Multiple security vulnerabilities

Bug #1307725 reported by Felix Geyer on 2014-04-14
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
virtualbox (Ubuntu) | | Undecided | Unassigned |
Precise | | Undecided | Unassigned |
Quantal | | Undecided | Unassigned |
Saucy | | Undecided | Unassigned |
Trusty | | Undecided | Unassigned |

Bug Description

VirtualBox has accumulated multiple security vulnerabilities over time.
This is a bug to track the progress on fixing them (at least in precise).

Felix Geyer (debfx) on 2014-04-14
Changed in virtualbox (Ubuntu):
status: New → Invalid
Felix Geyer (debfx) wrote :

Attached is a debdiff for precise that basically takes all the security fixes from the yet-unreleased wheezy-security 4.1.18-dfsg-2+deb7u3 package.
I have performed basic functionality testing (booting Grml into graphical mode in a VM).

Marc Deslauriers (mdeslaur) wrote :

ACK on the precise debdiff, it is building now and will be released shortly.

Thanks!

Changed in virtualbox (Ubuntu Saucy):
status: New → Confirmed
Changed in virtualbox (Ubuntu Trusty):
status: Invalid → Confirmed
Changed in virtualbox (Ubuntu Quantal):
status: New → Confirmed
Changed in virtualbox (Ubuntu Precise):
status: New → Confirmed
status: Confirmed → Fix Committed
Felix Geyer (debfx) wrote :

Thanks, here is a debdiff for saucy.

Felix Geyer (debfx) wrote :

trusty has the latest VirtualBox release which is not affected by these vulnerabilities.

Changed in virtualbox (Ubuntu Trusty):
status: Confirmed → Invalid
Marc Deslauriers (mdeslaur) wrote :

Thanks for the saucy debdiff, ACK.

Uploading to the security ppa now, and will release both it and precise later today.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.1.12-dfsg-2ubuntu0.6

---------------
virtualbox (4.1.12-dfsg-2ubuntu0.6) precise-security; urgency=medium

  * SECURITY UPDATE: Virtual graphics device user vulnerability (LP: #1307725)
    - debian/patches/CVE-2013-0420.patch: backport upstream patch
    - CVE-2013-0420
  * SECURITY UPDATE: Apply fixes from the January 2014 security advisory
    - debian/patches/38-security-fixes-2014-01.patch: backport upstream fixes
    - CVE-2013-5892, CVE-2014-0407, CVE-2014-0406, CVE-2014-0404
  * SECURITY UPDATE: Fix memory corruption vulnerabilities in 3D acceleration
    - debian/patches/CVE-2014-0981.patch, debian/patches/CVE-2014-0983.patch:
      backport fixes from version 4.0.24
    - CVE-2014-0981, CVE-2014-0983
 -- Felix Geyer <email address hidden> Mon, 14 Apr 2014 17:37:39 +0200

Changed in virtualbox (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.2.16-dfsg-3ubuntu0.1

---------------
virtualbox (4.2.16-dfsg-3ubuntu0.1) saucy-security; urgency=medium

  * SECURITY UPDATE: Apply fixes from the January 2014 security advisory
    - debian/patches/38-security-fixes-2014-01.patch: backport upstream fixes
    - CVE-2013-5892, CVE-2014-0407, CVE-2014-0406, CVE-2014-0404
    - LP: #1307725
  * SECURITY UPDATE: Fix memory corruption vulnerabilities in 3D acceleration
    - debian/patches/CVE-2014-0981.patch, debian/patches/CVE-2014-0983.patch:
      backport fixes from version 4.2.24
    - CVE-2014-0981, CVE-2014-0983
 -- Felix Geyer <email address hidden> Wed, 16 Apr 2014 10:14:18 +0200

Changed in virtualbox (Ubuntu Saucy):
status: Confirmed → Fix Released

Closing as invalid for quantal, EOL since 18 April 2014

Changed in virtualbox (Ubuntu Quantal):
status: Confirmed → Invalid
This report contains Public Security information
Everyone can see this security related information.
