Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 803134 (CVE-2021-2409, CVE-2021-2442, CVE-2021-2443, CVE-2021-2454) - <app-emulation/virtualbox-6.1.24: multiple vulnerabilties (CVE-2021-{2409,2442,2443,2454})
Summary: <app-emulation/virtualbox-6.1.24: multiple vulnerabilties (CVE-2021-{2409,244...
Status: RESOLVED FIXED
Alias: CVE-2021-2409, CVE-2021-2442, CVE-2021-2443, CVE-2021-2454
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
URL: https://www.oracle.com/security-alert...
Whiteboard: B1 [glsa+]
Keywords:
: 803203 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-07-20 23:44 UTC by John Helmert III
Modified: 2022-08-31 23:39 UTC (History)
4 users (show)

See Also:
Package list:
app-emulation/virtualbox-6.1.24 amd64 app-emulation/virtualbox-modules-6.1.24 amd64 app-emulation/virtualbox-additions-6.1.24 amd64 app-emulation/virtualbox-extpack-oracle-6.1.24 amd64 app-emulation/virtualbox-guest-additions-6.1.24
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-20 23:44:55 UTC
CVEs apparently not public yet, but worst is CVSS 8.6. Fixes in 6.1.24, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-21 09:47:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3b158a36ef8cc038a9126b6cab7f7e3c6f9770a

commit a3b158a36ef8cc038a9126b6cab7f7e3c6f9770a
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-07-21 08:59:17 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-07-21 09:47:45 +0000

    app-emulation/virtualbox*: Bump to version 6.1.24
    
    Bug: https://bugs.gentoo.org/803134
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-emulation/virtualbox-additions/Manifest        |   1 +
 .../virtualbox-additions-6.1.24.ebuild             |  34 ++
 app-emulation/virtualbox-extpack-oracle/Manifest   |   1 +
 .../virtualbox-extpack-oracle-6.1.24.ebuild        |  41 ++
 app-emulation/virtualbox-guest-additions/Manifest  |   1 +
 .../virtualbox-guest-additions-6.1.24.ebuild       | 221 +++++++++
 app-emulation/virtualbox-modules/Manifest          |   1 +
 .../virtualbox-modules-6.1.24.ebuild               |  55 +++
 app-emulation/virtualbox/Manifest                  |   1 +
 app-emulation/virtualbox/virtualbox-6.1.24.ebuild  | 502 +++++++++++++++++++++
 10 files changed, 858 insertions(+)
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2021-07-21 11:17:29 UTC
*** Bug 803203 has been marked as a duplicate of this bug. ***
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:20:46 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:28:52 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:36:49 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:44:51 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:52:55 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:56:50 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:00:50 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:09:08 UTC Comment hidden (obsolete)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 06:13:23 UTC
Please stabilize.
Comment 12 NATTkA bot gentoo-dev 2021-08-07 06:16:30 UTC Comment hidden (obsolete)
Comment 13 Frank Krömmelbein 2021-08-09 22:48:47 UTC
The following packages should also be stabilized then:

app-emulation/virtualbox-additions-6.1.24
app-emulation/virtualbox-extpack-oracle-6.1.24
app-emulation/virtualbox-guest-additions-6.1.24
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-09 22:50:45 UTC
(In reply to Frank Krömmelbein from comment #13)
> The following packages should also be stabilized then:
> 
> app-emulation/virtualbox-additions-6.1.24
> app-emulation/virtualbox-extpack-oracle-6.1.24
> app-emulation/virtualbox-guest-additions-6.1.24

Cheers Frank!
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-09 22:53:06 UTC
CVE-2021-2454 seems especially problematic.
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 01:07:30 UTC
x86 done
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-25 16:14:51 UTC
amd64 done

all arches done
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-26 19:32:09 UTC
Please cleanup.
Comment 19 NATTkA bot gentoo-dev 2021-11-06 20:56:40 UTC
Unable to check for sanity:

> no match for package: app-emulation/virtualbox-6.1.24
Comment 20 Larry the Git Cow gentoo-dev 2022-08-31 23:37:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0896f6d0ef51a24e9d845d2ac349c6bf98fadb0b

commit 0896f6d0ef51a24e9d845d2ac349c6bf98fadb0b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-31 23:36:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-31 23:37:06 +0000

    [ GLSA 202208-36 ] Oracle VirtualBox: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/785445
    Bug: https://bugs.gentoo.org/803134
    Bug: https://bugs.gentoo.org/820425
    Bug: https://bugs.gentoo.org/831440
    Bug: https://bugs.gentoo.org/839990
    Bug: https://bugs.gentoo.org/859391
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-36.xml | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)