[vbox-dev] CVE-2015-3456 aka VENOM

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Mon May 18 16:19:39 UTC 2015

Hi Frank, as usual thanks a lot for the patch and the answer!

Keep up the good work!



On Monday 18 May 2015 10:05, Frank Mehnert <frank.mehnert at oracle.com> wrote:
Hi Maxime,

On Friday 15 May 2015 11:23:15 Maxime Dor wrote:
> Could an experienced dev validate that this diff between VBox 4.3.26 &
> 4.3.28 is indeed a fix for CVE-2015-3456? http://pastebin.com/hb5Fbwku

Sorry for the slow response. Here is the link to the official Oracle report:


As stated there, the bug is fixed in VBox 4.3.28 so yes, the diff between the
source code of VBox 4.3.26 and 4.3.28 in src/VBox/Devices/Storage/DevFdc.cpp
contains the fix. For convenience I've attached the diff.

Kind regards,

Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany