[vbox-dev] CVE-2015-3456 aka VENOM

Frank Mehnert frank.mehnert at oracle.com
Mon May 18 07:58:13 UTC 2015

Hi Maxime,

On Friday 15 May 2015 11:23:15 Maxime Dor wrote:
> Could an experienced dev validate that this diff between VBox 4.3.26 &
> 4.3.28 is indeed a fix CVE-2015-3456 ? http://pastebin.com/hb5Fbwku

sorry for the slow response. Here is the link to the official Oracle report:


As stated there, the bug is fixed in VBox 4.3.28 so yes, the diff between the
source code of VBox 4.3.26 and 4.3.28 in src/VBox/Devices/Storage/DevFdc.cpp
contains the fix. For convenience I've attached the diff.

Kind regards,

Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

ORACLE Deutschland B.V. & Co. KG
Hauptverwaltung: Riesstraße 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603

Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff_DevFdc
Type: text/x-patch
Size: 3299 bytes
Desc: not available
Url : http://www.virtualbox.org/pipermail/vbox-dev/attachments/20150518/0e9fcfee/attachment.bin 

More information about the vbox-dev mailing list