Lubomir Rintel wrote:
On Tue, 2009-10-06 at 15:06 +0200, Frank Mehnert wrote:
Hi,
today Sun released VirtualBox 3.0.8, a maintenance release of
VirtualBox 3.0 which fixes several bugs and regressions. See
the ChangeLog
http://www.virtualbox.org/wiki/Changelog
[snip]
Security: fixed vulnerability that allowed to execute commands with root
privileges
[snip]
A Sun Alert is in the publishing pipeline. It will show up in the
very near future when the SunSolve database is updated. It's just
impossible to handle such a case in an ideal way. If we publish the Sun
Alert first, then people complain that the new release is not available,
and vice versa. Sorry about any inconvenience this may cause.
This sounds pretty scary and seems like a rather bad way to announce
what seems like a security fix. It would be awesome if you could tell
the users how severe the issue is, so they can decide whether they need
the update. Specifically, it might be important to mention who can gain
which privileges (if a privileged user in guest can gain root in host or
a local unprivileged user on host can gain root privileges on host,
etc. ...)
This is in progress, and you'll get the info via SunSolve, which is the
standard way such information is published at Sun.
Since it doesn't help anyone to speculate, here is the essential
information: there is a (host only) privilege escalation issue in a tool
shipped with VirtualBox, which allows local users to gain root
privileges. Not remotely exploitable, and no violation of the VM isolation.
This is just a very rough outline, the authoritative information will be
in the Sun Alert.
Moreover, I guess getting a CVE [1] number for the vulnerability is not
a bad idea either.
Don't have information right now if the security team is considering a
CVE entry, but if they do it'll be referenced in the SunAlert as well.
Klaus
_______________________________________________
vbox-dev mailing list
http://vbox.innotek.de/mailman/listinfo/vbox-dev