Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Gianfranco Costamagna
Hi Aron,
can you please also follow up on squeeze-bpo?
(might need a kbuild backport to make it build)

cheers,

(thanks)

G.





On Tuesday 27 January 2015 13:57, Aron Xu happyaron...@gmail.com wrote:
I'll follow-up in wheezy-backports this weekend, at that time it
should land in jessie already.

Best,
Aron


On Tue, Jan 27, 2015 at 6:21 PM, Moritz Mühlenhoff j...@inutil.org wrote:
 On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
 On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
  On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
  In the past someone from upstream posted the upstream commits to the
  bug log, maybe you can contact them for more information so that we
  can merge the isolated fixes into the jessie version? Cheers, Moritz
 
  Moritz,
 
  For unstable, I've pushed the upload and asked for an exception.
 
  For Wheezy, it is building right now. Once the build is complete, I'll
  push it to s-p-u. And send you the debdiff.

 Please find attached the debdiff. Please give me an ACK, and then I'll
 do the upload.

 Looks good to me. Please upload to security-master, I'll take care of
 the update.

 Cheers,
 Moritz




-- 
Regards,
Aron Xu


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Ritesh Raj Sarraf
On 01/27/2015 03:51 PM, Moritz Mühlenhoff wrote:
 Please find attached the debdiff. Please give me an ACK, and then I'll
  do the upload.
 Looks good to me. Please upload to security-master, I'll take care of
 the update.

Thanks Moritz. The upload is done.

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Aron Xu
I'll check, if that's not too complicated I'll do it.

Cheers,
Aron





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Ritesh Raj Sarraf
On 01/26/2015 10:51 PM, Moritz Mühlenhoff wrote:
 Moritz,
  
  For unstable, I've pushed the upload and asked for an exception.
 I've added the VMSVGA fixes to the security tracker, but there are also
 two issues in Core, which apply to wheezy/jessie:

 Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?

 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Frank from Oracle had mentioned that those 2 CVEs do not affect 4.3.x.
(Please see attached email).

For Wheezy, those CVE patches are included.


To quote Frank and Gianfranco's conversation:
 CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
 CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
 do you have any patch for <= 4.2.x then?

Attached.



-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

---BeginMessage---
Hi Gianfranco,

On Wednesday 21 January 2015 14:28:53 Gianfranco Costamagna wrote:
 most of the CVEs from that CPU are related to the experimental VMSVGA
 implementation. This code is not documented and not announced, and
 regular users will not use it. Therefore I suggest you just disable
 that code by setting
 
   VBOX_WITH_VMSVGA=
   VBOX_WITH_VMSVGA3D=
 
 This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
 CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
 lengthy, therefore disabling this code is IMO the best solution.
 
 I presume starting from version 4.0 everything needs to be patched by
 disabling it?

that code only exists in VBox 4.3.x; older branches are not affected.

 CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
 CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
 
 do you have any patch for <= 4.2.x then?

Attached.

 4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18

These patches are against the latest code in the respective branches, but
I hope they apply to these old versions. Sorry, but it's not possible to
support such old versions; we only support the latest versions of a
specific branch.

 4.3.20 (not affected at all I presume)

Correct, already contains fixes for all these problems.

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V.  Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz

Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95343)
@@ -1290,7 +1290,13 @@
 if (rc2 == VERR_SEM_BUSY)
 return (uErrorCode  X86_TRAP_PF_RW) ? VINF_IOM_HC_MMIO_WRITE : VINF_IOM_HC_MMIO_READ;
 #endif
-VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(pVM-iom.s, GCPhysFault));
+PIOMMMIORANGE pRange = iomMMIOGetRange(pVM-iom.s, GCPhysFault);
+if (RT_UNLIKELY(!pRange))
+{
+iomUnlock(pVM);
+return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+}
+VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, pRange);
 iomUnlock(pVM);
 return VBOXSTRICTRC_VAL(rcStrict);
 }
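Review bot: the substantive change is the NULL check on pRange: before it, the value returned by iomMMIOGetRange() went straight into iomMMIOHandler(), so a fault at a guest-physical address with no registered MMIO range reached the handler with a NULL range pointer. The early return correctly calls iomUnlock(pVM) before returning VERR_IOM_MMIO_RANGE_NOT_FOUND, mirroring the unlock on the normal path. Note that `pVM-iom.s` and `uErrorCode  X86_TRAP_PF_RW` are not valid as rendered here; the `->` and `&` operators have evidently been lost in the archive rendering, so apply the real attachment rather than this copy.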
Index: include/VBox/hwacc_vmx.h
===
--- include/VBox/hwacc_vmx.h	(revision 96156)
+++ include/VBox/hwacc_vmx.h	(revision 96157)
@@ -519,6 +519,12 @@
 #define VMX_EXIT_WBINVD 54
 /** 55 XSETBV. Guest software attempted to execute XSETBV. */
 #define VMX_EXIT_XSETBV 55
+/** 57 RDRAND. Guest software attempted to execute RDRAND. */
+#define VMX_EXIT_RDRAND 57
+/** 58 INVPCID. Guest software attempted to execute INVPCID. */
+#define VMX_EXIT_INVPCID58
+/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
+#define VMX_EXIT_VMFUNC 59
 /** @} */
 
 
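Review bot: this hunk introduces VMX_EXIT_RDRAND, VMX_EXIT_INVPCID and VMX_EXIT_VMFUNC only, yet the HWVMXR0.cpp hunk that follows also switches on VMX_EXIT_INVEPT (50) and VMX_EXIT_INVVPID (53); those are not added here, so they must already be present in hwacc_vmx.h on the target branch or the switch will fail to compile. Exit reason 56 is left undefined between XSETBV (55) and RDRAND (57), which is harmless as long as nothing references it.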
Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
===
--- src/VBox/VMM/VMMR0/HWVMXR0.cpp	(revision 96156)
+++ src/VBox/VMM/VMMR0/HWVMXR0.cpp	(revision 96157)
@@ -4036,6 +4036,10 @@
 case VMX_EXIT_VMWRITE:  /* 25 Guest software executed VMWRITE. */
 case VMX_EXIT_VMXOFF:   /* 26 Guest software executed VMXOFF. */
 case VMX_EXIT_VMXON:/* 27 Guest software executed VMXON. */
+case VMX_EXIT_INVEPT:   /* 50 Guest software executed INVEPT. */
+case VMX_EXIT_INVVPID:  /* 53 Guest software executed INVVPID. */
+case VMX_EXIT_INVPCID:  /* 58 Guest software executed INVPCID. */
+case 
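Review bot: this copy of the HWVMXR0.cpp hunk is cut off after `+case ` and cannot be applied as shown; the complete hunk, ending with the VMX_EXIT_VMFUNC case and the VERR_EM_INTERPRETER lines, is in the attachment to Frank's own message further down the thread, and its 4.1.18 adaptation is CVE-2015-0418.patch in the wheezy debdiff.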

Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Gianfranco Costamagna
Hi Moritz, please read carefully this thread :)


Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?

jessie is not affected, and wheezy already has the patch on this thread

the two CVEs are for VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28

so 4.3 not affected.


Since jessie is already pending fixed, I propose to go for wheezy with the 
above one.
cheers,

G.





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Moritz Mühlenhoff
On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
 On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
  On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
  In the past someone from upstream posted the upstream commits to the
  bug log, maybe you can contact them for more information so that we
  can merge the isolated fixes into the jessie version? Cheers, Moritz 
 
  Moritz,
 
  For unstable, I've pushed the upload and asked for an exception.
 
  For Wheezy, it is building right now. Once the build is complete, I'll
  push it to s-p-u. And send you the debdiff.
 
 Please find attached the debdiff. Please give me an ACK, and then I'll
 do the upload.

Looks good to me. Please upload to security-master, I'll take care of
the update.

Cheers,
Moritz





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Moritz Mühlenhoff
On Tue, Jan 27, 2015 at 09:53:45AM +, Gianfranco Costamagna wrote:
 Hi Moritz, please read carefully this thread :)
 
 
 Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?
 
 jessie is not affected, and wheezy already has the patch on this thread
 
 the two CVEs are for VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28
 
 so 4.3 not affected.
 
 
 Since jessie is already pending fixed, I propose to go for wheezy with the 
 above one.
 cheers,

Thanks, I've updated the security tracker.

Cheers,
Moritz





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-27 Thread Aron Xu
I'll follow-up in wheezy-backports this weekend, at that time it
should land in jessie already.

Best,
Aron

On Tue, Jan 27, 2015 at 6:21 PM, Moritz Mühlenhoff j...@inutil.org wrote:
 On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
 On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
  On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
  In the past someone from upstream posted the upstream commits to the
  bug log, maybe you can contact them for more information so that we
  can merge the isolated fixes into the jessie version? Cheers, Moritz
 
  Moritz,
 
  For unstable, I've pushed the upload and asked for an exception.
 
  For Wheezy, it is building right now. Once the build is complete, I'll
  push it to s-p-u. And send you the debdiff.

 Please find attached the debdiff. Please give me an ACK, and then I'll
 do the upload.

 Looks good to me. Please upload to security-master, I'll take care of
 the update.

 Cheers,
 Moritz




-- 
Regards,
Aron Xu





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-26 Thread Ritesh Raj Sarraf
On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
 In the past someone from upstream posted the upstream commits to the
 bug log, maybe you can contact them for more information so that we
 can merge the isolated fixes into the jessie version? Cheers, Moritz 

Moritz,

For unstable, I've pushed the upload and asked for an exception.

For Wheezy, it is building right now. Once the build is complete, I'll
push it to s-p-u. And send you the debdiff.



-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
Necessity is the mother of invention.





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-26 Thread Ritesh Raj Sarraf
On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
 On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
 In the past someone from upstream posted the upstream commits to the
 bug log, maybe you can contact them for more information so that we
 can merge the isolated fixes into the jessie version? Cheers, Moritz 

 Moritz,

 For unstable, I've pushed the upload and asked for an exception.

 For Wheezy, it is building right now. Once the build is complete, I'll
 push it to s-p-u. And send you the debdiff.

Please find attached the debdiff. Please give me an ACK, and then I'll
do the upload.

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

diff -Nru virtualbox-4.1.18-dfsg/debian/changelog 
virtualbox-4.1.18-dfsg/debian/changelog
--- virtualbox-4.1.18-dfsg/debian/changelog 2014-04-14 14:54:39.0 
+0530
+++ virtualbox-4.1.18-dfsg/debian/changelog 2015-01-26 19:07:00.0 
+0530
@@ -1,3 +1,12 @@
+virtualbox (4.1.18-dfsg-2+deb7u4) wheezy-security; urgency=medium
+
+  [ Frank Mehnert ]
+  * fix security vulnerabilities (Closes: #775888)
+ CVE-2015-0377, CVE-2015-0418
+ - debian/patches/CVE-2015-0{377,418}.patch
+
+ -- Gianfranco Costamagna costamagnagianfra...@yahoo.it  Thu, 22 Jan 2015 
14:21:14 +0100
+
 virtualbox (4.1.18-dfsg-2+deb7u3) wheezy-security; urgency=high
 
   * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
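Review bot: the new entry uses urgency=medium, while the +deb7u3 entry directly below it, also targeted at wheezy-security, uses urgency=high; security uploads conventionally carry urgency=high, so consider aligning before upload. Listing only CVE-2015-0377 and CVE-2015-0418 is correct for this 4.1.18 package, since the thread establishes that the VMSVGA code (and its five CVEs) exists only in the 4.3 branch.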
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch 
virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch   1970-01-01 
05:30:00.0 +0530
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch   2015-01-26 
19:07:00.0 +0530
@@ -0,0 +1,20 @@
+Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
+===
+--- a/src/VBox/VMM/VMMAll/IOMAllMMIO.cpp   (revision 95342)
 b/src/VBox/VMM/VMMAll/IOMAllMMIO.cpp   (revision 95343)
+@@ -1696,7 +1696,14 @@
+ if (rc2 == VERR_SEM_BUSY)
+ return VINF_IOM_HC_MMIO_READ_WRITE;
+ #endif
+-VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, 
pCtxCore, GCPhysFault, iomMmioGetRange(pVM, GCPhysFault));
++PIOMMMIORANGE pRange = iomMmioGetRange(pVM, GCPhysFault);
++if (RT_UNLIKELY(!pRange))
++{
++IOM_UNLOCK(pVM);
++return VERR_IOM_MMIO_RANGE_NOT_FOUND;
++}
++
++VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, 
pCtxCore, GCPhysFault, pRange);
+ IOM_UNLOCK(pVM);
+ return VBOXSTRICTRC_VAL(rcStrict);
+ }
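Review bot: this backport guards only the call site at line 1696 (the VINF_IOM_HC_MMIO_READ_WRITE path), whereas the upstream attachment further down the thread patches two iomMMIOHandler() call sites in IOMAllMMIO.cpp (at 1290 and 1305). Please confirm 4.1.18 has just this one call that can receive a NULL range; otherwise the other path stays unpatched. The translation to the 4.1 API, iomMmioGetRange(pVM, ...) with IOM_UNLOCK(pVM) in place of upstream's iomMMIOGetRange(pVM->iom.s, ...) with iomUnlock(pVM), matches the surrounding context lines, and the early return unlocks before returning VERR_IOM_MMIO_RANGE_NOT_FOUND.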
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch 
virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch   1970-01-01 
05:30:00.0 +0530
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch   2015-01-26 
19:07:00.0 +0530
@@ -0,0 +1,32 @@
+Index: include/VBox/vmm/hwacc_vmx.h
+===
+--- a/include/VBox/vmm/hwacc_vmx.h (revision 96156)
 b/include/VBox/vmm/hwacc_vmx.h (revision 96157)
+@@ -525,6 +525,12 @@
+ #define VMX_EXIT_WBINVD 54
+ /** 55 XSETBV. Guest software attempted to execute XSETBV. */
+ #define VMX_EXIT_XSETBV 55
++/** 57 RDRAND. Guest software attempted to execute RDRAND. */
++#define VMX_EXIT_RDRAND 57
++/** 58 INVPCID. Guest software attempted to execute INVPCID. */
++#define VMX_EXIT_INVPCID58
++/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
++#define VMX_EXIT_VMFUNC 59
+ /** @} */
+ 
+ 
+Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
+===
+--- a/src/VBox/VMM/VMMR0/HWVMXR0.cpp   (revision 96156)
 b/src/VBox/VMM/VMMR0/HWVMXR0.cpp   (revision 96157)
+@@ -4112,6 +4112,10 @@
+ case VMX_EXIT_VMWRITE:  /* 25 Guest software executed 
VMWRITE. */
+ case VMX_EXIT_VMXOFF:   /* 26 Guest software executed VMXOFF. 
*/
+ case VMX_EXIT_VMXON:/* 27 Guest software executed VMXON. 
*/
++case VMX_EXIT_INVEPT:   /* 50 Guest software executed INVEPT. 
*/
++case VMX_EXIT_INVVPID:  /* 53 Guest software executed 
INVVPID. */
++case VMX_EXIT_INVPCID:  /* 58 Guest software executed 
INVPCID. */
++case VMX_EXIT_VMFUNC:   /* 59 Guest software executed VMFUNC. 
*/
+ /** @todo inject #UD immediately */
+ rc = VERR_EM_INTERPRETER;
+ break;
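Review bot: the HWVMXR0.cpp part adds cases for VMX_EXIT_INVEPT and VMX_EXIT_INVVPID, but the hwacc_vmx.h part defines only VMX_EXIT_RDRAND, VMX_EXIT_INVPCID and VMX_EXIT_VMFUNC; verify that 50 and 53 already exist in 4.1.18's include/VBox/vmm/hwacc_vmx.h. The header path and the hunk offsets (525 and 4112 versus upstream's 519 and 4036) differ from the upstream attachment, so this was rebased onto 4.1.18 rather than applied verbatim; a test build is the quick way to confirm it compiles. The new exits are routed to the existing `rc = VERR_EM_INTERPRETER` handling under a still-open `@todo inject #UD immediately`, same as upstream.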
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/series 
virtualbox-4.1.18-dfsg/debian/patches/series
--- virtualbox-4.1.18-dfsg/debian/patches/series2014-04-14 
14:55:14.0 +0530
+++ virtualbox-4.1.18-dfsg/debian/patches/series2015-01-26 
19:07:00.0 +0530
@@ -20,3 +20,5 @@
 38-security-fixes-2014-01.patch
 CVE-2014-0981.patch
 
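Review bot: the header @@ -20,3 +20,5 @@ announces two added lines, but the body is cut off here before them; CVE-2015-0377.patch and CVE-2015-0418.patch must be appended to debian/patches/series or the build will not apply them. Check the real debdiff, not this rendering, before the ACK.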

Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-26 Thread Moritz Mühlenhoff
On Mon, Jan 26, 2015 at 09:07:19PM +0530, Ritesh Raj Sarraf wrote:
 On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
  In the past someone from upstream posted the upstream commits to the
  bug log, maybe you can contact them for more information so that we
  can merge the isolated fixes into the jessie version? Cheers, Moritz 
 
 Moritz,
 
 For unstable, I've pushed the upload and asked for an exception.

I've added the VMSVGA fixes to the security tracker, but there are also
two issues in Core, which apply to wheezy/jessie:

Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#775888: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-22 Thread Gianfranco Costamagna
Hi all,

so to sum everything up:

experimental: NOT AFFECTED.
jessie: fixed all of them by disabling the code (attached jessie-debdiff)

wheezy: fixed CVE-2015-0377, CVE-2015-0418

wheezy-bpo: I propose to backport the new 4.3.18 into bpo when it reaches 
testing.
squeeze: no virtualbox there

squeeze-bpo: I propose to backport kbuild and then virtualbox 4.1 or 4.3 from 
wheezy-jessie.

Attached the debdiffs



thanks again Frank for your help!

cheers,

Gianfranco



Bug#775888: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Frank Mehnert
Hi,

On Wednesday 21 January 2015 18:55:40 Ritesh Raj Sarraf wrote:
 The recently declared CVEs for VBox have fixes mentioned only in the
 4.3.20 release.
 
 Debian Jessie is frozen, and for it, we have targeted the 4.3.18
 release. Do you have the broken out patches that fix the vulnerabilities ?

most of the CVEs from that CPU are related to the experimental VMSVGA
implementation. This code is not documented and not announced, and
regular users will not use it. Therefore I suggest you just disable
that code by setting

  VBOX_WITH_VMSVGA=
  VBOX_WITH_VMSVGA3D=

This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
lengthy, therefore disabling this code is IMO the best solution.

CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
CVE-2014-0224: this is related to OpenSSL and therefore not a problem for
   Linux distributions as you compile your code against the
   distro-specific OpenSSL implementation.

Frank



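As an added illustration (not code from the thread or from the VirtualBox project), the branch rules Frank states above, together with the fix releases from the Oracle risk matrix quoted later in the thread, encoded as a triage check for an installed version; the function names and the `vmsvga_built` and `fixed_by_distro` parameters are my own.

```python
"""Branch-aware triage of the VirtualBox CVEs discussed in Debian bug #775888.

Rules encoded, as stated in the thread:
  * CVE-2014-6588/6589/6590/6595 and CVE-2015-0427 live in the VMSVGA code,
    which exists only in the 4.3.x branch and is fixed in 4.3.20; building
    with VBOX_WITH_VMSVGA= and VBOX_WITH_VMSVGA3D= omits that code entirely.
  * CVE-2015-0377 and CVE-2015-0418 (Core) affect 4.2.x and older; the risk
    matrix lists the fix releases 3.2.26, 4.0.28, 4.1.36 and 4.2.28.
"""
import re
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, int, int]

CORE_CVES: Set[str] = {"CVE-2015-0377", "CVE-2015-0418"}
VMSVGA_CVES: Set[str] = {"CVE-2014-6588", "CVE-2014-6589", "CVE-2014-6590",
                         "CVE-2014-6595", "CVE-2015-0427"}

# Fix release per branch for the Core CVEs (Oracle risk matrix). Branches
# older than 4.3 with no entry here have no fix release in the thread and
# are treated as affected.
CORE_FIXED: Dict[Tuple[int, int], Version] = {
    (3, 2): (3, 2, 26),
    (4, 0): (4, 0, 28),
    (4, 1): (4, 1, 36),
    (4, 2): (4, 2, 28),
}
VMSVGA_BRANCH: Tuple[int, int] = (4, 3)
VMSVGA_FIXED: Version = (4, 3, 20)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the upstream x.y.z triple from strings such as '4.3.18',
    '4.3.20r96997' or a Debian package version like '4.1.18-dfsg-2+deb7u4'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised VirtualBox version: {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def affected_cves(version_text: str, vmsvga_built: bool = True,
                  fixed_by_distro: Optional[Set[str]] = None) -> Set[str]:
    """Return the CVEs from this bug that apply to the given build.

    vmsvga_built: False when the package was built with VBOX_WITH_VMSVGA= and
        VBOX_WITH_VMSVGA3D= (the jessie approach), which removes the VMSVGA
        device and with it the five VMSVGA CVEs.
    fixed_by_distro: CVEs the distribution backported without changing the
        upstream version, e.g. wheezy's 4.1.18-dfsg-2+deb7u4 carrying the
        CVE-2015-0377 and CVE-2015-0418 patches; a plain version comparison
        would otherwise keep flagging such a package.
    """
    version = parse_version(version_text)
    branch = (version[0], version[1])
    found: Set[str] = set()

    if branch == VMSVGA_BRANCH:
        # 4.3.x: not affected by the Core CVEs; VMSVGA CVEs until 4.3.20.
        if vmsvga_built and version < VMSVGA_FIXED:
            found |= VMSVGA_CVES
    elif branch < VMSVGA_BRANCH:
        # Pre-4.3 branches have no VMSVGA code; only the Core CVEs apply.
        fixed = CORE_FIXED.get(branch)
        if fixed is None or version < fixed:
            found |= CORE_CVES
    # Branches newer than 4.3 postdate every fix release in the thread.

    return found - (fixed_by_distro or set())


if __name__ == "__main__":
    # The versions Gianfranco lists as present in the Debian/Ubuntu archives.
    for v in ("4.0.10", "4.1.12", "4.1.18", "4.3.10", "4.3.14", "4.3.18", "4.3.20"):
        print(f"{v:8} -> {sorted(affected_cves(v)) or 'not affected'}")
    print("4.1.18-dfsg-2+deb7u4 with backports ->",
          sorted(affected_cves("4.1.18-dfsg-2+deb7u4", fixed_by_distro=CORE_CVES))
          or "not affected")
```

The `fixed_by_distro` parameter is the caveat for any scanner that keys on upstream version strings: wheezy's patched package still reports 4.1.18 and would otherwise be flagged for CVEs the debdiff in this thread already fixes.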


Bug#775888: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Gianfranco Costamagna
Hi Frank,



that code only exists in VBox 4.3.x; older branches are not affected.

wonderful
Attached.


wonderful
These patches are against the latest code in the respective branches, but
I hope they apply to these old versions. Sorry, but it's not possible to
support such old versions; we only support the latest versions of a
specific branch.

Of course, there is absolutely no problem in adapting them :)

Correct, already contains fixes for all these problems.
wonderful


many thanks,

Gianfranco





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Moritz Muehlenhoff
On Wed, Jan 21, 2015 at 01:15:53PM +0530, Ritesh Raj Sarraf wrote:
 On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
  Package: virtualbox
  Severity: grave
  Tags: security
  Justification: user security hole
 
  No specific details available yet:
  http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
 
  Cheers,
  Moritz
 
 
 The following matrix is what I could grab.
 
 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR
 
 (Product: Oracle VM VirtualBox, Protocol: None for every row; AV/AC/Au/C/I/A = CVSS v2 metrics)
 
 CVE#           Component      Remote  CVSS  AV     AC   Au      C     I         A         Affected VirtualBox versions             Notes
 CVE-2014-6595  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
 CVE-2014-6588  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
 CVE-2014-6589  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
 CVE-2014-6590  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
 CVE-2015-0427  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
 CVE-2015-0418  Core           No      2.1   Local  Low  None    None  None      Partial+  prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28
 
 *Notes:*
 
  1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
  2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
 CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
  3. VMSVGA virtual graphics device is not documented and is disabled by
 default.
 
 @Moritz: There's nothing more detailed than the statement that all
 versions prior to 4.3.20 are vulnerable.
 4.3.20 is in experimental right now.

In the past someone from upstream posted the upstream commits to the
bug log, maybe you can contact them for more information so that
we can merge the isolated fixes into the jessie version?

Cheers,
Moritz





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Ritesh Raj Sarraf
Yes. We'll talk to the upstream folks.

s3nt fr0m a $martph0ne, excuse typ0s
On Jan 21, 2015 1:28 PM, Moritz Muehlenhoff j...@inutil.org wrote:

 On Wed, Jan 21, 2015 at 01:15:53PM +0530, Ritesh Raj Sarraf wrote:
  On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
   Package: virtualbox
   Severity: grave
   Tags: security
   Justification: user security hole
  
   No specific details available yet:
  
 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
  
   Cheers,
   Moritz
  
 
  The following matrix is what I could grab.
 
 
 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR
 
  (Product: Oracle VM VirtualBox, Protocol: None for every row; AV/AC/Au/C/I/A = CVSS v2 metrics)
  
  CVE#           Component      Remote  CVSS  AV     AC   Au      C     I         A         Affected VirtualBox versions             Notes
  CVE-2014-6595  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
  CVE-2014-6588  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
  CVE-2014-6589  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
  CVE-2014-6590  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
  CVE-2015-0427  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
  CVE-2015-0418  Core           No      2.1   Local  Low  None    None  None      Partial+  prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28
 
  *Notes:*
 
   1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and
 CVE-2014-5704.
   2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
  CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
   3. VMSVGA virtual graphics device is not documented and is disabled by
  default.
 
  @Moritz: There's nothing more detailed than the statement that all
  versions prior to 4.3.20 are vulnerable.
  4.3.20 is in experimental right now.

 In the past someone from upstream posted the upstream commits to the
 bug log, maybe you can contact them for more information so that
 we can merge the isolated fixes into the jessie version?

 Cheers,
 Moritz



Bug#775888: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Frank Mehnert
Hi Gianfranco,

On Wednesday 21 January 2015 14:28:53 Gianfranco Costamagna wrote:
 most of the CVEs from that CPU are related to the experimental VMSVGA
 implementation. This code is not documented and not announced, and
 regular users will not use it. Therefore I suggest you just disable
 that code by setting
 
   VBOX_WITH_VMSVGA=
   VBOX_WITH_VMSVGA3D=
 
 This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
 CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
 lengthy, therefore disabling this code is IMO the best solution.
 
 I presume starting from version 4.0 everything needs to be patched by
 disabling it?

that code only exists in VBox 4.3.x; older branches are not affected.

 CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
 CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
 
 do you have any patch for <= 4.2.x then?

Attached.

 4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18

These patches are against the latest code in the respective branches, but
I hope they apply to these old versions. Sorry, but it's not possible to
support such old versions; we only support the latest versions of a
specific branch.

 4.3.20 (not affected at all I presume)

Correct, already contains fixes for all these problems.

Frank
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95343)
@@ -1290,7 +1290,13 @@
 if (rc2 == VERR_SEM_BUSY)
 return (uErrorCode  X86_TRAP_PF_RW) ? VINF_IOM_HC_MMIO_WRITE : VINF_IOM_HC_MMIO_READ;
 #endif
-VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(pVM-iom.s, GCPhysFault));
+PIOMMMIORANGE pRange = iomMMIOGetRange(pVM-iom.s, GCPhysFault);
+if (RT_UNLIKELY(!pRange))
+{
+iomUnlock(pVM);
+return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+}
+VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, pRange);
 iomUnlock(pVM);
 return VBOXSTRICTRC_VAL(rcStrict);
 }
Index: include/VBox/hwacc_vmx.h
===
--- include/VBox/hwacc_vmx.h	(revision 96156)
+++ include/VBox/hwacc_vmx.h	(revision 96157)
@@ -519,6 +519,12 @@
 #define VMX_EXIT_WBINVD 54
 /** 55 XSETBV. Guest software attempted to execute XSETBV. */
 #define VMX_EXIT_XSETBV 55
+/** 57 RDRAND. Guest software attempted to execute RDRAND. */
+#define VMX_EXIT_RDRAND 57
+/** 58 INVPCID. Guest software attempted to execute INVPCID. */
+#define VMX_EXIT_INVPCID58
+/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
+#define VMX_EXIT_VMFUNC 59
 /** @} */
 
 
Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
===
--- src/VBox/VMM/VMMR0/HWVMXR0.cpp	(revision 96156)
+++ src/VBox/VMM/VMMR0/HWVMXR0.cpp	(revision 96157)
@@ -4036,6 +4036,10 @@
 case VMX_EXIT_VMWRITE:  /* 25 Guest software executed VMWRITE. */
 case VMX_EXIT_VMXOFF:   /* 26 Guest software executed VMXOFF. */
 case VMX_EXIT_VMXON:/* 27 Guest software executed VMXON. */
+case VMX_EXIT_INVEPT:   /* 50 Guest software executed INVEPT. */
+case VMX_EXIT_INVVPID:  /* 53 Guest software executed INVVPID. */
+case VMX_EXIT_INVPCID:  /* 58 Guest software executed INVPCID. */
+case VMX_EXIT_VMFUNC:   /* 59 Guest software executed VMFUNC. */
 /** @todo inject #UD immediately */
 rc = VERR_EM_INTERPRETER;
 break;
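Review bot: this is the complete form of the HWVMXR0.cpp hunk that is truncated in the forwarded copy earlier in the thread. The four new cases are grouped with VMWRITE/VMXOFF/VMXON under `rc = VERR_EM_INTERPRETER`, and the `/** @todo inject #UD immediately */` above that line is left in place, so the intended behaviour (raising #UD in the guest for these instructions) is still pending and worth tracking as a follow-up.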
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95343)
@@ -1305,7 +1305,13 @@
 if (rc2 == VERR_SEM_BUSY)
 return VINF_IOM_HC_MMIO_READ_WRITE;
 #endif
-VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(pVM-iom.s, GCPhysFault));
+PIOMMMIORANGE pRange = iomMMIOGetRange(pVM-iom.s, GCPhysFault);
+if (RT_UNLIKELY(!pRange))
+{
+iomUnlock(pVM);
+return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+}
+VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, 
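Review bot: this is the second iomMMIOHandler() call site in IOMAllMMIO.cpp (the VINF_IOM_HC_MMIO_READ_WRITE path at 1305) receiving the same NULL-range guard as the hunk at 1290; the copy here is cut off mid-line after `GCPhysFault, `. The 4.1.18 backport in the wheezy debdiff (CVE-2015-0377.patch, offset 1696) shows this hunk complete, ending in `pRange);` followed by the unlock and return.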

Bug#775888: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Gianfranco Costamagna
Hi Frank




most of the CVEs from that CPU are related to the experimental VMSVGA
implementation. This code is not documented and not announced, and
regular users will not use it. Therefore I suggest you just disable
that code by setting

  VBOX_WITH_VMSVGA=
  VBOX_WITH_VMSVGA3D=

This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
lengthy, therefore disabling this code is IMO the best solution.


I presume starting from version 4.0 everything needs to be patched by disabling 
it?

CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)


do you have any patch for <= 4.2.x then?

we have in the archive (debian and ubuntu)

4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18

4.3.20 (not affected at all I presume)

Frank





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-20 Thread Moritz Muehlenhoff
Package: virtualbox
Severity: grave
Tags: security
Justification: user security hole

No specific details available yet:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Cheers,
Moritz





Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-20 Thread Ritesh Raj Sarraf
On 01/21/2015 12:53 PM, Moritz Muehlenhoff wrote:
 Package: virtualbox
 Severity: grave
 Tags: security
 Justification: user security hole

 No specific details available yet:
 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

 Cheers,
 Moritz


The following matrix is what I could grab.

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixOVIR

(Product: Oracle VM VirtualBox and Protocol: None for every row; Remote = remote exploit
without authentication; AV/AC/Au/C/I/A = CVSS v2 access vector, access complexity,
authentication, confidentiality, integrity, availability.)

CVE#           Component      Remote  CVSS  AV     AC   Au      C     I         A         Affected VirtualBox versions             Notes
CVE-2014-6595  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
CVE-2014-6588  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
CVE-2014-6589  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
CVE-2014-6590  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
CVE-2015-0427  VMSVGA device  No      3.2   Local  Low  Single  None  Partial+  Partial+  prior to 4.3.20                          See Note 3
CVE-2015-0418  Core           No      2.1   Local  Low  None    None  None      Partial+  prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28

*Notes:*

 1. This fix also addresses CVE-2014-0231, CVE-2014-0118 and CVE-2014-5704.
 2. This fix also addresses CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
CVE-2010-5298, CVE-2014-3470 and CVE-2014-0076.
 3. VMSVGA virtual graphics device is not documented and is disabled by
default.



@Moritz: There's nothing more detailed than the statement that all
versions prior to 4.3.20 are vulnerable.
4.3.20 is in experimental right now.


-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
Necessity is the mother of invention.


