Bug 714064 (CVE-2019-2926, CVE-2019-2944, CVE-2019-2984, CVE-2019-3002, CVE-2019-3005, CVE-2019-3017, CVE-2019-3021, CVE-2019-3026, CVE-2019-3028, CVE-2019-3031, CVE-2020-2674, CVE-2020-2678, CVE-2020-2681, CVE-2020-2682, CVE-2020-2689, CVE-2020-2690, CVE-2020-2691, CVE-2020-2692, CVE-2020-2693, CVE-2020-2698, CVE-2020-2702, CVE-2020-2703, CVE-2020-2704, CVE-2020-2705, CVE-2020-2725, CVE-2020-2726, CVE-2020-2727) - <app-emulation/virtualbox{-bin}-{5.2.36,6.0.16,6.1.2}: Multiple vulnerabilities (CVE-2019-{2926,2944,2984,3002,3005,3017,3021,3026,3028,3031},CVE-2020-{2674,2678,2681,2682,2689,2690,2691,2692,2693,2698,2701,2702,2703,2704,2705,2725,2726,2727,2742,2743})
Status: RESOLVED FIXED
Alias: CVE-2019-2926, CVE-2019-2944, CVE-2019-2984, CVE-2019-3002, CVE-2019-3005, CVE-2019-3017, CVE-2019-3021, CVE-2019-3026, CVE-2019-3028, CVE-2019-3031, CVE-2020-2674, CVE-2020-2678, CVE-2020-2681, CVE-2020-2682, CVE-2020-2689, CVE-2020-2690, CVE-2020-2691, CVE-2020-2692, CVE-2020-2693, CVE-2020-2698, CVE-2020-2702, CVE-2020-2703, CVE-2020-2704, CVE-2020-2705, CVE-2020-2725, CVE-2020-2726, CVE-2020-2727
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve blocked]
Keywords: STABLEREQ
Depends on: CVE-2020-2575, CVE-2020-2741, CVE-2020-2742, CVE-2020-2743, CVE-2020-2748, CVE-2020-2758, CVE-2020-2894, CVE-2020-2902, CVE-2020-2905, CVE-2020-2907, CVE-2020-2908, CVE-2020-2909, CVE-2020-2910, CVE-2020-2911, CVE-2020-2913, CVE-2020-2914, CVE-2020-2929, CVE-2020-2951, CVE-2020-2958, CVE-2020-2959
Blocks:
Reported: 2020-03-23 13:21 UTC by Sam James
Modified: 2021-01-12 17:57 UTC

See Also:
Package list:
app-emulation/virtualbox-5.2.36
app-emulation/virtualbox-modules-5.2.36
app-emulation/virtualbox-guest-additions-5.2.36
app-emulation/virtualbox-extpack-oracle-5.2.36.135684
app-emulation/virtualbox-bin-5.2.36.135684
app-emulation/virtualbox-additions-5.2.36
Runtime testing required: ---
nattka: sanity-check-


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-23 13:21:20 UTC
1) CVE-2020-2674

2) CVE-2020-2727

3) CVE-2020-2726

4) CVE-2020-2725

5) CVE-2020-2705

6) CVE-2020-2704

7) CVE-2020-2703

8) CVE-2020-2702

9) CVE-2020-2701

10) CVE-2020-2698

11) CVE-2020-2693

12) CVE-2020-2692

13) CVE-2020-2691

14) CVE-2020-2690

15) CVE-2020-2869

16) CVE-2020-2681

17) CVE-2020-2678

18) CVE-2019-3031

19) CVE-2019-3028

20) CVE-2019-3026

21) CVE-2019-3021

22) CVE-2019-3017

23) CVE-2019-3005

24) CVE-2019-3002

25) CVE-2019-2984

26) CVE-2019-2944

27) CVE-2019-2926

---
There are multiple security vulnerabilities here, one of the worst of which is CVE-2020-2678 (17):
"Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-23 13:23:35 UTC
@maintainer(s): the only vulnerable version still in tree is 5.2.32. Please cleanup this version.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-23 13:42:40 UTC
(In reply to sam_c (Security Padawan) from comment #1)
> @maintainer(s): the only vulnerable version still in tree is 5.2.32. Please
> cleanup this version.

Sorry, please advise if you're ready for stabilisation of a newer version, or call yourself.
Comment 3 Stabilization helper bot gentoo-dev 2020-03-25 22:00:34 UTC
An automated check of this bug failed - the following atom is unknown:

app-emulation/virtualbox-bin-5.2.36

Please verify the atom list.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-29 07:18:55 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:34:37 UTC
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 19:42:51 UTC
This issue was resolved and addressed in
 GLSA 202004-02 at https://security.gentoo.org/glsa/202004-02
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:43:25 UTC
Re-opening for remaining architectures.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-10 13:15:08 UTC
@x86: ping
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 00:04:43 UTC
CVE-2020-2743 (https://nvd.nist.gov/vuln/detail/CVE-2020-2743):
  Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization
  (component: Core). Supported versions that are affected are Prior to 5.2.36,
  prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows
  high privileged attacker with logon to the infrastructure where Oracle VM
  VirtualBox executes to compromise Oracle VM VirtualBox. While the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result in
  unauthorized access to critical data or complete access to all Oracle VM
  VirtualBox accessible data. CVSS 3.0 Base Score 6.0 (Confidentiality
  impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2020-2742 (https://nvd.nist.gov/vuln/detail/CVE-2020-2742):
  Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization
  (component: Core). Supported versions that are affected are Prior to 5.2.36,
  prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows
  high privileged attacker with logon to the infrastructure where Oracle VM
  VirtualBox executes to compromise Oracle VM VirtualBox. While the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result in
  takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality,
  Integrity and Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2020-2701 (https://nvd.nist.gov/vuln/detail/CVE-2020-2701):
  Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization
  (component: Core). Supported versions that are affected are Prior to 5.2.36,
  prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability
  allows high privileged attacker with logon to the infrastructure where
  Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result in
  takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality,
  Integrity and Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 10:52:02 UTC
Removing x86 from CC. This stabilisation bug has been made obsolete by bug 717626.
Comment 11 NATTkA bot gentoo-dev 2020-04-21 10:52:53 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 12 NATTkA bot gentoo-dev 2020-04-29 08:40:43 UTC
Unable to check for sanity:

> no match for package: app-emulation/virtualbox-5.2.36
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-01-12 17:57:39 UTC
This issue was resolved and addressed in
 GLSA 202101-09 at https://security.gentoo.org/glsa/202101-09
by GLSA coordinator Aaron Bauman (b-man).