[Pkg-virtualbox-devel] Bug#635276: CVE-2011-2305 / CVE-2011-2300

Moritz Mühlenhoff jmm at inutil.org
Tue Jul 26 20:12:10 UTC 2011


On Sun, Jul 24, 2011 at 06:20:33PM +0200, Moritz Muehlenhoff wrote:
> Package: virtualbox-ose
> Version: 4.0.10-dfsg-1
> Severity: grave
> Tags: security
> 
> Does this affect the versions in Debian?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2305 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2300

I asked for details on oss-security:

From: Dan Rosenberg <dan.j.rosenberg at gmail.com>
To: oss-security at lists.openwall.com

On Tue, Jul 26, 2011 at 11:19 AM, Moritz Muehlenhoff <jmm at debian.org> wrote:
> Hi,
> does anyone have further information on
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2300 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2305
> and whether it affects the open source version of Virtual Box?
>

These issues were found by Tarjei Mandt, and are described in this blog post:
http://mista.nu/blog/author/mista/

CVE-2011-2300 allows gaining elevated privileges within a Windows
guest due to a vulnerability in the Windows Guest Additions.
CVE-2011-2305 allows executing arbitrary code on the host due to a
vulnerability in the VirtualBox graphics stack.

Tarjei found these issues via code auditing, so it follows that they
affect the open source version of VirtualBox.

-Dan

Cheers,
        Moritz




