[vbox-dev] Announcement: VirtualBox 3.0.8 released
Klaus.Espenlaub at Sun.COM
Tue Oct 6 07:36:19 PDT 2009
Lubomir Rintel schrieb:
> On Tue, 2009-10-06 at 15:06 +0200, Frank Mehnert wrote:
>> today Sun released VirtualBox 3.0.8, a maintenance release of
>> VirtualBox 3.0 which fixes several bugs and regressions. See
>> the ChangeLog
> Security: fixed vulnerability that allowed to execute commands with root
A Sun Alert is in the publishing pipeline. It and will show up in the
very near future when the SunSolve database is updated. It's just
impossible to handle such a case in an ideal way. If we publish the Sun
Alert first, then people complain that the new release is not available,
and vice versa. Sorry about any inconvenience this may cause.
> This sounds pretty scary and seems like a rather bad way to announce
> what seems like a security fix. It would be awesome if you could tell
> the users how severe the issue is, so they cat decide whether they need
> the update. Specifically, it might be important to mention who can gain
> which privileges (if a privileged user in guest can gain root in host or
> a local unprivileged user on host can gain root privileges on host,
> etc. ...)
This is in progress, and you'll get the info via SunSolve, which is the
standard way such information is published at Sun.
Since it doesn't help anyone to speculate, here is the essential
information: there is a (host only) privilege escalation issue in a tool
shipped with VirtualBox, which allows local users to gain root
privileges. Not remotely exploitable, and no violation of the VM isolation.
This is just a very rough outline, the authoritative information will be
in the Sun Alert.
> Moreover, I guess getting a CVE  number for the vulnerability is not
> a bad idea either.
Don't have information right now if the security team is considering a
CVE entry, but if they do it'll be referenced in the SunAlert as well.
More information about the vbox-dev