Bug 200311 - [security] emulators/virtualbox-ose - CVE-2015-3456 vuxml entry
Summary: [security] emulators/virtualbox-ose - CVE-2015-3456 vuxml entry
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: vbox
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-18 22:10 UTC by Sevan Janiyan
Modified: 2015-05-24 07:25 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (vbox)


Attachments
security/vuxml documentation for CVE-2015-3456 fix in Virtualbox 4.3.28 (2.00 KB, patch)
2015-05-23 13:02 UTC, Jason Unovitch
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2015-05-18 22:10:15 UTC
Package is up to date but missing a VUXML entry  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
Comment 1 Jason Unovitch freebsd_committer 2015-05-23 13:02:04 UTC
Created attachment 157080 [details]
security/vuxml documentation for CVE-2015-3456 fix in Virtualbox 4.3.28

Patch is ready to apply.  Validation steps:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit virtualbox-ose-4.3.26
virtualbox-ose-4.3.26 is vulnerable:
virtualbox-ose -- buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC)
CVE: CVE-2015-3456
WWW: http://vuxml.FreeBSD.org/freebsd/5444ce37-014a-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit virtualbox-ose-4.3.28
0 problem(s) in the installed packages found.
Comment 2 commit-hook freebsd_committer 2015-05-24 07:19:37 UTC
A commit references this bug:

Author: delphij
Date: Sun May 24 07:19:10 UTC 2015
New revision: 387249
URL: https://svnweb.freebsd.org/changeset/ports/387249

Log:
  Extend CVE-2015-3456 to cover xen-tools (4.5.0-4.5.0_5: we didn't supported
  the feature in earlier version of this port) and VirtualBox cases as well.

  PR:		200311

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Xin LI freebsd_committer 2015-05-24 07:25:18 UTC
I've added links to the main (2780e442-fc59-11e4-b18b-6805ca1d3bb1) entry to cover virtualbox-ose and xen-tools.  Thanks for your submission!