group.of.nepali.translators team mailing list archive
Message #29037
[Bug 1809156] Re: E1000 guest to host escape
This bug was fixed in the package virtualbox-lts-xenial - 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1~14.04.6
---------------
virtualbox-lts-xenial (4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1~14.04.6) trusty; urgency=medium
  * debian/patches/fix-for-guest-to-host-escape-vulnerability.patch:
    - Apply patch for guest-to-host escape vulnerability (LP: #1809156)
    - CVE-2018-3294
 -- Gianfranco Costamagna <locutusofborg@xxxxxxxxxx>  Mon, 11 Mar 2019 17:54:59 +0100
** Changed in: virtualbox-lts-xenial (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1809156
Title:
E1000 guest to host escape
Status in virtualbox package in Ubuntu:
Fix Released
Status in virtualbox source package in Trusty:
Fix Released
Status in virtualbox-lts-xenial source package in Trusty:
Fix Released
Status in virtualbox source package in Xenial:
Fix Released
Status in virtualbox source package in Bionic:
Fix Released
Status in virtualbox source package in Cosmic:
Fix Released
Bug description:
Looks like VirtualBox <=5.2.20 is vulnerable:
https://github.com/MorteNoir1/virtualbox_e1000_0day
I'm not a security expert but this looks serious to me. cosmic is
still shipping 5.2.18. Are there any plans to upgrade to 5.2.22 or
patch this?
According to my understanding the following patch fixes the issue:
https://www.virtualbox.org/changeset/75330/vbox
Have you considered adding this to the patch queue? Let me know if you
want me to prepare a MR.
P.S.: Although this is all over the Internet it seems like Oracle is
keeping this quiet [1]. No hint that this commit fixes a security
issue, no mention in the change log [2]. As far as I can tell not even
a CVE number has been assigned.
[1] https://forums.virtualbox.org/viewtopic.php?f=1&t=90235&p=433202&hilit=mortenoir1#p433237
[2] https://www.virtualbox.org/wiki/Changelog-5.2#v22