Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 785445 (CVE-2021-2145, CVE-2021-2250, CVE-2021-2264, CVE-2021-2266, CVE-2021-2279, CVE-2021-2280, CVE-2021-2281, CVE-2021-2282, CVE-2021-2283, CVE-2021-2284, CVE-2021-2285, CVE-2021-2286, CVE-2021-2287, CVE-2021-2291, CVE-2021-2296, CVE-2021-2297, CVE-2021-2306, CVE-2021-2309, CVE-2021-2310, CVE-2021-2312) - <app-emulation/virtualbox-6.1.20: multiple vulnerabilities (CPU April 2021)
Summary: <app-emulation/virtualbox-6.1.20: multiple vulnerabilities (CPU April 2021)
Status: RESOLVED FIXED
Alias: CVE-2021-2145, CVE-2021-2250, CVE-2021-2264, CVE-2021-2266, CVE-2021-2279, CVE-2021-2280, CVE-2021-2281, CVE-2021-2282, CVE-2021-2283, CVE-2021-2284, CVE-2021-2285, CVE-2021-2286, CVE-2021-2287, CVE-2021-2291, CVE-2021-2296, CVE-2021-2297, CVE-2021-2306, CVE-2021-2309, CVE-2021-2310, CVE-2021-2312
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://www.oracle.com/security-alert...
Whiteboard: B1 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-24 18:53 UTC by John Helmert III
Modified: 2022-08-31 23:38 UTC (History)
3 users (show)

See Also:
Package list:
app-emulation/virtualbox-6.1.20-r1 amd64 app-emulation/virtualbox-additions-6.1.20 amd64 app-emulation/virtualbox-extpack-oracle-6.1.20.143896 amd64 app-emulation/virtualbox-guest-additions-6.1.20 app-emulation/virtualbox-modules-6.1.20 amd64
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-24 18:53:29 UTC
Multiple vulnerabilities reported for Virtualbox in Oracle's April 2021 CPU, the most severe of which has a CVSS score of 8.4.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-24 18:55:11 UTC
Fixes apparently in 6.1.20, please stabilize.
Comment 2 NATTkA bot gentoo-dev 2021-04-24 19:00:23 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-04-24 19:56:25 UTC Comment hidden (obsolete)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-30 23:34:37 UTC
amd64 done
Comment 5 Antti Mäkelä 2021-05-01 17:27:24 UTC
Please stabilize 6.1.22 instead of 6.1.20. 6.1.20 has regression bugs (storage and GUI), and therefore 6.1.22 was released relatively quickly after 6.1.20.

See https://www.virtualbox.org/wiki/Changelog-6.1#v22
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-06 21:21:36 UTC
x86 done

all arches done
Comment 7 NATTkA bot gentoo-dev 2021-07-21 09:48:33 UTC
Unable to check for sanity:

> no match for package: app-emulation/virtualbox-6.1.20-r1
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-28 22:48:20 UTC
CVE-2021-2264 looks like a root privilege escalation.
Comment 9 Larry the Git Cow gentoo-dev 2022-08-31 23:37:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0896f6d0ef51a24e9d845d2ac349c6bf98fadb0b

commit 0896f6d0ef51a24e9d845d2ac349c6bf98fadb0b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-31 23:36:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-31 23:37:06 +0000

    [ GLSA 202208-36 ] Oracle VirtualBox: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/785445
    Bug: https://bugs.gentoo.org/803134
    Bug: https://bugs.gentoo.org/820425
    Bug: https://bugs.gentoo.org/831440
    Bug: https://bugs.gentoo.org/839990
    Bug: https://bugs.gentoo.org/859391
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-36.xml | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)