Bug 10736 - virtualbox new security issue CVE-2013-3792

Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/560030/
Whiteboard: MGA2TOO MGA3-64-OK MGA2-64-OK MGA3-3...
Keywords: validated_update
Reported: 2013-07-08 13:39 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
Source RPM: virtualbox-4.2.16-1.mga3

Description David Walser 2013-07-08 13:39:22 CEST
A CVE has been assigned for a problem fixed in VirtualBox 4.2.16, where the virtio network driver could hang or crash the host.  This is apparently some sort of denial of service:
http://openwall.com/lists/oss-security/2013/07/05/15

Comment 1 Thomas Backlund 2013-07-08 15:35:14 CEST
Yep, I'm aware of it, which is why I fixed and pushed the cauldron build today

I will push 4.2.16 for both mga2 and mga3 as soon as core kernel update is validated / pushed on mga3
Comment 2 Thomas Backlund 2013-07-18 19:40:05 CEST
Advisory:
This virtualbox update provides the 4.2.16 maintenance release,
which fixes the following security issue:

Thomas Dreibholz has discovered a vulnerability in Oracle VirtualBox,
which can be exploited by malicious, local users in a guest virtual
machine to cause a DoS (Denial of Service).
The vulnerability is caused due to an unspecified error and can be
exploited to render the host network connection and the virtual machine
instance unresponsive or locking the host by issuing e.g. the "tracepath"
command.
Successful exploitation requires the target virtual machine to be
equipped with a paravirtualised network adapter (virtio-net).
(CVE-2013-3792)

For other changes in this update, see the referenced changelog.

References:
https://www.virtualbox.org/wiki/Changelog
https://www.virtualbox.org/ticket/11863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3792
https://bugs.mageia.org/show_bug.cgi?id=10736



mga2/SRPMS:
kmod-vboxadditions-4.2.16-1.mga2.src.rpm
kmod-virtualbox-4.2.16-1.mga2.src.rpm
virtualbox-4.2.16-1.mga2.src.rpm

mga2/i586:
dkms-vboxadditions-4.2.16-1.mga2.i586.rpm
dkms-virtualbox-4.2.16-1.mga2.i586.rpm
python-virtualbox-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-3.4.52-desktop-1.mga2-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-3.4.52-desktop586-1.mga2-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-3.4.52-netbook-1.mga2-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-3.4.52-server-1.mga2-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-desktop586-latest-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-desktop-latest-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-netbook-latest-4.2.16-1.mga2.i586.rpm
vboxadditions-kernel-server-latest-4.2.16-1.mga2.i586.rpm
virtualbox-4.2.16-1.mga2.i586.rpm
virtualbox-devel-4.2.16-1.mga2.i586.rpm
virtualbox-guest-additions-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-3.4.52-desktop-1.mga2-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-3.4.52-desktop586-1.mga2-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-3.4.52-netbook-1.mga2-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-3.4.52-server-1.mga2-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-desktop586-latest-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-desktop-latest-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-netbook-latest-4.2.16-1.mga2.i586.rpm
virtualbox-kernel-server-latest-4.2.16-1.mga2.i586.rpm
x11-driver-video-vboxvideo-4.2.16-1.mga2.i586.rpm

mga2/x86_64:
dkms-vboxadditions-4.2.16-1.mga2.x86_64.rpm
dkms-virtualbox-4.2.16-1.mga2.x86_64.rpm
python-virtualbox-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-3.4.52-desktop-1.mga2-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-3.4.52-netbook-1.mga2-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-3.4.52-server-1.mga2-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-netbook-latest-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-server-latest-4.2.16-1.mga2.x86_64.rpm
virtualbox-4.2.16-1.mga2.x86_64.rpm
virtualbox-devel-4.2.16-1.mga2.x86_64.rpm
virtualbox-guest-additions-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-3.4.52-desktop-1.mga2-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-3.4.52-netbook-1.mga2-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-3.4.52-server-1.mga2-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-desktop-latest-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-netbook-latest-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-server-latest-4.2.16-1.mga2.x86_64.rpm
x11-driver-video-vboxvideo-4.2.16-1.mga2.x86_64.rpm



mga3/SRPMS:
kmod-vboxadditions-4.2.16-1.mga3.src.rpm
kmod-virtualbox-4.2.16-1.mga3.src.rpm
virtualbox-4.2.16-1.mga3.src.rpm

mga3/i586:
dkms-vboxadditions-4.2.16-1.mga3.noarch.rpm
dkms-virtualbox-4.2.16-1.mga3.noarch.rpm
python-virtualbox-4.2.16-1.mga3.i586.rpm
vboxadditions-kernel-3.8.13.4-desktop-1.mga3-4.2.16-1.mga3.i586.rpm
vboxadditions-kernel-3.8.13.4-desktop586-1.mga3-4.2.16-1.mga3.i586.rpm
vboxadditions-kernel-3.8.13.4-server-1.mga3-4.2.16-1.mga3.i586.rpm
vboxadditions-kernel-desktop586-latest-4.2.16-1.mga3.i586.rpm
vboxadditions-kernel-desktop-latest-4.2.16-1.mga3.i586.rpm
vboxadditions-kernel-server-latest-4.2.16-1.mga3.i586.rpm
virtualbox-4.2.16-1.mga3.i586.rpm
virtualbox-devel-4.2.16-1.mga3.i586.rpm
virtualbox-guest-additions-4.2.16-1.mga3.i586.rpm
virtualbox-kernel-3.8.13.4-desktop-1.mga3-4.2.16-1.mga3.i586.rpm
virtualbox-kernel-3.8.13.4-desktop586-1.mga3-4.2.16-1.mga3.i586.rpm
virtualbox-kernel-3.8.13.4-server-1.mga3-4.2.16-1.mga3.i586.rpm
virtualbox-kernel-desktop586-latest-4.2.16-1.mga3.i586.rpm
virtualbox-kernel-desktop-latest-4.2.16-1.mga3.i586.rpm
virtualbox-kernel-server-latest-4.2.16-1.mga3.i586.rpm
x11-driver-video-vboxvideo-4.2.16-1.mga3.i586.rpm

mga3/x86_64:
dkms-vboxadditions-4.2.16-1.mga3.noarch.rpm
dkms-virtualbox-4.2.16-1.mga3.noarch.rpm
python-virtualbox-4.2.16-1.mga3.x86_64.rpm
vboxadditions-kernel-3.8.13.4-desktop-1.mga3-4.2.16-1.mga3.x86_64.rpm
vboxadditions-kernel-3.8.13.4-server-1.mga3-4.2.16-1.mga3.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.2.16-1.mga3.x86_64.rpm
vboxadditions-kernel-server-latest-4.2.16-1.mga3.x86_64.rpm
virtualbox-4.2.16-1.mga3.x86_64.rpm
virtualbox-devel-4.2.16-1.mga3.x86_64.rpm
virtualbox-guest-additions-4.2.16-1.mga3.x86_64.rpm
virtualbox-kernel-3.8.13.4-desktop-1.mga3-4.2.16-1.mga3.x86_64.rpm
virtualbox-kernel-3.8.13.4-server-1.mga3-4.2.16-1.mga3.x86_64.rpm
virtualbox-kernel-desktop-latest-4.2.16-1.mga3.x86_64.rpm
virtualbox-kernel-server-latest-4.2.16-1.mga3.x86_64.rpm
x11-driver-video-vboxvideo-4.2.16-1.mga3.x86_64.rpm
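The advisory above names two preconditions for CVE-2013-3792: the host runs a VirtualBox older than the 4.2.16 fix, and the guest has a virtio-net adapter. The script below is an added example (not code from this bug report, from Mageia or from VirtualBox) that audits a host for exactly those two conditions. It assumes that `VBoxManage --version` prints a string of the form "4.2.16r86992" and that `VBoxManage showvminfo <vm> --machinereadable` prints one `nicN="<mode>"` line per adapter plus `nictypeN="<type>"` for the enabled ones; the VM info used in the demo is a constructed sample, so the script runs without VirtualBox installed.

```shell
#!/bin/sh
# Added example, not code from the Mageia bug or from VirtualBox: a small audit
# for the conditions the CVE-2013-3792 advisory names. It (1) decides whether
# the installed VirtualBox is at or past the 4.2.16 fix and (2) lists which
# adapters of a VM are virtio-net, since only guests with that adapter type
# can trigger the host hang.
#
# Assumptions (check against your release): `VBoxManage --version` prints a
# string like "4.2.16r86992", and `VBoxManage showvminfo <vm> --machinereadable`
# prints one nicN="<mode>" line per adapter plus nictypeN="<type>" for the
# enabled ones.

FIXED_VERSION="4.2.16"

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# The rNNNNN build suffix VBoxManage appends is stripped first.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/r.*$/, "", a); sub(/r.*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# vbox_status VERSION: print "fixed" or "vulnerable" for a VBoxManage version string.
vbox_status() {
    if version_ge "$1" "$FIXED_VERSION"; then echo fixed; else echo vulnerable; fi
}

# virtio_nics: read showvminfo --machinereadable output on stdin and print the
# slot numbers of enabled adapters whose type is virtio, one per line.
virtio_nics() {
    awk -F'=' '
        /^nic[0-9]+=/     { n = substr($1, 4); gsub(/"/, "", $2); mode[n] = $2 }
        /^nictype[0-9]+=/ { n = substr($1, 8); gsub(/"/, "", $2); type[n] = $2 }
        END {
            for (n in type)
                if (type[n] == "virtio" && mode[n] != "none") print n
        }' | sort -n
}

# audit_live: run both checks against the real installation (only if present).
audit_live() {
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found"; return 1; }
    ver=$(VBoxManage --version)
    echo "VirtualBox $ver: $(vbox_status "$ver") for CVE-2013-3792"
    # `VBoxManage list vms` prints one line per VM: "name" {uuid}
    VBoxManage list vms | sed 's/.*{\(.*\)}/\1/' | while read -r uuid; do
        slots=$(VBoxManage showvminfo "$uuid" --machinereadable | virtio_nics | tr '\n' ' ')
        [ -n "$slots" ] && echo "VM $uuid has virtio-net on adapter(s): $slots"
    done
}

# Constructed sample of showvminfo --machinereadable output, used for the demo
# below so the script runs without VirtualBox installed.
SAMPLE_VMINFO='name="mga3-guest"
VMState="poweroff"
nic1="nat"
nictype1="virtio"
nic2="bridged"
nictype2="82540EM"
nic3="none"
nic4="intnet"
nictype4="virtio"'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "4.2.12r84980 is $(vbox_status 4.2.12r84980); 4.2.16r86992 is $(vbox_status 4.2.16r86992)"
    echo "sample VM virtio adapters: $(printf '%s\n' "$SAMPLE_VMINFO" | virtio_nics | tr '\n' ' ')"
fi
```

Run it with `--live` on a host to query the real installation; without arguments it only exercises the constructed sample. A host that reports "fixed" but still has virtio-net guests is not at risk from this CVE, while a "vulnerable" host should treat every VM the script lists as one whose local users can hang the host until the 4.2.16 packages above are installed.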
Comment 3 Dave Hodgins 2013-07-19 22:05:35 CEST
Advisory 10736.adv added to svn
Comment 4 David GEIGER 2013-07-20 09:01:39 CEST
Testing complete mga3_64

Ok for me, nothing to report and no regression with this update.
Comment 5 David GEIGER 2013-07-20 11:55:14 CEST
Testing complete mga2_64

Ok for me, nothing to report and no regression with this update.

mga2/x86_64:
dkms-virtualbox-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-3.4.52-desktop-1.mga2-4.2.16-1.mga2.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.2.16-1.mga2.x86_64.rpm
virtualbox-4.2.16-1.mga2.x86_64.rpm
virtualbox-guest-additions-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-3.4.52-desktop-1.mga2-4.2.16-1.mga2.x86_64.rpm
virtualbox-kernel-desktop-latest-4.2.16-1.mga2.x86_64.rpm
x11-driver-video-vboxvideo-4.2.16-1.mga2.x86_64.rpm


mga3/x86_64:
dkms-virtualbox-4.2.16-1.mga3.noarch.rpm
vboxadditions-kernel-3.8.13.4-desktop-1.mga3-4.2.16-1.mga3.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.2.16-1.mga3.x86_64.rpm
virtualbox-4.2.16-1.mga3.x86_64.rpm
virtualbox-guest-additions-4.2.16-1.mga3.x86_64.rpm
virtualbox-kernel-3.8.13.4-desktop-1.mga3-4.2.16-1.mga3.x86_64.rpm
virtualbox-kernel-desktop-latest-4.2.16-1.mga3.x86_64.rpm
x11-driver-video-vboxvideo-4.2.16-1.mga3.x86_64.rpm
Comment 6 William Kenney 2013-07-20 20:06:54 CEST
MGA3-32-OK

on real hardware

virtualbox-4.2.12-2.mga3.i586.rpm installed then launched from desktop icon.

Created and launched a Puppy Linux Slacko 5.5-6G client using the Live-CD iso

virtualbox-4.2.16-1.mga3.i586.rpm installed from updates_testing

Successfully relaunched the Puppy Linux Slacko 5.5-6G client using the Live-CD iso

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvell Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200

Update validated

Updated packages in core/updates_testing:
=================================

virtualbox-4.2.16-1.mga3.i586.rpm

from SRPMS:
virtualbox-4.2.16-1.mga3.src.rpm
Comment 7 David Walser 2013-07-20 22:11:37 CEST
It doesn't look like anyone has tested Mageia 2 i586 yet, so it's not validated quite yet.  Thank you for testing.
Comment 8 William Kenney 2013-07-20 22:12:44 CEST
MGA2-32-OK

on real hardware

virtualbox-4.1.12-1.mga2.i586.rpm installed then launched from desktop icon.

Created and launched a Puppy Linux Slacko 5.5-6G client using the Live-CD iso

virtualbox-4.2.16-1.mga2.i586.rpm installed from updates_testing

Successfully relaunched the Puppy Linux Slacko 5.5-6G client using the Live-CD iso

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvell Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200

Update validated

Updated packages in core/updates_testing:
=================================

virtualbox-4.2.16-1.mga2.i586.rpm

from SRPMS:
virtualbox-4.2.16-1.mga2.src.rpm
Comment 9 William Kenney 2013-07-20 22:13:46 CEST
Good to go
Comment 10 David Walser 2013-07-20 22:14:45 CEST
Thanks, now the update really is validated.

Adding the keyword, as "Advisory 10736.adv added to svn" by Dave Hodgins.
Comment 11 Nicolas Vigier 2013-07-21 12:02:04 CEST
http://advisories.mageia.org/MGASA-2013-0222.html