E1000 guest to host escape

Bug #1809156 reported by Martin Konrad on 2018-12-19
This bug affects 2 people
Affects: virtualbox (Ubuntu)
Importance: High
Assigned to: Eduardo dos Santos Barretto

Bug Description

Looks like VirtualBox <=5.2.20 is vulnerable:

https://github.com/MorteNoir1/virtualbox_e1000_0day

I'm not a security expert but this looks serious to me. cosmic is still shipping 5.2.18. Are there any plans to upgrade to 5.2.22 or patch this?

According to my understanding the following patch fixes the issue:

https://www.virtualbox.org/changeset/75330/vbox

Have you considered adding this to the patch queue? Let me know if you want me to prepare a MR.

P.S.: Although this is all over the Internet it seems like Oracle is keeping this quiet [1]. No hint that this commit fixes a security issue, no mention in the change log [2]. As far as I can tell not even a CVE number has been assigned.

[1] https://forums.virtualbox.org/viewtopic.php?f=1&t=90235&p=433202&hilit=mortenoir1#p433237
[2] https://www.virtualbox.org/wiki/Changelog-5.2#v22

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security

The attached debdiff should fix the issue. Note that the build of the binary packages fails on my machine (even before applying the fix) so I wasn't able to take it for a test drive.

Seth Arnold (seth-arnold) wrote :

Thanks Martin; someone will probably give this a good look next week. In the meantime, I noticed that the patch doesn't indicate who authored the patch or where it came from -- could you amend the debdiff to include a URL where the upstream patch could be compared? (Best is to use the dep-3 tags: https://dep-team.pages.debian.net/deps/dep3/ )

Thanks

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox (Ubuntu):
status: New → Confirmed

The attachment "virtualbox_5.2.18-dfsg-3.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch

Hi Martin,

Thanks for providing a debdiff!

I've done some slight changes to it so it could be applied to bionic.

We built it on our PPA, could you please test it?
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

We will be uploading to that same PPA a new version for cosmic as well.

Thanks,
Eduardo

Changed in virtualbox (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Changed in virtualbox (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → High

The package seems to work correctly. Note however that I had to confirm to downgrade when installing the package on cosmic. Turns out something is wrong with the version numbers in the changelog file:

$ zgrep virtualbox /usr/share/doc/virtualbox/changelog.Debian.gz | head -3
virtualbox (5.2.18-dfsg-2~ubuntu18.04.2) bionic-security; urgency=medium
virtualbox (5.2.18-dfsg-2~ubuntu18.04.1) bionic; urgency=medium
virtualbox (5.2.18-dfsg-2) unstable; urgency=medium

$ dpkg --compare-versions 5.2.18-dfsg-2~ubuntu18.04.1 lt 5.2.18-dfsg-2~ubuntu18.04.2 && echo OK || echo NOK
OK
$ dpkg --compare-versions 5.2.18-dfsg-2 lt 5.2.18-dfsg-2~ubuntu18.04.1 && echo OK || echo NOK
NOK
$ dpkg --compare-versions 5.2.18-dfsg-2 lt 5.2.18-dfsg-2~ubuntu18.04.2 && echo OK || echo NOK
NOK

Seems like this mistake crept into the previous version. We probably can't fix the previous version number anymore but I would suggest to use 5.2.18-dfsg-3~ubuntu18.14.1 for this release to ensure the package actually gets installed on our users' machines.

Thanks for testing!!

Great catch on the versioning.

It actually needs to be 5.2.18-dfsg-2ubuntu18.14.2 (it could also be 5.2.18-dfsg-2ubuntu18.14.1, but I think this will be confusing for those who check the changelog).

It can't be 5.2.18-dfsg-3~ubuntu18.14.1 because that would mean that we are based on 5.2.18-dfsg-3 (which is probably a valid version on Debian that is newer than what we have currently).

I will let you know again when bionic and cosmic hit the PPA.

Thanks

Hello, the patch looks correct

@ebarretto I would prefer it to be called something like:
5.2.18-dfsg-3~ubuntu18.04.2 instead, just bumping the last number.

trusty: 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1 -> 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2
xenial: 5.1.38-dfsg-0ubuntu1.16.04.1 -> 5.1.38-dfsg-0ubuntu1.16.04.2
bionic: 5.2.18-dfsg-2~ubuntu18.04.1 -> 5.2.18-dfsg-2~ubuntu18.04.2
cosmic: 5.2.18-dfsg-2 -> 5.2.18-dfsg-2ubuntu18.10.1

thanks!
I'll provide debdiffs shortly

trusty debdiff

xenial debdiff

bionic debdiff

cosmic debdiff

Hi Gianfranco,

Thanks for providing debdiffs for trusty and xenial!

Regarding the version on bionic, it will be 5.2.18-dfsg-2ubuntu18.04.2.

It is possible that the current version 5.2.18-dfsg-2~ubuntu18.04.1 is not installed on some systems.

5.2.18-dfsg-2ubuntu18.04.2 will supersede 5.2.18-dfsg-2 (if anyone still has it installed) and will supersede 5.2.18-dfsg-2~ubuntu18.04.1 (incorrect version number).

That way no one will miss the update and/or be asked to downgrade.

It can be found currently here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=virtualbox

For cosmic we are still working on it because of jdk issues found.

I will provide the updates for trusty and xenial.

Thanks!

>5.2.18-dfsg-2ubuntu18.04.2 will supersede 5.2.18-dfsg-2 (if anyone still has it installed) and will supersede 5.2.18-dfsg-2~ubuntu18.04.1 (incorrect version number).

the version number is *not* incorrect.
it has been used as "backport", because cosmic had the same version, so it was used to maintain the correct upgrade path.

I still think my versioning is correct.

>It is possible that the current version 5.2.18-dfsg-2~ubuntu18.04.1 is not installed on some systems.

how?

5.2.18-dfsg-2~ubuntu18.04.1 updates (multiverse) 2018-11-26
5.2.10-dfsg-6 release (multiverse) 2018-04-27

it should be there, and in any case, 5.2.18-dfsg-2~ubuntu18.04.2 will guarantee the upgrade path from bionic/release, previous ubuntu releases, and upgrades to cosmic release/updates.

Hi Gianfranco,

>It is possible that the current version 5.2.18-dfsg-2~ubuntu18.04.1 is not installed on some systems.
>> how?

I was wondering if anyone had version 5.2.18-dfsg-2 installed and didn't do updates ever since, but this is a rare case.

>>5.2.18-dfsg-2~ubuntu18.04.1 updates (multiverse) 2018-11-26
>>5.2.10-dfsg-6 release (multiverse) 2018-04-27
>>
>>it should be there, and in any case, 5.2.18-dfsg-2~ubuntu18.04.2 will guarantee the upgrade path from bionic/release, previous ubuntu releases, and upgrades to cosmic release/updates.

Since you already did the checking that 5.2.18-dfsg-2 is not available any more in the archives we can go with your version for sure, that's not a problem.

Sorry if it sounded harsh when I said it was incorrect, just wanted to point at possible update problems if a user still had the 5.2.18-dfsg-2 version installed.

Do you want me to provide the update, or do you want to do it since you're the current maintainer of virtualbox?

Also, did you have trouble with virtualbox on cosmic? With the lack of wsimport (openjdk-11 change), it is almost impossible to build the project right now.
