| Summary: | virtualbox new security issues fixed in 5.1.24 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | brtians1, jim, mageia, nathan95, sysadmin-bugs, tmb, wilcal.int |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO advisory MGA6-64-OK MGA6-32-OK mga5-32-ok MGA5-64-OK | | |
| Source RPM: | virtualbox-5.1.22-1.mga5.i586.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 21269, 21390 | | |
| Bug Blocks: | | | |
|
Description
David Walser
2017-07-22 22:17:05 CEST
David Walser
2017-07-22 22:17:12 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO

As you probably already know, 5.1.26 has been released, fixing a few regressions from 5.1.24:
https://www.virtualbox.org/wiki/Changelog#v26

5.1.26 uploaded to cauldron and mga6 / mga5 testing...

Mageia 5:

SRPM:
virtualbox-5.1.26-1.mga5.src.rpm

i586:
dkms-vboxadditions-5.1.26-1.mga5.noarch.rpm
dkms-virtualbox-5.1.26-1.mga5.noarch.rpm
python-virtualbox-5.1.26-1.mga5.i586.rpm
virtualbox-5.1.26-1.mga5.i586.rpm
virtualbox-devel-5.1.26-1.mga5.i586.rpm
virtualbox-doc-5.1.26-1.mga5.noarch.rpm
virtualbox-guest-additions-5.1.26-1.mga5.i586.rpm
x11-driver-video-vboxvideo-5.1.26-1.mga5.i586.rpm

x86_64:
dkms-vboxadditions-5.1.26-1.mga5.noarch.rpm
dkms-virtualbox-5.1.26-1.mga5.noarch.rpm
python-virtualbox-5.1.26-1.mga5.x86_64.rpm
virtualbox-5.1.26-1.mga5.x86_64.rpm
virtualbox-devel-5.1.26-1.mga5.x86_64.rpm
virtualbox-doc-5.1.26-1.mga5.noarch.rpm
virtualbox-guest-additions-5.1.26-1.mga5.x86_64.rpm
x11-driver-video-vboxvideo-5.1.26-1.mga5.x86_64.rpm

Mageia 6:

SRPM:
virtualbox-5.1.26-1.mga6.src.rpm

i586:
dkms-vboxadditions-5.1.26-1.mga6.noarch.rpm
dkms-virtualbox-5.1.26-1.mga6.noarch.rpm
python-virtualbox-5.1.26-1.mga6.i586.rpm
virtualbox-5.1.26-1.mga6.i586.rpm
virtualbox-devel-5.1.26-1.mga6.i586.rpm
virtualbox-doc-5.1.26-1.mga6.noarch.rpm
virtualbox-guest-additions-5.1.26-1.mga6.i586.rpm
x11-driver-video-vboxvideo-5.1.26-1.mga6.i586.rpm

x86_64:
dkms-vboxadditions-5.1.26-1.mga6.noarch.rpm
dkms-virtualbox-5.1.26-1.mga6.noarch.rpm
python-virtualbox-5.1.26-1.mga6.x86_64.rpm
virtualbox-5.1.26-1.mga6.x86_64.rpm
virtualbox-devel-5.1.26-1.mga6.x86_64.rpm
virtualbox-doc-5.1.26-1.mga6.noarch.rpm
virtualbox-guest-additions-5.1.26-1.mga6.x86_64.rpm
x11-driver-video-vboxvideo-5.1.26-1.mga6.x86_64.rpm

The prebuilt kmods will only be built after the update kernels have gone out:

Mageia 6: kernel-4.9.40-1.mga6
https://bugs.mageia.org/show_bug.cgi?id=21269

Mageia 5: kernel-4.4.79-1.mga5
https://bugs.mageia.org/show_bug.cgi?id=21390

As I consider them having more important fixes that need to go out...

But these can still be tested using the dkms packages for now

Version:
Cauldron =>
6

On real hardware, M6, Plasma, 64-bit
initial install:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest dkms-nvidia-current
[root@localhost wilcal]# uname -a
Linux localhost 4.9.35-desktop-1.mga6 #1 SMP Thu Jun 29 19:27:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.9.35-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.1.22-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.22-20.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.1.22-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.1.22-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.1.22-20.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.1.22-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.9.35-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-nvidia-current
Package dkms-nvidia-current-375.66-3.mga6.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
Subsystem: Gigabyte Technology Co., Ltd Device 3518
Kernel driver in use: nvidia
Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia_current
M6 i586 Xfce LiveDVD runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.
install or check:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest nvidia-current-kernel-desktop-latest
from updates_testing
[root@localhost wilcal]# uname -a
Linux localhost 4.9.40-desktop-1.mga6 #1 SMP Fri Jul 28 00:49:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.9.40-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.1.26-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.22-24.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.1.26-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.1.26-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.1.22-24.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.1.26-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.9.40-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-nvidia-current
Package dkms-nvidia-current-375.66-3.mga6.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
Subsystem: Gigabyte Technology Co., Ltd Device 3518
Kernel driver in use: nvidia
Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia_current
System boots to a working desktop. Common apps work.
Previously created M6 i586 Xfce LiveDVD runs as a Vbox client.
M6 x86_64 Gnome LiveDVD runs as a Vbox client.
M6 x86_64 Plasma LiveDVD, installs and updates as a Vbox client.
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Looks great, excellent exercise early in the life of M6

CC:
(none) =>
wilcal.int

Installed packages, VB extra and guest additions on guest OSs, without issues.
Tested with several guest OSs (listed below) without issues.

Host system: x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver.

$ rpm -qa | egrep -i 'virtualbox|vbox'
virtualbox-5.1.26-1.mga5
virtualbox-doc-5.1.26-1.mga5
dkms-virtualbox-5.1.26-1.mga5

Guest systems:
- Mageia 5 (up-to-date), x86_64, Plasma, vbox additions updated, VirtualBox Xorg driver with desktop resize working.
- Mageia 6 (up-to-date), x86_64, Plasma, vbox additions updated, VirtualBox Xorg driver with desktop resize working.
- Windows XP, x86, vbox additions updated.
- Windows 7, x86_64, vbox additions updated.
- Windows 10, x86_64, vbox additions updated.

CC:
(none) =>
mageia

kmods for Mga6 are up:

SRPMS:
kmod-vboxadditions-5.1.26-1.mga6.src.rpm
kmod-virtualbox-5.1.26-1.mga6.src.rpm

i586:
vboxadditions-kernel-4.9.40-desktop-1.mga6-5.1.26-1.mga6.i586.rpm
vboxadditions-kernel-4.9.40-desktop586-1.mga6-5.1.26-1.mga6.i586.rpm
vboxadditions-kernel-4.9.40-server-1.mga6-5.1.26-1.mga6.i586.rpm
vboxadditions-kernel-desktop586-latest-5.1.26-1.mga6.i586.rpm
vboxadditions-kernel-desktop-latest-5.1.26-1.mga6.i586.rpm
vboxadditions-kernel-server-latest-5.1.26-1.mga6.i586.rpm
virtualbox-kernel-4.9.40-desktop-1.mga6-5.1.26-1.mga6.i586.rpm
virtualbox-kernel-4.9.40-desktop586-1.mga6-5.1.26-1.mga6.i586.rpm
virtualbox-kernel-4.9.40-server-1.mga6-5.1.26-1.mga6.i586.rpm
virtualbox-kernel-desktop586-latest-5.1.26-1.mga6.i586.rpm
virtualbox-kernel-desktop-latest-5.1.26-1.mga6.i586.rpm
virtualbox-kernel-server-latest-5.1.26-1.mga6.i586.rpm

x86_64:
vboxadditions-kernel-4.9.40-desktop-1.mga6-5.1.26-1.mga6.x86_64.rpm
vboxadditions-kernel-4.9.40-server-1.mga6-5.1.26-1.mga6.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.1.26-1.mga6.x86_64.rpm
vboxadditions-kernel-server-latest-5.1.26-1.mga6.x86_64.rpm
virtualbox-kernel-4.9.40-desktop-1.mga6-5.1.26-1.mga6.x86_64.rpm
virtualbox-kernel-4.9.40-server-1.mga6-5.1.26-1.mga6.x86_64.rpm
virtualbox-kernel-desktop-latest-5.1.26-1.mga6.x86_64.rpm
virtualbox-kernel-server-latest-5.1.26-1.mga6.x86_64.rpm

CC:
(none) =>
tmb
Going with a generic advisory as no CVE specifics are known yet.
type: security
subject: Updated virtualbox packages fix security vulnerabilities
CVE:
  - CVE-2017-10129
  - CVE-2017-10187
  - CVE-2017-10204
  - CVE-2017-10209
  - CVE-2017-10210
  - CVE-2017-10233
  - CVE-2017-10235
  - CVE-2017-10236
  - CVE-2017-10237
  - CVE-2017-10238
  - CVE-2017-10239
  - CVE-2017-10240
  - CVE-2017-10241
  - CVE-2017-10242
src:
  6:
    core:
      - virtualbox-5.1.26-1.mga6
      - kmod-vboxadditions-5.1.26-1.mga6
      - kmod-virtualbox-5.1.26-1.mga6
  5:
    core:
      - virtualbox-5.1.26-1.mga5
      - kmod-vboxadditions-5.1.26-1.mga5
      - kmod-virtualbox-5.1.26-1.mga5
description: |
  This update provides the virtualbox 5.1.26 maintenance release, fixing
  security and other issues:
  This Critical Patch Update contains 14 new unspecified security fixes
  for Oracle VM VirtualBox. According to currently known info, none of
  these vulnerabilities may be remotely exploitable without authentication,
  i.e., none may be exploited over a network without requiring user
  credentials.
  For other fixes in this update see the referenced changelog.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=21325
  - https://www.virtualbox.org/wiki/Changelog

Whiteboard:
MGA5TOO =>
MGA5TOO advisory

On mga6-64, with kernel-desktop-4.9.40

Packages installed cleanly:
- virtualbox-5.1.26-1.mga6.x86_64
- virtualbox-kernel-4.9.40-desktop-1.mga6-5.1.26-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.1.26-1.mga6.x86_64
- virtualbox-doc-5.1.26-1.mga6.noarch

Proprietary extension pack upgraded cleanly

Virtualbox and client launched normally

OK for mga6-64

CC:
(none) =>
jim

On mga6-32 in a vbox VM, running kernel-desktop-4.9.40

Packages installed cleanly:
- vboxadditions-kernel-4.9.40-desktop-1.mga6-5.1.26-1.mga6.i586
- vboxadditions-kernel-desktop-latest-5.1.26-1.mga6.i586
- virtualbox-guest-additions-5.1.26-1.mga6.i586
- x11-driver-video-vboxvideo-5.1.26-1.mga6.i586

no regressions noted

OK for mga6-32 in a vbox VM

Mageia 6 64 OK, kernel 4.9.40, no regression noticed after upgrade
Mageia 6 32 tested on VirtualBox no problem noticed

CC:
(none) =>
nathan95
nathan giovannini
2017-08-01 12:12:06 CEST
Whiteboard:
MGA5TOO advisory =>
MGA5TOO advisory MGA6-64-OK

I've been running this one for a couple days on Mageia 6 64, works fine.

Kmods for Mga5 are up:

SRPMS:
kmod-vboxadditions-5.1.26-1.mga5.src.rpm
kmod-virtualbox-5.1.26-1.mga5.src.rpm

i586:
vboxadditions-kernel-4.4.79-desktop-1.mga5-5.1.26-1.mga5.i586.rpm
vboxadditions-kernel-4.4.79-desktop586-1.mga5-5.1.26-1.mga5.i586.rpm
vboxadditions-kernel-4.4.79-server-1.mga5-5.1.26-1.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.1.26-1.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.1.26-1.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.1.26-1.mga5.i586.rpm
virtualbox-kernel-4.4.79-desktop-1.mga5-5.1.26-1.mga5.i586.rpm
virtualbox-kernel-4.4.79-desktop586-1.mga5-5.1.26-1.mga5.i586.rpm
virtualbox-kernel-4.4.79-server-1.mga5-5.1.26-1.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.1.26-1.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.1.26-1.mga5.i586.rpm
virtualbox-kernel-server-latest-5.1.26-1.mga5.i586.rpm

x86_64:
vboxadditions-kernel-4.4.79-desktop-1.mga5-5.1.26-1.mga5.x86_64.rpm
vboxadditions-kernel-4.4.79-server-1.mga5-5.1.26-1.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.1.26-1.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.1.26-1.mga5.x86_64.rpm
virtualbox-kernel-4.4.79-desktop-1.mga5-5.1.26-1.mga5.x86_64.rpm
virtualbox-kernel-4.4.79-server-1.mga5-5.1.26-1.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.1.26-1.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.1.26-1.mga5.x86_64.rpm

On mga5-32

Packages installed cleanly:
- virtualbox-5.1.26-1.mga5.x86_64
- virtualbox-doc-5.1.26-1.mga5.noarch
- virtualbox-kernel-4.4.79-desktop-1.mga5-5.1.26-1.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.26-1.mga5.x86_64

Proprietary extension pack upgraded cleanly

Virtualbox and client launched normally

OK for mga5-32

(In reply to James Kerr from comment #12)
> On mga5-32
>
> Packages installed cleanly:
> - virtualbox-5.1.26-1.mga5.x86_64
> - virtualbox-doc-5.1.26-1.mga5.noarch
> - virtualbox-kernel-4.4.79-desktop-1.mga5-5.1.26-1.mga5.x86_64
> - virtualbox-kernel-desktop-latest-5.1.26-1.mga5.x86_64
>
> Proprietary extension pack upgraded cleanly
>
> Virtualbox and client launched normally
>
> OK for mga5-32

Sorry, that comment obviously applies to mga5-64

On mga5-32 in a vbox VM

Packages installed cleanly:
- dkms-vboxadditions-5.1.26-1.mga5.noarch
- vboxadditions-kernel-4.4.79-desktop-1.mga5-5.1.26-1.mga5.i586
- vboxadditions-kernel-desktop-latest-5.1.26-1.mga5.i586
- x11-driver-video-vboxvideo-5.1.26-1.mga5.i586
- virtualbox-guest-additions-5.1.26-1.mga5.i586

No regressions noted

OK for mga5-32 in a vbox VM
nathan giovannini
2017-08-06 13:59:17 CEST
Whiteboard:
MGA5TOO advisory MGA6-64-OK =>
MGA5TOO advisory MGA6-64-OK MGA6-32-OK

I don't know if it's a bug in Virtualbox 5.1.26 or in cauldron when using kernel 4.12.5, but cauldron no longer boots at all. All I get is a black screen. If I select kernel 4.9.40 instead of 4.12.5, then cauldron boots correctly.

(In reply to Frédéric Buclin from comment #15)
> I don't know if it's a bug in Virtualbox 5.1.26 or in cauldron when using
> kernel 4.12.5, but cauldron no longer boots at all. All I get is a black
> screen. If I select kernel 4.9.40 instead of 4.12.5, then cauldron boots
> correctly.

I would write that up as a separate bug, but, before that I would wait a week or so before filing it. At this very early stage of Cauldron expect things like no boots. In Vbox or real hardware.

$ uname -a
Linux localhost.localdomain 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:02:29 UTC 2017 i686 i686 i686 GNU/Linux

I installed Virtualbox 5.26.1.
It works as designed.
Connections to shared device.

Whiteboard:
MGA5TOO advisory MGA6-64-OK MGA6-32-OK =>
MGA5TOO advisory MGA6-64-OK MGA6-32-OK mga5-32-ok
James Kerr
2017-08-08 04:33:53 CEST
Whiteboard:
MGA5TOO advisory MGA6-64-OK MGA6-32-OK mga5-32-ok =>
MGA5TOO advisory MGA6-64-OK MGA6-32-OK mga5-32-ok MGA5-64-OK

Validating as it seems to have all the necessary tags.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0250.html

Status:
ASSIGNED =>
RESOLVED |