group.of.nepali.translators team mailing list archive

[Bug 1809156] Re: E1000 guest to host escape

 

** Also affects: virtualbox (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: virtualbox (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: virtualbox (Ubuntu Xenial)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1809156

Title:
  E1000 guest to host escape

Status in virtualbox package in Ubuntu:
  Fix Released
Status in virtualbox source package in Trusty:
  Fix Released
Status in virtualbox-lts-xenial source package in Trusty:
  Fix Committed
Status in virtualbox source package in Xenial:
  Fix Released
Status in virtualbox source package in Bionic:
  Fix Released
Status in virtualbox source package in Cosmic:
  Fix Released

Bug description:
  Looks like VirtualBox <=5.2.20 is vulnerable:

  https://github.com/MorteNoir1/virtualbox_e1000_0day

  I'm not a security expert but this looks serious to me. cosmic is
  still shipping 5.2.18. Are there any plans to upgrade to 5.2.22 or
  patch this?

  According to my understanding the following patch fixes the issue:

  https://www.virtualbox.org/changeset/75330/vbox

  Have you considered adding this to the patch queue? Let me know if you
  want me to prepare a MR.

  P.S.: Although this is all over the Internet it seems like Oracle is
  keeping this quiet [1]. No hint that this commit fixes a security
  issue, no mention in the change log [2]. As far as I can tell not even
  a CVE number has been assigned.

  [1] https://forums.virtualbox.org/viewtopic.php?f=1&t=90235&p=433202&hilit=mortenoir1#p433237
  [2] https://www.virtualbox.org/wiki/Changelog-5.2#v22

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1809156/+subscriptions