Multiple security vulnerabilities

Bug #1307725 reported by Felix Geyer
This bug affects 1 person
Affects              Status        Importance  Assigned to  Milestone
virtualbox (Ubuntu)  Invalid       Undecided   Unassigned
Precise              Fix Released  Undecided   Unassigned
Quantal              Invalid       Undecided   Unassigned
Saucy                Fix Released  Undecided   Unassigned
Trusty               Invalid       Undecided   Unassigned

Bug Description

VirtualBox has accumulated multiple security vulnerabilities over time.
This is a bug to track the progress on fixing them (at least in precise).

Felix Geyer (debfx)
Changed in virtualbox (Ubuntu):
status: New → Invalid
Felix Geyer (debfx) wrote :

Attached is a debdiff for precise that basically takes all the security fixes from the yet-unreleased wheezy-security 4.1.18-dfsg-2+deb7u3 package.
I have performed basic functionality testing (booting Grml into graphical mode in a VM).

Marc Deslauriers (mdeslaur) wrote :

ACK on the precise debdiff, it is building now and will be released shortly.

Thanks!

Changed in virtualbox (Ubuntu Saucy):
status: New → Confirmed
Changed in virtualbox (Ubuntu Trusty):
status: Invalid → Confirmed
Changed in virtualbox (Ubuntu Quantal):
status: New → Confirmed
Changed in virtualbox (Ubuntu Precise):
status: New → Confirmed
status: Confirmed → Fix Committed
Felix Geyer (debfx) wrote :

Thanks, here is a debdiff for saucy.

Felix Geyer (debfx) wrote :

trusty has the latest VirtualBox release which is not affected by these vulnerabilities.

Changed in virtualbox (Ubuntu Trusty):
status: Confirmed → Invalid
Marc Deslauriers (mdeslaur) wrote :

Thanks for the saucy debdiff, ACK.

Uploading to the security ppa now, and will release both it and precise later today.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.1.12-dfsg-2ubuntu0.6

---------------
virtualbox (4.1.12-dfsg-2ubuntu0.6) precise-security; urgency=medium

  * SECURITY UPDATE: Virtual graphics device user vulnerability (LP: #1307725)
    - debian/patches/CVE-2013-0420.patch: backport upstream patch
    - CVE-2013-0420
  * SECURITY UPDATE: Apply fixes from the January 2014 security advisory
    - debian/patches/38-security-fixes-2014-01.patch: backport upstream fixes
    - CVE-2013-5892, CVE-2014-0407, CVE-2014-0406, CVE-2014-0404
  * SECURITY UPDATE: Fix memory corruption vulnerabilities in 3D acceleration
    - debian/patches/CVE-2014-0981.patch, debian/patches/CVE-2014-0983.patch:
      backport fixes from version 4.0.24
    - CVE-2014-0981, CVE-2014-0983
 -- Felix Geyer <email address hidden> Mon, 14 Apr 2014 17:37:39 +0200

Changed in virtualbox (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.2.16-dfsg-3ubuntu0.1

---------------
virtualbox (4.2.16-dfsg-3ubuntu0.1) saucy-security; urgency=medium

  * SECURITY UPDATE: Apply fixes from the January 2014 security advisory
    - debian/patches/38-security-fixes-2014-01.patch: backport upstream fixes
    - CVE-2013-5892, CVE-2014-0407, CVE-2014-0406, CVE-2014-0404
    - LP: #1307725
  * SECURITY UPDATE: Fix memory corruption vulnerabilities in 3D acceleration
    - debian/patches/CVE-2014-0981.patch, debian/patches/CVE-2014-0983.patch:
      backport fixes from version 4.2.24
    - CVE-2014-0981, CVE-2014-0983
 -- Felix Geyer <email address hidden> Wed, 16 Apr 2014 10:14:18 +0200

Changed in virtualbox (Ubuntu Saucy):
status: Confirmed → Fix Released
Gianfranco Costamagna (costamagnagianfranco) wrote :

Closing as invalid for quantal, EOL since 18 April 2014

Changed in virtualbox (Ubuntu Quantal):
status: Confirmed → Invalid
This report contains Public Security information  
Everyone can see this security related information.
