virtualbox multiple security vulnerabilities

Bug #1413603 reported by Gianfranco Costamagna
Affects: virtualbox (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

debdiff attached
CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

Gianfranco Costamagna (costamagnagianfranco) wrote:
description: updated

Gianfranco Costamagna (costamagnagianfranco) wrote:

utopic patch

Gianfranco Costamagna (costamagnagianfranco) wrote:

Please wait until the patches are accepted into Debian.

Precise is in proposed and will be released tomorrow; trusty needs some more days. I made them on top of the proposed pockets.

Gianfranco Costamagna (costamagnagianfranco) wrote:

vivid is not affected.

Gianfranco Costamagna (costamagnagianfranco) wrote:
information type: Private Security → Public Security

Gianfranco Costamagna (costamagnagianfranco) wrote:

utopic debdiff attached, rebased on debian upload -2.

There is some noise deleted too.

Gianfranco Costamagna (costamagnagianfranco) wrote:

can anybody please upload utopic?

Seth Arnold (seth-arnold) wrote:

The utopic-debdiff-2 changes are primarily quilt-related rather than the package sources. Can you please confirm if the other changes are correct? (I don't mind filtering out the quilt changes by hand, but I'm worried that the patch isn't complete / correct if quilt changes have crept in.)

Please note that we like to keep all our security update changelog entries standardized; the template is at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Thanks

Gianfranco Costamagna (costamagnagianfranco) wrote:

Hi Seth, the patch is good; the only real change is setting the two variables in the rules file, since all the CVEs in utopic are related to experimental code not yet ready for usage (cf. upstream, as Frank said on the Debian bug).

Please read the Debian bug, it has the full explanation and the testing done. The other CVEs don't affect utopic, but only < 4.3 releases.

Gianfranco Costamagna (costamagnagianfranco) wrote:

(For the template, I'll keep it in mind on my next Debian security upload and cherry-pick it there.)

Gianfranco Costamagna (costamagnagianfranco) wrote:

Hi Seth:
precise moved from proposed to updates, for me precise and utopic are good to go.

Gianfranco Costamagna (costamagnagianfranco) wrote:

also trusty moved to updates.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package virtualbox - 4.3.18-dfsg-2ubuntu1

---------------
virtualbox (4.3.18-dfsg-2ubuntu1) utopic-security; urgency=medium

  * SECURITY UPDATE: multiple flaws in experimental video code (LP: #1413603)
    (Standardizing the lower changelog entry. -- Seth Arnold)
    - CVE-2014-6595
    - CVE-2014-6590
    - CVE-2014-6589
    - CVE-2014-6588
    - CVE-2015-0427
 -- Gianfranco Costamagna <email address hidden> Thu, 22 Jan 2015 14:48:07 +0100

Changed in virtualbox (Ubuntu):
status: New → Fix Released

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package virtualbox - 4.1.12-dfsg-2ubuntu0.9

---------------
virtualbox (4.1.12-dfsg-2ubuntu0.9) precise-security; urgency=medium

  [ Seth Arnold standardizing the changelog entry ]
  * SECURITY UPDATE: multiple flaws (LP: #1413603)
     - debian/patches/CVE-2015-0418.patch
     - debian/patches/CVE-2015-0377.patch
     - CVE-2015-0377
     - CVE-2015-0418

  [ Frank Mehnert ]
  * fix security vulnerabilities (Closes: #775888)
     CVE-2015-0377, CVE-2015-0418
     - debian/patches/CVE-2015-0{377,418}.patch
 -- Gianfranco Costamagna <email address hidden> Thu, 22 Jan 2015 14:49:47 +0100

Changed in virtualbox (Ubuntu):
status: New → Fix Released

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package virtualbox - 4.3.10-dfsg-1ubuntu2

---------------
virtualbox (4.3.10-dfsg-1ubuntu2) trusty-security; urgency=high

  [ Seth Arnold standardizing the changelog entry ]
  * SECURITY UPDATE: multiple flaws in experimental video code (LP: #1413603)
    - CVE-2014-6595
    - CVE-2014-6590
    - CVE-2014-6589
    - CVE-2014-6588
    - CVE-2015-0427

  [ Frank Mehnert ]
  * d/rules: Disable experimental code by exporting
    VBOX_WITH_VMSVGA= VBOX_WITH_VMSVGA3D=
    this fixes CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
    CVE-2014-6588 and CVE-2015-0427. (Closes: #775888)
 -- Gianfranco Costamagna <email address hidden> Thu, 22 Jan 2015 10:51:40 +0100

Changed in virtualbox (Ubuntu):
status: New → Fix Released

Seth Arnold (seth-arnold) wrote:

Thanks Gianfranco!

Gianfranco Costamagna (costamagnagianfranco) wrote:

Thanks to you for fixing my debdiffs, caring and uploading!
