• Bug#1103582: virtualbox: CVE-2025-30712 CVE-2025-30719 CVE-2025-30725

    From Salvatore Bonaccorso@21:1/5 to All on Sat Apr 19 13:30:01 2025
    Source: virtualbox
    Version: 7.0.20-dfsg-1.2
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerabilities were published for virtualbox.

    CVE-2025-30712[0]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.6. Easily exploitable vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in unauthorized creation, deletion or
    | modification access to critical data or all Oracle VM VirtualBox
    | accessible data as well as unauthorized access to critical data or
    | complete access to all Oracle VM VirtualBox accessible data and
    | unauthorized ability to cause a partial denial of service (partial
    | DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1
    | (Confidentiality, Integrity and Availability impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).


    CVE-2025-30719[1]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.6. Easily exploitable vulnerability allows low
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. Successful
    | attacks of this vulnerability can result in unauthorized ability to
    | cause a hang or frequently repeatable crash (complete DOS) of Oracle
    | VM VirtualBox and unauthorized read access to a subset of Oracle VM
    | VirtualBox accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality
    | and Availability impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H).


    CVE-2025-30725[2]:
    | Vulnerability in the Oracle VM VirtualBox product of Oracle
    | Virtualization (component: Core). The supported version that is
    | affected is 7.1.6. Difficult to exploit vulnerability allows high
    | privileged attacker with logon to the infrastructure where Oracle VM
    | VirtualBox executes to compromise Oracle VM VirtualBox. While the
    | vulnerability is in Oracle VM VirtualBox, attacks may significantly
    | impact additional products (scope change). Successful attacks of
    | this vulnerability can result in unauthorized ability to cause a
    | hang or frequently repeatable crash (complete DOS) of Oracle VM
    | VirtualBox as well as unauthorized update, insert or delete access
    | to some of Oracle VM VirtualBox accessible data and unauthorized
    | read access to a subset of Oracle VM VirtualBox accessible data.
    | CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability
    | impacts). CVSS Vector:
    | (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H).


    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-30712
        https://www.cve.org/CVERecord?id=CVE-2025-30712
    [1] https://security-tracker.debian.org/tracker/CVE-2025-30719
        https://www.cve.org/CVERecord?id=CVE-2025-30719
    [2] https://security-tracker.debian.org/tracker/CVE-2025-30725
        https://www.cve.org/CVERecord?id=CVE-2025-30725

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Wed May 14 15:20:01 2025

    Your message dated Wed, 14 May 2025 13:09:03 +0000
    with message-id <E1uFBr5-00F8nx-LC@fasolo.debian.org>
    and subject line Bug#1103582: fixed in virtualbox 7.0.26-dfsg-1
    has caused the Debian Bug report #1103582,
    regarding virtualbox: CVE-2025-30712 CVE-2025-30719 CVE-2025-30725
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1103582: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103582
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 19 Apr 2025 11:16:45 +0000
    Return-path: <carnil@debian.org>
    Received: from c-82-192-244-13.customer.ggaweb.ch ([82.192.244.13]:33114 helo=eldamar.lan)
    by buxtehude.debian.org with esmtp (Exim 4.94.2)
    (envelope-from <carnil@de