diff -u virtualbox-ose-4.0.4-dfsg/debian/changelog virtualbox-ose-4.0.4-dfsg/debian/changelog
--- virtualbox-ose-4.0.4-dfsg/debian/changelog
+++ virtualbox-ose-4.0.4-dfsg/debian/changelog
@@ -1,3 +1,11 @@
+virtualbox-ose (4.0.4-dfsg-1ubuntu4.1) natty-security; urgency=low
+
+ * SECURITY UPDATE: possible arbitrary code execution on the host (LP: #816874)
+ - debian/patches/31-CVE-2011-2305.patch: patch from upstream
+ - CVE-2011-2305
+
+ -- Felix Geyer Wed, 27 Jul 2011 11:45:28 +0200
+
 virtualbox-ose (4.0.4-dfsg-1ubuntu4) natty; urgency=low
 
 * Fix build failures of guest kernel modules with kernel 2.6.39-rc1.
diff -u virtualbox-ose-4.0.4-dfsg/debian/patches/series virtualbox-ose-4.0.4-dfsg/debian/patches/series
--- virtualbox-ose-4.0.4-dfsg/debian/patches/series
+++ virtualbox-ose-4.0.4-dfsg/debian/patches/series
@@ -14,0 +15 @@
+31-CVE-2011-2305.patch
only in patch2:
unchanged:
--- virtualbox-ose-4.0.4-dfsg.orig/debian/patches/31-CVE-2011-2305.patch
+++ virtualbox-ose-4.0.4-dfsg/debian/patches/31-CVE-2011-2305.patch
@@ -0,0 +1,26 @@
+Description: crOpenGL: strict offset check
+Origin: upstream, http://www.virtualbox.org/changeset/37432
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/816874
+
+Index: trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp
+===================================================================
+--- trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp (revision 36846)
++++ trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp (revision 37432)
+@@ -487,4 +487,10 @@
+ if (pBuffer->uiId == iBuffer)
+ {
++ if (pBuffer->uiSize!=cbBufferSize)
++ {
++ LogRel(("SHARED_CROPENGL svcGetBuffer: invalid buffer(%i) size %i instead of %i\n",
++ iBuffer, pBuffer->uiSize, cbBufferSize));
++ return NULL;
++ }
+ return pBuffer;
+ }
+@@ -819,5 +825,5 @@
+ /* Execute the function. */
+ CRVBOXSVCBUFFER_t *pSvcBuffer = svcGetBuffer(iBuffer, cbBufferSize);
+- if (!pSvcBuffer || ui32Offset+cbBuffer>cbBufferSize)
++ if (!pSvcBuffer || ((uint64_t)ui32Offset+cbBuffer)>cbBufferSize)
+ {
+ rc = VERR_INVALID_PARAMETER;
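Review bot: The LogRel added in the first inner hunk prints `pBuffer->uiSize` and `cbBufferSize` with `%i`; if those are unsigned, as the `ui` prefix suggests, `%u` is the matching conversion and a size above INT_MAX would otherwise be logged as a negative number. Both inner hunks are fragments of functions (svcGetBuffer and the caller around line 819) whose bodies lie outside this patch, so the types of `cbBuffer` and `cbBufferSize` cannot be confirmed from here. The widening `(uint64_t)ui32Offset+cbBuffer` is what makes the offset check strict, yet the new line carries no comment saying so; a one-liner such as `/* widen before adding: a 32-bit offset+length sum could wrap and pass the bound */` would keep a later cleanup from dropping the cast. If the buffer id and sizes arrive from the guest, as the advisory text implies, each rejected lookup now writes a release-log line, so a rate-limited log variant, where the tree provides one, would bound how much a misbehaving guest can add to the host log.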