Your message dated Fri, 07 Nov 2008 11:47:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504149: fixed in virtualbox-ose 1.6.6-dfsg-3
has caused the Debian Bug report #504149,
regarding virtualbox-ose: symlink vulnerability due to bad /tmp handling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504149
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: virtualbox-ose
Version: 1.6.6-dfsg-2
Severity: serious
Tags: security
By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can
overwrite any file owned by any user who starts virtualbox. Starting and
then exiting virtualbox is enough to trigger this, you don't need to
start any virtual machines.
In addition to this, it is a really stupid idea to put dotfiles in /tmp
and this should be fixed too.
In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/
when exiting, which is just rude.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages virtualbox-ose depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libgcc1 1:4.3.2-1 GCC support library
ii libgl1-mesa-glx [libgl1] 7.0.3-6 A free implementation of the OpenG
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libidl0 0.8.10-0.1 library for parsing CORBA IDL file
ii libqt3-mt 3:3.3.8b-5 Qt GUI Library (Threaded runtime v
ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxml2 2.6.32.dfsg-4 GNOME XML library
ii libxslt1.1 1.1.24-2 XSLT processing library - runtime
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
Versions of packages virtualbox-ose recommends:
ii virtualbox-ose-mod 1.6.6-dfsg-2+2.6.26-8 VirtualBox modules for Linux (kern
Versions of packages virtualbox-ose suggests:
ii bridge-utils 1.4-5 Utilities for configuring the Linu
ii virtualbox-ose-source 1.6.6-dfsg-2 x86 virtualization solution - kern
-- debconf information:
* virtualbox-ose/upstream_version_change: true
--
bye,
pabs
http://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part
--- End Message ---
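The report above is the textbook /tmp symlink attack: a program opens a fixed, predictable path inside a world-writable directory, and anyone who pre-creates that path as a symlink gets the victim's write redirected to a file of their choosing. The C program below is an added example, not VirtualBox code and not the upstream patch the maintainer later applied. It builds a throwaway sandbox under /tmp, plants the symlink the way an attacker would, and contrasts the naive open(2) call with a hardened one that uses O_CREAT|O_EXCL|O_NOFOLLOW and first checks that the per-user directory is a real directory, owned by the caller, and not writable by anyone else. The directory and file names (ipc-demo-XXXXXX, .vbox-user-ipc, victim, lock) are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Naive pattern (the shape of the bug): open(2) follows a symlink planted at
 * the lock path, so whatever the attacker pointed it at is truncated and
 * overwritten with our data. */
static int naive_lock_open(const char *lock_path)
{
    int fd = open(lock_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    const char msg[] = "vbox lock\n";
    ssize_t n = write(fd, msg, sizeof msg - 1);
    close(fd);
    return n == (ssize_t)(sizeof msg - 1) ? 0 : -1;
}

/* Hardened pattern: never follow a symlink at the final component and never
 * reuse an entry that already exists. Returns fd >= 0 on success, or -1 with
 * errno set (EEXIST or ELOOP when a symlink has been planted). */
static int safe_lock_open(const char *lock_path)
{
    return open(lock_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Before touching anything inside the per-user IPC directory, confirm it is
 * a real directory (not a symlink), owned by us, and not group/world writable.
 * Returns 1 if trustworthy, 0 otherwise. */
static int ipc_dir_is_trustworthy(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))                /* a symlink or file was planted */
        return 0;
    if (st.st_uid != getuid())               /* pre-created by another user */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))    /* others could plant entries */
        return 0;
    return 1;
}

/* Build a constructed sandbox, plant the attacker's symlink, run both open
 * patterns and the directory check, and report via the output parameters:
 *   *victim_clobbered : 1 if the naive open rewrote the victim file
 *   *safe_refused     : 1 if the hardened open failed with EEXIST or ELOOP
 *   *dir_rejected     : 1 if the private dir passed and the 0777 dir failed
 * Returns 0 on success, -1 if the sandbox could not be set up. */
static int run_demo(int *victim_clobbered, int *safe_refused, int *dir_rejected)
{
    char root[] = "/tmp/ipc-demo-XXXXXX";   /* constructed sandbox, not a real VBox path */
    if (!mkdtemp(root))
        return -1;
    char victim[PATH_MAX], ipc[PATH_MAX], lock[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", root);
    snprintf(ipc, sizeof ipc, "%s/.vbox-user-ipc", root);
    snprintf(lock, sizeof lock, "%s/lock", ipc);

    /* The victim: a 7-byte file the attacker wants overwritten. */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "secret\n", 7) != 7) {
        close(fd);
        return -1;
    }
    close(fd);

    /* The attacker pre-creates the IPC directory and plants lock -> victim. */
    if (mkdir(ipc, 0700) != 0 || symlink(victim, lock) != 0)
        return -1;

    /* Naive open follows the link: victim now holds the 10-byte lock text. */
    struct stat st;
    naive_lock_open(lock);
    *victim_clobbered = (stat(victim, &st) == 0 && st.st_size == 10);

    /* Hardened open refuses the planted link outright. */
    errno = 0;
    int sfd = safe_lock_open(lock);
    *safe_refused = (sfd < 0 && (errno == EEXIST || errno == ELOOP));
    if (sfd >= 0)
        close(sfd);

    /* Directory check: our own 0700 dir passes; a 0777 dir is rejected. */
    int ok_when_private = ipc_dir_is_trustworthy(ipc);
    chmod(ipc, 0777);
    *dir_rejected = ok_when_private && !ipc_dir_is_trustworthy(ipc);

    unlink(lock);
    unlink(victim);
    rmdir(ipc);
    rmdir(root);
    return 0;
}

int main(void)
{
    int clobbered, refused, rejected;
    if (run_demo(&clobbered, &refused, &rejected) != 0) {
        perror("sandbox setup");
        return 1;
    }
    printf("naive open clobbered victim : %d\n", clobbered);
    printf("O_EXCL|O_NOFOLLOW refused   : %d\n", refused);
    printf("world-writable dir rejected : %d\n", rejected);
    return 0;
}
```

Build and run with `cc -o ipc-demo ipc-demo.c && ./ipc-demo`; all three lines should print 1. Two caveats a practitioner should keep in mind. First, O_NOFOLLOW only protects the final path component, which is why the directory itself must be verified with lstat before anything is created inside it; an attacker who owns the directory can still replace entries later, so the open and the check belong as close together as possible and the O_EXCL failure must be treated as an error, not retried by unlinking. Second, the kernel's fs.protected_symlinks knob (Linux 3.6 and later) does not rescue this particular layout: it only refuses to follow links inside sticky, world-writable directories when the link owner differs from both the follower and the directory owner, and here the attacker owns both the pre-created subdirectory and the link in it. The durable fix is in the application, together with the reporter's second point of not using a predictable path under a shared /tmp at all.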
--- Begin Message ---
Source: virtualbox-ose
Source-Version: 1.6.6-dfsg-3
We believe that the bug you reported is fixed in the latest version of
virtualbox-ose, which is due to be installed in the Debian FTP archive:
virtualbox-ose-dbg_1.6.6-dfsg-3_i386.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-dbg_1.6.6-dfsg-3_i386.deb
virtualbox-ose-guest-source_1.6.6-dfsg-3_all.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-guest-source_1.6.6-dfsg-3_all.deb
virtualbox-ose-guest-utils_1.6.6-dfsg-3_i386.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-guest-utils_1.6.6-dfsg-3_i386.deb
virtualbox-ose-source_1.6.6-dfsg-3_all.deb
to pool/main/v/virtualbox-ose/virtualbox-ose-source_1.6.6-dfsg-3_all.deb
virtualbox-ose_1.6.6-dfsg-3.diff.gz
to pool/main/v/virtualbox-ose/virtualbox-ose_1.6.6-dfsg-3.diff.gz
virtualbox-ose_1.6.6-dfsg-3.dsc
to pool/main/v/virtualbox-ose/virtualbox-ose_1.6.6-dfsg-3.dsc
virtualbox-ose_1.6.6-dfsg-3_i386.deb
to pool/main/v/virtualbox-ose/virtualbox-ose_1.6.6-dfsg-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Meskes <[EMAIL PROTECTED]> (supplier of updated virtualbox-ose package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 13 Oct 2008 16:38:47 +0200
Source: virtualbox-ose
Binary: virtualbox-ose virtualbox-ose-dbg virtualbox-ose-source virtualbox-ose-guest-source virtualbox-ose-guest-utils
Architecture: source i386 all
Version: 1.6.6-dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team <[EMAIL PROTECTED]>
Changed-By: Michael Meskes <[EMAIL PROTECTED]>
Description:
virtualbox-ose - x86 virtualization solution - binaries
virtualbox-ose-dbg - x86 virtualization solution - debugging symbols
virtualbox-ose-guest-source - x86 virtualization solution - guest addition module source
virtualbox-ose-guest-utils - x86 virtualization solution - guest utilities
virtualbox-ose-source - x86 virtualization solution - kernel module source
Closes: 502068 504149
Changes:
virtualbox-ose (1.6.6-dfsg-3) unstable; urgency=high
.
* Added upstream patch to support kernel 2.6.27, closes: #502068
* Added upstream patch to prevent potential symlink attack, closes: #504149
Checksums-Sha1:
3110eac6eec8bdbf153e2c4f5ed32432cfa85dc1 1874 virtualbox-ose_1.6.6-dfsg-3.dsc
3aa6f783aeaf43c2db563ec4ab8fdb417e5c2436 66455 virtualbox-ose_1.6.6-dfsg-3.diff.gz
621ca96fbd47ee4821f71b724a3d142a847c54b0 6811096 virtualbox-ose_1.6.6-dfsg-3_i386.deb
625f9f5a1d7fcacd41d2c65cabccc622e0c07235 7099166 virtualbox-ose-dbg_1.6.6-dfsg-3_i386.deb
007cdc3d9c3a93a4c72f3a8003e63f8e381b0cfd 465140 virtualbox-ose-guest-utils_1.6.6-dfsg-3_i386.deb
6534d9d282dd2901966a9d7b80410e1d380a112c 252786 virtualbox-ose-source_1.6.6-dfsg-3_all.deb
91a973a73ec8f607d5e084e2d583ff71f78cca59 253470 virtualbox-ose-guest-source_1.6.6-dfsg-3_all.deb
Checksums-Sha256:
cd8a1a4f20c170e52f9010f89f7cbe04817313d478ad7e22d9042d826aa2008d 1874 virtualbox-ose_1.6.6-dfsg-3.dsc
b4ec7e42ff2c3061ec831ee8710b2b03fb28821839a13d8748e6077cf75057b0 66455 virtualbox-ose_1.6.6-dfsg-3.diff.gz
ceaeba7a08d0718dd4da1e680b85bc224ca24a33436818fe4be43062b8bbb70e 6811096 virtualbox-ose_1.6.6-dfsg-3_i386.deb
af392b2e30de153e20c086bdec1085ebe6036381448372406b64dffefd9c1e99 7099166 virtualbox-ose-dbg_1.6.6-dfsg-3_i386.deb
32bd6a886c45034c230131ad52c9cd16fef432cbbd04cd8a0744a865f0c5716a 465140 virtualbox-ose-guest-utils_1.6.6-dfsg-3_i386.deb
d882c250b053abe1b6c77d664c6145d7d52912307b0985afcfbb2922064b186d 252786 virtualbox-ose-source_1.6.6-dfsg-3_all.deb
3de52932dec0698bbb25a1bf75cda44a3cc97c2ea3e51873102f55e87648ec27 253470 virtualbox-ose-guest-source_1.6.6-dfsg-3_all.deb
Files:
c71e3dbd7855ead09902f17c2a27caf8 1874 misc extra virtualbox-ose_1.6.6-dfsg-3.dsc
bbbce57f4ab96df642fb0a77541bf4a3 66455 misc extra virtualbox-ose_1.6.6-dfsg-3.diff.gz
84dc561cc884815d11f2c002ee97ec27 6811096 misc extra virtualbox-ose_1.6.6-dfsg-3_i386.deb
15a44c19d73f6c06964d54a13770e80a 7099166 devel extra virtualbox-ose-dbg_1.6.6-dfsg-3_i386.deb
a3b260ae4130ccb531b57d7428870a61 465140 misc extra virtualbox-ose-guest-utils_1.6.6-dfsg-3_i386.deb
9b6f51cde4777067877f2c76bd85c29d 252786 misc extra virtualbox-ose-source_1.6.6-dfsg-3_all.deb
836c9e1bf4a4428789be049a9e7ee761 253470 misc extra virtualbox-ose-guest-source_1.6.6-dfsg-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJFCNMVkEm8inxm9ERAs8FAJ9oalYdZ3gGe/wDGK4/GkOn+KA3bwCgiUq2
6LFwJ9vrRoMNDMC9UgoVKmA=
=IXOk
-----END PGP SIGNATURE-----
--- End Message ---