Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 24 Nov 2008 22:20:20 +0100
From: Moritz Muehlenhoff <jmm@...til.org>
To: oss-security@...ts.openwall.com
Cc: cve@...re.org
Subject: Re: CVE Request: VirtualBox tmp file issue

Ludwig Nussel wrote:

> http://www.virtualbox.org/wiki/Changelog:
> VirtualBox 2.0.6
> - Linux/Solaris/Darwin hosts: verify permissions in /tmp/vbox-$USER-ipc
> 
> These changes match that description:
> http://www.virtualbox.org/changeset?new=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%4013810&old=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%407049
> 
> VirtualBox uses /tmp/vbox-$USER-ipc to store a socket and a lock
> file. The lock file is truncated after a simple open call. AFAICS
> creating /tmp/vbox-$USER-ipc before the victim starts VirtualBox
> could therefore be exploited to create files as the victim or
> truncate files of the victim.

This is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504149

(I already sent this to vendor-sec on the 7th, but the CVE
request seems to have fallen through the crack)

Cheers,
        Moritz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ