E1000 guest to host escape
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
virtualbox (Ubuntu) | Fix Released | High | Eduardo Barretto |
Trusty | Fix Released | High | Unassigned |
Xenial | Fix Released | High | Unassigned |
Bionic | Fix Released | High | Unassigned |
Cosmic | Fix Released | High | Unassigned |
virtualbox-lts-xenial (Ubuntu) | | | |
Trusty | Fix Released | High | Unassigned |
Bug Description
Looks like VirtualBox <=5.2.20 is vulnerable:
https:/
I'm not a security expert but this looks serious to me. cosmic is still shipping 5.2.18. Are there any plans to upgrade to 5.2.22 or patch this?
According to my understanding the following patch fixes the issue:
https:/
Have you considered adding this to the patch queue? Let me know if you want me to prepare a MR.
P.S.: Although this is all over the Internet it seems like Oracle is keeping this quiet [1]. No hint that this commit fixes a security issue, no mention in the change log [2]. As far as I can tell not even a CVE number has been assigned.
[1] https:/
[2] https:/
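The two things a practitioner wants from this report are a way to tell whether an installed package sits in the range the reporter calls vulnerable (<= 5.2.20, with 5.2.22 named as the fixed release) and a way to see which VMs actually expose an E1000 adapter to their guests. The script below is an added example; it is not code from the bug report, from Oracle or from the Ubuntu package. It parses constructed inputs only: the package version strings are made up to resemble Ubuntu's `virtualbox` versions, and `SAMPLE_VMINFO` is a hand-written imitation of `VBoxManage showvminfo --machinereadable` output, whose `nicN`/`nictypeN` field names and the E1000 type identifiers `82540EM`, `82543GC` and `82545EM` are assumptions to verify against your own VirtualBox build.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Ubuntu/Oracle packages.
# 1. Decide whether a Debian package version is in the affected range (<= 5.2.20).
# 2. List the NIC slots of a VM that use an Intel E1000 emulation.

# Reduce a Debian version ("1:5.2.18-dfsg-2ubuntu1") to its upstream part ("5.2.18").
upstream_version() {
    v=${1#*:}            # drop the epoch, if present
    v=${v%%-*}           # drop the Debian revision
    printf '%s\n' "${v%%[!0-9.]*}"   # keep only the leading dotted-numeric part
}

# Compare two dotted numeric versions field by field. Prints -1, 0 or 1.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        fa=${fa:-0};  fb=${fb:-0}   # a missing field counts as 0 (5.2 == 5.2.0)
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1;  return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when the package version is <= 5.2.20, the range the report calls vulnerable.
is_vulnerable() {
    uv=$(upstream_version "$1")
    [ "$(vercmp "$uv" 5.2.20)" -le 0 ]
}

# Constructed stand-in for `VBoxManage showvminfo <vm> --machinereadable` output.
# Field names and adapter identifiers are assumptions; confirm them on your build.
SAMPLE_VMINFO='name="devbox"
nic1="nat"
nictype1="82540EM"
nic2="hostonly"
nictype2="virtio"
nic3="none"
nictype3="82545EM"'

# Print the enabled NIC slots whose adapter type is one of the E1000 variants
# (82540EM, 82543GC, 82545EM). Slot 3 above is disabled ("none") and is skipped.
e1000_nics() {
    printf '%s\n' "$1" | awk -F'"' '
        /^nic[0-9]+=/     { s = substr($1, 4, length($1) - 4); enabled[s] = ($2 != "none") }
        /^nictype[0-9]+=/ { s = substr($1, 8, length($1) - 8); type[s] = $2 }
        END {
            for (s in type)
                if (enabled[s] && type[s] ~ /^825(40EM|43GC|45EM)$/) print s
        }' | sort -n
}

# Demonstration on constructed version strings (the Cosmic version the report
# mentions, the fixed release, and an older branch). On a real host the
# installed version comes from: dpkg-query -W -f='${Version}' virtualbox
for v in "5.2.18-dfsg-2" "5.2.22-dfsg-1" "5.1.38-dfsg-0ubuntu1"; do
    if is_vulnerable "$v"; then
        echo "$v: in the affected range (<= 5.2.20)"
    else
        echo "$v: at or past the fixed release"
    fi
done
echo "E1000 NIC slots in sample VM: $(e1000_nics "$SAMPLE_VMINFO" | tr '\n' ' ')"
```

The version comparison is done in pure shell rather than with `dpkg --compare-versions` so the check also runs on hosts without dpkg; it only looks at the upstream dotted version, so a distro patch applied to a 5.2.18 package (as this bug eventually delivered) will still be flagged, which is the conservative outcome when the changelog gives no other hint.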
CVE References
Changed in virtualbox (Ubuntu):
- status: Confirmed → In Progress
- importance: Undecided → High

Changed in virtualbox (Ubuntu Cosmic):
- status: New → Fix Released
- importance: Undecided → High

Changed in virtualbox (Ubuntu Trusty):
- status: New → Fix Released

Changed in virtualbox (Ubuntu Bionic):
- status: New → Fix Released

Changed in virtualbox (Ubuntu Trusty):
- importance: Undecided → High

Changed in virtualbox (Ubuntu Bionic):
- importance: Undecided → High

No longer affects: virtualbox-lts-xenial (Ubuntu)
No longer affects: virtualbox-lts-xenial (Ubuntu Bionic)
No longer affects: virtualbox-lts-xenial (Ubuntu Cosmic)

Changed in virtualbox-lts-xenial (Ubuntu Trusty):
- status: New → Fix Committed
- importance: Undecided → High

Changed in virtualbox (Ubuntu Xenial):
- importance: Undecided → High
- status: New → Fix Released
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures