirtualBox accessible data and
  unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of Oracle VM VirtualBox. CVSS v3.0 Base Score 8.4 (Integrity
  and Availability impacts).

CVE-2017-3316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3316):
  Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
  (subcomponent: GUI). Supported versions that are affected are VirtualBox
  prior to 5.0.32 and prior to 5.1.14. Easily exploitable vulnerability allows
  high privileged attacker with network access via multiple protocols to
  compromise Oracle VM VirtualBox. Successful attacks require human
  interaction from a person other than the attacker and while the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result in
  takeover of Oracle VM VirtualBox. CVSS v3.0 Base Score 8.4 (Confidentiality,
  Integrity and Availability impacts).

CVE-2017-3290 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3290):
  Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
  (subcomponent: Shared Folder). Supported versions that are affected are
  VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily exploitable
  vulnerability allows high privileged attacker with logon to the
  infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM
  VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may
  significantly impact additional products. Successful attacks of this
  vulnerability can result in unauthorized creation, deletion or modification
  access to critical data or all Oracle VM VirtualBox accessible data and
  unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of Oracle VM VirtualBox. CVSS v3.0 Base Score 7.9 (Integrity
  and Availability impacts).
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-29 23:03:55 UTC 
CVE-2016-5545:

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: GUI). Supported versions that are affected are VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS v3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts).
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-29 23:04:37 UTC 
@ Maintainer(s): Can we start stabilization of =app-emulation/virtualbox-5.0.32?
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-29 23:37:55 UTC 
Arches please test and mark stable the following list of packages:

=app-emulation/virtualbox-5.0.32
=app-emulation/virtualbox-additions-5.0.32
=app-emulation/virtualbox-bin-5.0.32.112930
=app-emulation/virtualbox-extpack-oracle-5.0.32.112930
=app-emulation/virtualbox-guest-additions-5.0.32
=app-emulation/virtualbox-modules-5.0.32
=x11-drivers/xf86-video-virtualbox-5.0.32

with target KEYWORDS:

amd64 x86
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-31 12:32:22 UTC 
Stable on amd64.
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-12 15:46:22 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 02:06:23 UTC 
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop <app-emulation/virtualbox*-{5.0.32,5.1.14}!
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-02-14 12:43:21 UTC 
This issue was resolved and addressed in
 GLSA 201702-08 at https://security.gentoo.org/glsa/201702-08
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-14 12:45:49 UTC 
Re-opening for cleanup.
Comment 10 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-02-14 12:58:27 UTC 
commit 1c5f318fdda1e6639e8b4eb228106904c077ff22
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Feb 14 13:56:35 2017

    virtualbox packages: Security cleanup (bug #607674).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-14 13:09:07 UTC 
@ Maintainer(s): Thank you.

All done, repository is clean.