{"id":"MGASA-2020-0466","summary":"Updated virtualbox packages fix security vulnerabilities","details":"Vulnerabilities in Oracle VM VirtualBox are fixed in version 6.1.16.\n\nAn attacker must first obtain the ability to execute high-privileged code on\nthe target guest system in order to exploit this vulnerability, which can lead\nto code execution in the context of the hypervisor. (CVE-2020-14872).\n\nAn attacker must first obtain the ability to execute high-privileged code on\nthe target guest system in order to exploit this vulnerability.\nThe specific flaw exists within the shader_generate_main function. The issue\nresults from the lack of proper validation of user-supplied data, which can\nresult in a read past the end of an allocated buffer. An attacker can\nleverage this in conjunction with other vulnerabilities to execute code in\nthe context of the hypervisor. (CVE-2020-14881).\n\nAn attacker must first obtain the ability to execute high-privileged code on\nthe target guest system in order to exploit this vulnerability.\nThe specific flaw exists within the shader_record_register_usage function.\nThe issue results from the lack of proper validation of user-supplied data,\nwhich can result in a type confusion condition. An attacker can leverage\nthis in conjunction with other vulnerabilities to execute code in the context\nof the hypervisor. (CVE-2020-14884).\n\nAn attacker must first obtain the ability to execute high-privileged code on\nthe target guest system in order to exploit this vulnerability. The specific\nflaw exists within the shader_generate_main function. The issue results from\nthe lack of proper validation of user-supplied data, which can result in a\nread past the end of an allocated buffer. An attacker can leverage this in\nconjunction with other vulnerabilities to execute code in the context of the\nhypervisor. 
(CVE-2020-14885).\n\nAn attacker must first obtain the ability to execute high-privileged code on\nthe target guest system in order to exploit this vulnerability.\nThe specific flaw exists within the shader_skip_unrecognized function. The\nissue results from the lack of proper validation of user-supplied data, which\ncan result in a read past the end of an allocated buffer. An attacker can\nleverage this in conjunction with other vulnerabilities to execute code in\nthe context of the hypervisor. (CVE-2020-14886).\n\nAn attacker must first obtain the ability to execute high-privileged code on\nthe target guest system in order to exploit this vulnerability, which can\nresult in unauthorized access to critical data or complete access to all\nOracle VM VirtualBox accessible data. (CVE-2020-14889).\n\nAn attacker must first obtain the ability to execute high-privileged code on\nthe target guest system in order to exploit this vulnerability, which can result\nin unauthorized ability to cause a hang or frequently repeatable crash\n(complete DOS) of Oracle VM VirtualBox. 
(CVE-2020-14892).\n\nThis updated version also includes some bug fixes (see the upstream Changelog).\n","modified":"2026-04-16T04:41:34.503532638Z","published":"2020-12-21T21:47:06Z","upstream":["CVE-2020-14872","CVE-2020-14881","CVE-2020-14884","CVE-2020-14885","CVE-2020-14886","CVE-2020-14889","CVE-2020-14892"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0466.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27479"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixOVIR"},{"type":"WEB","url":"https://www.virtualbox.org/wiki/Changelog-6.1#v16"}],"affected":[{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.16-4.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0466.json"}},{"package":{"name":"virtualbox","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/virtualbox?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.16-4.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0466.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}