Hi Moritz, On 14.03.2014 13:11, Moritz Muehlenhoff wrote: > Package: virtualbox > Severity: grave > Tags: security > Justification: user security hole > > Hi, > please see > http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities
Attached are tested debdiffs for squeeze- and wheezy-security. Please let me know if I can upload them to security-master. Cheers, Felix
diff -u virtualbox-ose-3.2.10-dfsg/debian/changelog virtualbox-ose-3.2.10-dfsg/debian/changelog
--- virtualbox-ose-3.2.10-dfsg/debian/changelog
+++ virtualbox-ose-3.2.10-dfsg/debian/changelog
@@ -1,3 +1,12 @@
+virtualbox-ose (3.2.10-dfsg-1+squeeze3) squeeze-security; urgency=high
+
+ * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
+ - CVE-2014-0981, CVE-2014-0983
+ - Backport fixes from version 3.2.22 in debian/patches/CVE-2014-0981.patch
+ and debian/patches/CVE-2014-0983.patch
+
+ -- Felix Geyer <fge...@debian.org> Mon, 14 Apr 2014 11:33:29 +0200
+
 virtualbox-ose (3.2.10-dfsg-1+squeeze2) squeeze-security; urgency=high
 
 * Apply fixes from the January 2014 security advisory. (Closes: #735410)
diff -u virtualbox-ose-3.2.10-dfsg/debian/patches/series virtualbox-ose-3.2.10-dfsg/debian/patches/series
--- virtualbox-ose-3.2.10-dfsg/debian/patches/series
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/series
@@ -14,0 +15,2 @@
+CVE-2014-0981.patch
+CVE-2014-0983.patch
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0981.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0981.patch
@@ -0,0 +1,52 @@
+--- a/src/VBox/GuestHost/OpenGL/util/net.c
++++ b/src/VBox/GuestHost/OpenGL/util/net.c
+@@ -956,7 +956,7 @@
+ conn->InstantReclaim( conn, (CRMessage *) msg );
+ }
+ 
+-
++#ifdef IN_GUEST
+ /**
+ * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+ * message. Writeback is used to implement glGet*() functions.
+@@ -989,7 +989,7 @@
+ (*writeback)--;
+ crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+ 
+ /**
+ * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1067,13 +1067,21 @@
+ }
+ break;
+ case CR_MESSAGE_READ_PIXELS:
+- crError( "Can't handle read pixels" );
++ crWarning( "Can't handle read pixels" );
+ return;
+ case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+ crNetRecvWriteback( &(pRealMsg->writeback) );
++#else
++ crWarning("CR_MESSAGE_WRITEBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+ crNetRecvReadback( &(pRealMsg->readback), len );
++#else
++ crWarning("CR_MESSAGE_READBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_CRUT:
+ /* nothing */
+@@ -1091,7 +1099,7 @@
+ {
+ char string[128];
+ crBytesToString( string, sizeof(string), msg, len );
+- crError("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
++ crWarning("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
+ "Did you add a new message type and forget to tell "
+ "crNetDefaultRecv() about it?\n",
+ msg->header.type, string );
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0983.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0983.patch
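Review bot: The new host-side `#else` branches for CR_MESSAGE_WRITEBACK and CR_MESSAGE_READBACK, together with the crError→crWarning downgrade in the READ_PIXELS and default cases, log unconditionally on message types a guest can send, so a guest can now fill the host log by repeating such messages; a once-only guard such as `static int s_cWarned; if (!s_cWarned++) crWarning("CR_MESSAGE_WRITEBACK not expected\n");` (constructed) keeps the first occurrence visible for detection without the flood. The `#ifdef IN_GUEST` region opened at line 956 and closed at 989 looks like it covers both crNetRecvWriteback and crNetRecvReadback, matching the guarded call sites, but both definitions start and end outside the shown context, so that should be verified against the full file before upload. The patch file also carries no DEP-3 header; something like `Description: CVE-2014-0981: do not process WRITEBACK/READBACK messages on the host` / `Origin: backport, VirtualBox 3.2.22` / `Bug-Debian: https://bugs.debian.org/741602` would record where the backport came from. The same points apply to the wheezy copy of this patch (the 4.1.32 backport) in the second debdiff.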
@@ -0,0 +1,69 @@
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
+@@ -46,6 +46,7 @@
+ for func_name in keys:
+ current = 0
+ array = ""
++ condition = ""
+ m = re.search( r"^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -68,6 +69,7 @@
+ name = "texCoord"
+ type = m.group(3) + m.group(2)
+ array = "[texture-GL_TEXTURE0_ARB]"
++ condition = "if (texture >= GL_TEXTURE0_ARB && texture < GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)"
+ m = re.match( r"^(Index)(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -91,18 +93,23 @@
+ name = string.lower( m.group(1)[:1] ) + m.group(1)[1:]
+ type = m.group(3) + m.group(2)
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ if func_name == "VertexAttrib4NubARB":
+ current = 1
+ name = "vertexAttrib"
+ type = "ub4"
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ 
+ if current:
+ params = apiutil.Parameters(func_name)
+ print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( func_name, apiutil.MakeDeclarationString(params) )
+ print '{'
+- print '\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
+- print "\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t%s' % (condition)
++ print '\t{'
++ print '\t\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
++ print "\t\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t}'
+ print '}\n'
+ 
+ print """
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
+@@ -92,7 +92,21 @@
+ rbid = (GLuint) *get_values;
+ *get_values = (%s) crStateRBOHWIDtoID(rbid);
+ }
+- """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
++ else if (GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS==pname)
++ {
++ if (CR_MAX_TEXTURE_UNITS < (GLuint)*get_values)
++ {
++ *get_values = (%s)CR_MAX_TEXTURE_UNITS;
++ }
++ }
++ else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname)
++ {
++ if (CR_MAX_VERTEX_ATTRIBS < (GLuint)*get_values)
++ {
++ *get_values = (%s)CR_MAX_VERTEX_ATTRIBS;
++ }
++ }
++ """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
+ print '\tcrServerReturnValue( get_values, tablesize );'
+ print '\tcrFree(get_values);'
+ print '}\n'
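Review bot: The generated bounds checks in `condition` silently drop an out-of-range `texture` or `index` and skip the head_spu dispatch, which is the right containment, but nothing is logged, so an attempt to reach the old out-of-bounds write leaves no trace on the host; emitting an else branch only when a condition exists, `if condition:` / `    print '\telse'` / `    print '\t\tcrWarning("crServerDispatch%s: parameter out of range, call ignored");' % func_name`, gives a detection hook (the `if condition:` guard matters because an empty condition yields a bare `{ ... }` block that a trailing `else` would not compile against). The guards assume `texture` and `index` are unsigned (GLenum/GLuint per the GL spec); the parameter types come from `apiutil.Parameters` outside this hunk, so that is worth confirming in the generated C. For the cases that set no condition the generator now prints a line holding only a tab followed by a bare block; printing the `{`/`}` wrapper only when a condition exists would keep the generated source for those functions unchanged. The same patch is carried for wheezy in the second debdiff, where only the server_simpleget.py hunk differs (the GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS clamp already exists there), so these points apply to both.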
diff -Nru virtualbox-4.1.18-dfsg/debian/changelog virtualbox-4.1.18-dfsg/debian/changelog
--- virtualbox-4.1.18-dfsg/debian/changelog 2014-03-09 19:47:46.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/changelog 2014-04-14 11:24:39.000000000 +0200
@@ -1,3 +1,12 @@
+virtualbox (4.1.18-dfsg-2+deb7u3) wheezy-security; urgency=high
+
+ * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
+ - CVE-2014-0981, CVE-2014-0983
+ - Backport fixes from version 4.1.32 in debian/patches/CVE-2014-0981.patch
+ and debian/patches/CVE-2014-0983.patch
+
+ -- Felix Geyer <fge...@debian.org> Mon, 14 Apr 2014 11:19:01 +0200
+
 virtualbox (4.1.18-dfsg-2+deb7u2) wheezy-security; urgency=high
 
 * Apply fixes from the January 2014 security advisory. (Closes: #735410)
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch 1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0981.patch 2014-04-14 11:18:57.000000000 +0200
@@ -0,0 +1,53 @@
+diff -Nur VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c
+--- VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c 2014-01-10 17:21:21.000000000 +0100
++++ VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c 2014-03-14 08:18:19.000000000 +0100
+@@ -957,7 +957,7 @@
+ conn->InstantReclaim( conn, (CRMessage *) msg );
+ }
+ 
+-
++#ifdef IN_GUEST
+ /**
+ * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+ * message. Writeback is used to implement glGet*() functions.
+@@ -990,7 +990,7 @@
+ (*writeback)--;
+ crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+ 
+ /**
+ * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1068,13 +1068,21 @@
+ }
+ break;
+ case CR_MESSAGE_READ_PIXELS:
+- crError( "Can't handle read pixels" );
++ crWarning( "Can't handle read pixels" );
+ return;
+ case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+ crNetRecvWriteback( &(pRealMsg->writeback) );
++#else
++ crWarning("CR_MESSAGE_WRITEBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+ crNetRecvReadback( &(pRealMsg->readback), len );
++#else
++ crWarning("CR_MESSAGE_READBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_CRUT:
+ /* nothing */
+@@ -1092,7 +1100,7 @@
+ {
+ char string[128];
+ crBytesToString( string, sizeof(string), msg, len );
+- crError("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
++ crWarning("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
+ "Did you add a new message type and forget to tell "
+ "crNetDefaultRecv() about it?\n",
+ msg->header.type, string );
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch
--- virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch 1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2014-0983.patch 2014-04-14 11:18:29.000000000 +0200
@@ -0,0 +1,62 @@
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
+@@ -46,6 +46,7 @@
+ for func_name in keys:
+ current = 0
+ array = ""
++ condition = ""
+ m = re.search( r"^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -68,6 +69,7 @@
+ name = "texCoord"
+ type = m.group(3) + m.group(2)
+ array = "[texture-GL_TEXTURE0_ARB]"
++ condition = "if (texture >= GL_TEXTURE0_ARB && texture < GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)"
+ m = re.match( r"^(Index)(ub|b|us|s|ui|i|f|d)$", func_name )
+ if m :
+ current = 1
+@@ -91,18 +93,23 @@
+ name = string.lower( m.group(1)[:1] ) + m.group(1)[1:]
+ type = m.group(3) + m.group(2)
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ if func_name == "VertexAttrib4NubARB":
+ current = 1
+ name = "vertexAttrib"
+ type = "ub4"
+ array = "[index]"
++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)"
+ 
+ if current:
+ params = apiutil.Parameters(func_name)
+ print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( func_name, apiutil.MakeDeclarationString(params) )
+ print '{'
+- print '\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
+- print "\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t%s' % (condition)
++ print '\t{'
++ print '\t\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) )
++ print "\t\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array)
++ print '\t}'
+ print '}\n'
+ 
+ print """
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py
+@@ -113,7 +113,14 @@
+ *get_values = (%s)CR_MAX_TEXTURE_UNITS;
+ }
+ }
+- """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
++ else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname)
++ {
++ if (CR_MAX_VERTEX_ATTRIBS < (GLuint)*get_values)
++ {
++ *get_values = (%s)CR_MAX_VERTEX_ATTRIBS;
++ }
++ }
++ """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index])
+ print '\tcrServerReturnValue( get_values, tablesize );'
+ print '\tcrFree(get_values);'
+ print '}\n'
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/series virtualbox-4.1.18-dfsg/debian/patches/series
--- virtualbox-4.1.18-dfsg/debian/patches/series 2014-01-28 21:12:08.000000000 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/series 2014-04-14 11:25:14.000000000 +0200
@@ -18,3 +18,5 @@
 CVE-2013-0420.patch
 37-wheezy-kernel-drm.patch
 38-security-fixes-2014-01.patch
+CVE-2014-0981.patch
+CVE-2014-0983.patch