[vbox-dev] Announcement: VirtualBox 3.0.8 released
Klaus Espenlaub
Klaus.Espenlaub at Sun.COM
Tue Oct 6 07:36:19 PDT 2009
Lubomir Rintel wrote:
> On Tue, 2009-10-06 at 15:06 +0200, Frank Mehnert wrote:
>> Hi,
>>
>> today Sun released VirtualBox 3.0.8, a maintenance release of
>> VirtualBox 3.0 which fixes several bugs and regressions. See
>> the ChangeLog
>>
>> http://www.virtualbox.org/wiki/Changelog
>
> [snip]
> Security: fixed vulnerability that allowed to execute commands with root
> privileges
> [snip]
A Sun Alert is in the publishing pipeline. It will show up in the
very near future when the SunSolve database is updated. It's just
impossible to handle such a case in an ideal way. If we publish the Sun
Alert first, then people complain that the new release is not available,
and vice versa. Sorry about any inconvenience this may cause.
> This sounds pretty scary and seems like a rather bad way to announce
> what seems like a security fix. It would be awesome if you could tell
> the users how severe the issue is, so they can decide whether they need
> the update. Specifically, it might be important to mention who can gain
> which privileges (if a privileged user in guest can gain root in host or
> a local unprivileged user on host can gain root privileges on host,
> etc. ...)
This is in progress, and you'll get the info via SunSolve, which is the
standard way such information is published at Sun.
Since it doesn't help anyone to speculate, here is the essential
information: there is a (host only) privilege escalation issue in a tool
shipped with VirtualBox, which allows local users to gain root
privileges. Not remotely exploitable, and no violation of the VM isolation.
This is just a very rough outline, the authoritative information will be
in the Sun Alert.
> Moreover, I guess getting a CVE [1] number for the vulnerability is not
> a bad idea either.
Don't have information right now if the security team is considering a
CVE entry, but if they do it'll be referenced in the SunAlert as well.
Klaus