VirtualBox is affected in a different/partial way. Summary: Patch to 4.3.28, released today.

The vulnerability is not mentioned explicitly in the change log. It only shows up as one of 32 bullet points "Floppy: several fixes". The actual changes are recorded only as "2015-05-08 12:58 Changeset in vbox [55753] by vboxsync: FDC: Fixed DRIVE SPECIFICATION command".

The fixed file from the QEMU project is:

http://git.qemu.org/?p=qemu.git;a=blob;f=hw/block/fdc.c;h=f7...

VirtualBox's equivalent file is:

https://www.virtualbox.org/browser/vbox/trunk/src/VBox/Devic...

There were some changes related to command buffers five days ago by Frank, but they only address FD_CMD_DRIVE_SPECIFICATION_COMMAND (in a slightly different way than QEMU's developers did it). The VirtualBox source code diffs are at:

https://www.virtualbox.org/changeset/55753/vbox

Compare to the QEMU diffs at:

http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721...

The vulnerability does not affect the current VirtualBox FD_CMD_READ_ID or the versions of the file going way. Maybe because it might have been forked as far back as 2003? CrowdStrike did point out that the vulnerability was present from 2004. But the vulnerability manifests in two bugs, one of which appears to affect VirtualBox and the other not.
