Bug 271141

Summary: security/vuxml: vulnerabilities for the emulators/virtualbox-ose family, 6.⋯ versions prior to 6.1.46
Product: Ports & Packages
Reporter: Graham Perrin <grahamperrin>
Component: Individual Port(s)
Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED
Severity: Affects Many People
CC: fernape, groenveld, ports-secteam, vbox
Priority: Normal
Keywords: security
Version: Latest
Hardware: Any
OS: Any
URL: https://www.oracle.com/security-alerts/
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266907
          https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272572
Attachments:
  Description: emulators/virtualbox-ose-6.1.44 CVE (Flags: none)

Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2023-05-02 10:45:20 UTC
^Triage: reporter is committer, assign accordingly.

Tip: cd security/vuxml && make newentry CVE_ID=CVE-YYYY-NNNNN
Comment 2 Graham Perrin freebsd_committer freebsd_triage 2023-05-02 19:32:58 UTC
In an earlier report I noted that this type of work will be better done by someone with relevant experience. Thanks.
Comment 3 Fernando Apesteguía freebsd_committer freebsd_triage 2023-05-02 20:31:40 UTC
(In reply to Graham Perrin from comment #2)
I wonder how those other people acquired that experience... Maybe they tried *a first time*?
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2023-05-03 01:01:23 UTC
(In reply to Fernando Apesteguía from comment #3)

Bug reports are not the place to discuss things such as this, but since I'm being pushed, here goes. 

----

I take a fairly conscientious approach to security vulnerabilities and other security issues. This approach will not extend, in the near future, to learning more about VuXML. 

I strike a balance between: 

a) the many other things that remain to be learnt – for my day job, 
   and for volunteer contributions in areas such as the FreeBSD Project

b) the need to keep myself motivated whilst sometimes deeply 
   frustrated – this means, leaning towards things that I enjoy

c) the need for appropriate learning paths – please be reminded that 
   I am dyslexic. I linked to my profile, in Phabricator, when I 
   introduced myself to developers@ after gaining a doc commit bit.

There are, simply, too many things to learn; and the Project has too few volunteers. 

Pushing me in a direction that's unwanted, when I'm already overly busy and/or frustrated in areas that are far more important (or essential) to me, will surely reduce my readiness to volunteer. 

Please consider using the next FreeBSD Project status report as a medium to call for help; and the FreeBSD Journal as a medium through which people might be taught. 

Thank you
Comment 5 Graham Perrin freebsd_committer freebsd_triage 2023-06-03 13:21:37 UTC
With the Oracle-supported 6.1 branch <https://www.virtualbox.org/wiki/Changelog-6.1> currently at 6.1.44

As far as I can tell, from a FreeBSD-CURRENT perspective, <https://cgit.freebsd.org/ports/commit/?id=1d37fcd8316a078e512852b7c565b5b2cf2dcbcd> (2023-05-15), its cherry-pick to 2023Q2, and other 6.1-related commits negated the need to mark as FORBIDDEN. 


% uname -r
14.0-CURRENT
% pkg search virtualbox | grep -v 6.1.44
phpvirtualbox-6.1_1            AJAX Web Interface for VirtualBox
phpvirtualbox-legacy-5.2.1_2   AJAX Web Interface for VirtualBox
virtualbox-ose-additions-legacy-5.2.44_5 VirtualBox additions for FreeBSD guests
virtualbox-ose-additions-nox11-legacy-5.2.44_4 VirtualBox additions for FreeBSD guests
virtualbox-ose-kmod-legacy-5.2.44_7 VirtualBox kernel module for FreeBSD
% 


In addition: we might reasonably assume that ports of the 5.2 branch are vulnerable, however these are no longer supported by Oracle (and so, we can't expect vulnerabilities to be documented by Oracle).
Comment 6 Graham Perrin freebsd_committer freebsd_triage 2023-07-19 02:32:08 UTC
*** Bug 272586 has been marked as a duplicate of this bug. ***
Comment 7 Graham Perrin freebsd_committer freebsd_triage 2023-07-19 02:36:12 UTC
From the duplicate report, condensed (corrected) to a list of five: 

emulators/virtualbox-ose
emulators/virtualbox-ose-additions
emulators/virtualbox-ose-additions-nox11
emulators/virtualbox-ose-kmod
emulators/virtualbox-ose-nox11

<https://www.freshports.org/search.php?stype=name&method=match&query=virtualbox-ose&num=20&orderby=port&orderbyupdown=asc&search=Search&format=html&minimal=1&branch=head>
Comment 8 groenveld 2023-07-19 16:19:29 UTC
Created attachment 243493
emulators/virtualbox-ose-6.1.44 CVE

I think this correctly captures the 4 CVEs.
John
groenveld@acm.rog
Comment 9 Fernando Apesteguía freebsd_committer freebsd_triage 2023-07-20 06:41:45 UTC
Committed,

Thanks!
Comment 10 commit-hook freebsd_committer freebsd_triage 2023-07-20 06:42:20 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7be06437cf4dde2f4e096c225bebe415225f64ab

commit 7be06437cf4dde2f4e096c225bebe415225f64ab
Author:     Patrick R Groeneveld <groenveld@acm.org>
AuthorDate: 2023-07-20 06:40:26 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-07-20 06:40:26 +0000

    security/vuxml: Document vulnerabilities in emulators/virtualbox-ose*

    ChangeLog: https://www.oracle.com/security-alerts/

    PR:             271141
    Reported by:    grahamperrin@freebsd.org

 security/vuxml/vuln/2023.xml | 112 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 111 insertions(+), 1 deletion(-)
Comment 11 Graham Perrin freebsd_committer freebsd_triage 2023-07-20 16:35:20 UTC
<https://www.oracle.com/security-alerts/cpujul2023.html#AppendixOVIR> 

The fix for bug 272572 negates the need to mark things FORBIDDEN.