Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>: Bug#504149; Package virtualbox-ose.
(Sat, 01 Nov 2008 06:03:04 GMT)
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sat, 01 Nov 2008 06:03:04 GMT)
Package: virtualbox-ose
Version: 1.6.6-dfsg-2
Severity: serious
Tags: security
By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can
overwrite any file owned by any user who starts virtualbox. Starting and
then exiting virtualbox is enough to trigger this; you don't need to
start any virtual machines.
In addition to this, it is a really stupid idea to put dotfiles in /tmp
and this should be fixed too.
In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/
when exiting, which is just rude.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages virtualbox-ose depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libgcc1 1:4.3.2-1 GCC support library
ii libgl1-mesa-glx [libgl1] 7.0.3-6 A free implementation of the OpenG
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libidl0 0.8.10-0.1 library for parsing CORBA IDL file
ii libqt3-mt 3:3.3.8b-5 Qt GUI Library (Threaded runtime v
ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxml2 2.6.32.dfsg-4 GNOME XML library
ii libxslt1.1 1.1.24-2 XSLT processing library - runtime
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
Versions of packages virtualbox-ose recommends:
ii virtualbox-ose-mod 1.6.6-dfsg-2+2.6.26-8 VirtualBox modules for Linux (kern
Versions of packages virtualbox-ose suggests:
ii bridge-utils 1.4-5 Utilities for configuring the Linu
ii virtualbox-ose-source 1.6.6-dfsg-2 x86 virtualization solution - kern
-- debconf information:
* virtualbox-ose/upstream_version_change: true
--
bye,
pabs
http://wiki.debian.org/PaulWise
Severity set to `grave' from `serious'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 01 Nov 2008 13:48:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>: Bug#504149; Package virtualbox-ose.
(Wed, 05 Nov 2008 10:30:32 GMT)
Acknowledgement sent
to Frank Mehnert <Frank.Mehnert@Sun.COM>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 05 Nov 2008 10:32:05 GMT)
Paul et al.,
On Saturday 01 November 2008, Paul Wise wrote:
> By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can
> overwrite any file owned by any user who starts virtualbox. Starting and
> then exiting virtualbox is enough to trigger this, you don't need to
> start any virtual machines.
Thanks for this report.
> In addition to this, it is a really stupid idea to put dotfiles in /tmp
> and this should be fixed too.
I'm not sure if this is stupid or not. At least the .vbox-* directories
are not the only .dotfile directories in /tmp.
> In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/
> when exiting, which is just rude.
We will fix that later.
I hope our fix is sufficient. The changesets r13788, r13807, r13809,
r13810 should check the permissions. These changesets should apply
to 1.6.6 and 2.0 as well.
Kind regards,
Frank
--
Dr.-Ing. Frank Mehnert Sun Microsystems http://www.sun.com/
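The permission checks Frank refers to, shown as an added C example (this is not VirtualBox's own code from the changesets above): the lock file is opened only inside a directory we own that has no group/other access, with O_NOFOLLOW so a planted symlink at the lock path is refused instead of dereferenced. The directory and file names in the scenario function are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Added example, not VirtualBox code: open dir/name as a lock file only if dir
 * is a non-symlink directory we own with no group/other access, never following
 * a symlink planted at the lock path itself. Returns the fd or -1 with errno. */
int open_lock_safely(const char *dir, const char *name)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        errno = EPERM; return -1;      /* pre-created by someone else, or shared */
    }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* O_NOFOLLOW: a symlink at dir/name fails with ELOOP instead of being followed */
    int fd = openat(dfd, name, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed scenario: in a fresh 0700 temp dir a symlink planted at "lock"
 * must be refused with ELOOP; once it is removed the open must succeed. */
int lock_scenario_ok(void)
{
    char dir[] = "/tmp/lock-demo-XXXXXX", link[64], target[64];
    if (mkdtemp(dir) == NULL) return 0;           /* mkdtemp creates mode 0700 */
    snprintf(link, sizeof link, "%s/lock", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    int ok = 0, t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t >= 0 && close(t) == 0 && symlink(target, link) == 0) {
        int refused = (open_lock_safely(dir, "lock") < 0 && errno == ELOOP);
        unlink(link);                             /* remove the planted symlink */
        int fd = open_lock_safely(dir, "lock");   /* plain file now: accepted */
        ok = refused && fd >= 0;
        if (fd >= 0) close(fd);
        unlink(link);
    }
    unlink(target); rmdir(dir);
    return ok;
}
```

The directory check is what defeats the pre-created /tmp/.vbox-$USER-ipc/ case; the O_NOFOLLOW and fstat checks cover a symlink planted later at the lock path itself.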
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>: Bug#504149; Package virtualbox-ose.
(Wed, 05 Nov 2008 13:57:04 GMT)
Acknowledgement sent
to Michael Meskes <meskes@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 05 Nov 2008 13:57:04 GMT)
tag 504149 pending
thanks
> I hope our fix is sufficient. The changesets r13788, r13807, r13809,
> r13810 should check the permissions. These changesets should apply
> to 1.6.6 and 2.0 as well.
Thanks a lot Frank.
I just put a unified patch into our SVN, a new upload will come pretty soon.
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo: michaelmeskes, Jabber: meskes@jabber.org
Go VfL Borussia! Go SF 49ers! Use Debian GNU/Linux! Use PostgreSQL!
Tags added: pending
Request was from Michael Meskes <meskes@debian.org>
to control@bugs.debian.org.
(Wed, 05 Nov 2008 13:57:05 GMT)
Reply sent
to Michael Meskes <meskes@debian.org>:
You have taken responsibility.
(Fri, 07 Nov 2008 12:12:11 GMT)
Notification sent
to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer.
(Fri, 07 Nov 2008 12:12:11 GMT)
Subject: Bug#504149: fixed in virtualbox-ose 1.6.6-dfsg-3
Date: Fri, 07 Nov 2008 11:47:08 +0000
Source: virtualbox-ose
Source-Version: 1.6.6-dfsg-3
We believe that the bug you reported is fixed in the latest version of
virtualbox-ose, which is due to be installed in the Debian FTP archive:
virtualbox-ose-dbg_1.6.6-dfsg-3_i386.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-dbg_1.6.6-dfsg-3_i386.deb
virtualbox-ose-guest-source_1.6.6-dfsg-3_all.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-guest-source_1.6.6-dfsg-3_all.deb
virtualbox-ose-guest-utils_1.6.6-dfsg-3_i386.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-guest-utils_1.6.6-dfsg-3_i386.deb
virtualbox-ose-source_1.6.6-dfsg-3_all.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-source_1.6.6-dfsg-3_all.deb
virtualbox-ose_1.6.6-dfsg-3.diff.gz
to pool/main/v/virtualbox-ose/virtualbox-ose_1.6.6-dfsg-3.diff.gz
virtualbox-ose_1.6.6-dfsg-3.dsc
to pool/main/v/virtualbox-ose/virtualbox-ose_1.6.6-dfsg-3.dsc
virtualbox-ose_1.6.6-dfsg-3_i386.deb
to pool/main/v/virtualbox-ose/virtualbox-ose_1.6.6-dfsg-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 504149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Meskes <meskes@debian.org> (supplier of updated virtualbox-ose package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 13 Oct 2008 16:38:47 +0200
Source: virtualbox-ose
Binary: virtualbox-ose virtualbox-ose-dbg virtualbox-ose-source virtualbox-ose-guest-source virtualbox-ose-guest-utils
Architecture: source i386 all
Version: 1.6.6-dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Changed-By: Michael Meskes <meskes@debian.org>
Description:
virtualbox-ose - x86 virtualization solution - binaries
virtualbox-ose-dbg - x86 virtualization solution - debugging symbols
virtualbox-ose-guest-source - x86 virtualization solution - guest addition module source
virtualbox-ose-guest-utils - x86 virtualization solution - guest utilities
virtualbox-ose-source - x86 virtualization solution - kernel module source
Closes: 502068 504149
Changes:
virtualbox-ose (1.6.6-dfsg-3) unstable; urgency=high
.
* Added upstream patch to support kernel 2.6.27, closes: #502068
* Added upstream patch to prevent potential symlink attack, closes: #504149
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 09 Dec 2008 07:27:33 GMT)