| Summary: | virtualbox new security issues fixed upstream in 6.0.16 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, fri, jim, joselp, sysadmin-bugs, tmb, wilcal.int |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | virtualbox-6.0.14-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-01-15 13:58:21 CET
I see 6.0.16 versions of virtualbox and dkms-virtualbox have landed. But we are missing the virtualbox-kernel* packages 6.0.16 versions.
CC: (none) => fri

They are not really "missing", they can just not be built until the current kernel update is validated and pushed....

Assigning to QA, advisory will follow...

SRPMS:
virtualbox-6.0.16-1.mga7.src.rpm
kmod-virtualbox-6.0.16-1.mga7.src.rpm

i586:
dkms-vboxadditions-6.0.16-1.mga7.noarch.rpm
dkms-virtualbox-6.0.16-1.mga7.noarch.rpm
python-virtualbox-6.0.16-1.mga7.i586.rpm
virtualbox-6.0.16-1.mga7.i586.rpm
virtualbox-devel-6.0.16-1.mga7.i586.rpm
virtualbox-guest-additions-6.0.16-1.mga7.i586.rpm
virtualbox-kernel-5.4.12-desktop-1.mga7-6.0.16-1.mga7.i586.rpm
virtualbox-kernel-5.4.12-desktop586-1.mga7-6.0.16-1.mga7.i586.rpm
virtualbox-kernel-5.4.12-server-1.mga7-6.0.16-1.mga7.i586.rpm
virtualbox-kernel-desktop586-latest-6.0.16-1.mga7.i586.rpm
virtualbox-kernel-desktop-latest-6.0.16-1.mga7.i586.rpm
virtualbox-kernel-server-latest-6.0.16-1.mga7.i586.rpm

x86_64:
dkms-vboxadditions-6.0.16-1.mga7.noarch.rpm
dkms-virtualbox-6.0.16-1.mga7.noarch.rpm
python-virtualbox-6.0.16-1.mga7.x86_64.rpm
virtualbox-6.0.16-1.mga7.x86_64.rpm
virtualbox-devel-6.0.16-1.mga7.x86_64.rpm
virtualbox-guest-additions-6.0.16-1.mga7.x86_64.rpm
virtualbox-kernel-5.4.12-desktop-1.mga7-6.0.16-1.mga7.x86_64.rpm
virtualbox-kernel-5.4.12-server-1.mga7-6.0.16-1.mga7.x86_64.rpm
virtualbox-kernel-desktop-latest-6.0.16-1.mga7.x86_64.rpm
virtualbox-kernel-server-latest-6.0.16-1.mga7.x86_64.rpm
Assignee: tmb => qa-bugs

I've tried installing the new version in Mageia 7 Virtualbox x64. No problems, works fine, all settings ok depending on the host system. I've tried to virtualize an operating system without problems.
Greetings!!
CC: (none) => joselp

mga7-64 OK here: VirtualBox 6.0.16 running guest MSW7 incl host folder sharing, USB2 flash stick, firefox video with sound.
Host: Plasma, Intel i7, Nvidia GPU.
Stress test: BOINC use all cores to 100%, then running virtualbox with MSW7 chewing windows update, and other programs in guest and host I can use without problems. Enabling GPU use for BOINC on host desktop experience is of course not pleasant but no crash etc.

Host system: Intel i5-2500, 16GB RAM, integrated Intel graphics, wired Internet, 64-bit Plasma system.
No installation issues with the Mageia packages. Upon running it, I discovered the "Check for updates" function of the gui is no longer there, necessitating a manual download of the extension pack. Clicking on the downloaded extension pack brought up the gui, and the pack updated without incident.
Ran a Mageia 7 guest, and updated the guest additions. Everything there looks good.
Ran an XP guest and attempted to use the "insert guest additions" function of the gui, which, as has become normal, still fails at the end of the download. The guest additions iso had to be manually downloaded from https://download.virtualbox.org/virtualbox/ and mounted into the virtual optical drive. (Bug 24696) Once the additions were installed, I tried a few things, and the XP guest is working normally.
I did not try to create a new guest, but other than that it looks good on this hardware.
CC: (none) => andrewsfarm

on mga7-64 kernel-desktop plasma
packages installed cleanly:
- dkms-virtualbox-6.0.16-1.mga7.noarch
- virtualbox-6.0.16-1.mga7.x86_64
- virtualbox-kernel-5.4.12-desktop-1.mga7-6.0.16-1.mga7.x86_64
- virtualbox-kernel-desktop-latest-6.0.16-1.mga7.x86_64
# dkms status
virtualbox, 6.0.16-1.mga7, 5.4.12-desktop-1.mga7, x86_64: installed
virtualbox, 6.0.16-1.mga7, 5.4.12-desktop-1.mga7, x86_64: installed-binary from 5.4.12-desktop-1.mga7
extension pack upgraded cleanly, but as reported in comment 6 had to be downloaded manually
vbox and clients (winxp, win7 and mga7-32) launched normally
Updated additions in all 3 clients. As previously the additions iso for the Windows clients had to be downloaded and inserted manually.
"Attached" my USB printer to the mga7-32 client, configured it in the client and printed a test page.
No regressions observed. OK for mga7-64 on this system:
Desktop System: Dell product: Precision Tower 3620
Quad Core model: Intel Core i7-6700
Intel HD Graphics 530
CC: (none) => jim

Running into a bit of a problem here:
The following 6 packages are going to be installed:
- cpupower-5.4.14-1.mga7.x86_64
- kernel-desktop-devel-5.4.14-1.mga7-1-1.mga7.x86_64
- kernel-desktop-devel-latest-5.4.14-1.mga7.x86_64
- virtualbox-6.0.16-1.mga7.x86_64
- virtualbox-kernel-5.4.12-desktop-1.mga7-6.0.16-1.mga7.x86_64
- virtualbox-kernel-desktop-latest-6.0.16-1.mga7.x86_64
Launching:
Mageia-7-Live-Xfce-i586.iso
As a Vbox client reports the following errors:
Failed to open a session for the virtual machine M7.1 i586 Xfce Live-DVD.
The virtual machine 'M7.1 i586 Xfce Live-DVD' has terminated unexpectedly during startup with exit code 1 (0x1).
Result Code:
NS_ERROR_FAILURE (0x80004005)
Component:
MachineWrap
Interface:
IMachine {5047460a-265d-4538-b23e-ddba5fb84976}
***********
Kernel driver not installed (rc=-1908)
The VirtualBox Linux kernel driver is either not loaded or not set up correctly. Please try setting it up again by executing
'/sbin/vboxconfig'
as root.
If your system has EFI Secure Boot enabled you may also need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them. Please see your Linux system's documentation for more information.
where: suplibOsInit what: 3 VERR_VM_DRIVER_NOT_INSTALLED (-1908) - The support driver is not installed. On linux, open returned ENOENT.
Comments are appreciated
CC: (none) => wilcal.int

[root@localhost wilcal]# uname -a
Linux localhost 5.4.14-desktop-1.mga7 #1 SMP Thu Jan 23 22:31:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-5.4.14-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-6.0.16-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-6.0.16-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-6.0.16-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-1.0.0-5.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-5.4.14-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi cpupower
Package cpupower-5.4.14-1.mga7.x86_64 is already installed

(In reply to William Kenney from comment #8)
> Running into a bit of a problem here:
>
> The following 6 packages are going to be installed:
>
> - cpupower-5.4.14-1.mga7.x86_64
> - kernel-desktop-devel-5.4.14-1.mga7-1-1.mga7.x86_64
> - kernel-desktop-devel-latest-5.4.14-1.mga7.x86_64
> - virtualbox-6.0.16-1.mga7.x86_64
> - virtualbox-kernel-5.4.12-desktop-1.mga7-6.0.16-1.mga7.x86_64
> - virtualbox-kernel-desktop-latest-6.0.16-1.mga7.x86_64
>
You are missing dkms-virtualbox-6.0.16-1.mga7.noarch.rpm, so the kmods for the new virtualbox can't be built locally for any of the kernels you may have installed. The virtualbox-kernel (the pre-built kmod) on your list is for kernel-desktop 5.4.12, and won't work with kernel-desktop 5.4.14. I don't think tmb uploaded the pre-built kmods for that kernel yet.

Thanks Thomas.
I'll tinker with it all tomorrow.

(In reply to William Kenney from comment #11)
> Thanks Thomas.
> I'll tinker with it all tomorrow.
I was a little slow on the uptake. I just checked, and while there may be packages in update-testing for the 5.4.14 kernel, it has not yet been sent to QA. It may be that it just isn't ready, or that tmb is waiting for this virtualbox update to go through first. Either way, it would probably be best at this point if you were to boot into kernel 5.4.12 and do your testing there. Personally, in your situation I would be removing the 5.4.14 packages, but of course that's entirely up to you.

Thanks Thomas. Over the last years Vbox testing for me has been pretty smooth. I test on a completely non-important platform. So at this point I'm going to wait and see what TMB has to say about all this. The platform I test on has a removable replaceable HD modular tray system. So when things settle down on this I'll just re-install M7 from the ground up, install Vbox, then enable the update testing repo and try the update again.
Thanks for the help

@wilcal: You should only test the virtualbox update against the 5.4.12 kernel for now.... I do push newer kernels to testing too, but until they are assigned to QA, there is no rush to test them
CC: (none) => tmb

On real hardware, M7.1, Plasma, 64-bit
Package(s) under test:
virtualbox
default install of packages:
kernel-desktop-latest virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest
x11-driver-video-vboxvideo kernel-desktop-devel-latest
cpupower
[root@localhost wilcal]# uname -a
Linux localhost 5.3.6-desktop-2.mga7 #1 SMP Sun Oct 13 18:22:10 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-5.3.6-2.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-6.0.12-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-6.0.12-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-6.0.12-4.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-1.0.0-5.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-5.3.6-2.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi cpupower
Package cpupower-5.3.6-2.mga7.x86_64 is already installed
[root@localhost wilcal]# lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
Subsystem: Gigabyte Technology Co., Ltd Device 3518
Kernel driver in use: nvidia
Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia390
Mageia-7-Live-Xfce-i586.iso
Runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.
install from updates testing:
virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest
x11-driver-video-vboxvideo kernel-desktop-devel-latest
cpupower dkms-vboxadditions dkms-virtualbox
[root@localhost wilcal]# uname -a
Linux localhost 5.4.14-desktop-1.mga7 #1 SMP Thu Jan 23 22:31:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-6.0.16-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-6.0.16-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-6.0.16-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-1.0.0-5.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-5.4.14-1.mga7.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-vboxadditions
Package dkms-vboxadditions-6.0.16-1.mga7.noarch is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-6.0.16-1.mga7.noarch is already installed
[root@localhost wilcal]# urpmi cpupower
Package cpupower-5.4.14-1.mga7.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
Subsystem: Gigabyte Technology Co., Ltd Device 3518
Kernel driver in use: nvidia
Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia390
Mageia-7-Live-Xfce-i586.iso
Runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.
Mageia-7-Live-GNOME-x86_64.iso
Runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.
Mageia-7-x86_64.iso
Runs as a Vbox client
Boots to a working desktop. Common apps work.
Screen sizes are correct.
Installs without error. Updates without error.
Reboots to a working desktop without error.
Seem like full OK on 64 bit host then
Whiteboard: (none) => MGA7-64-OK

Advisory, added to svn:
type: security
subject: Updated virtualbox packages fix security vulnerabilities
CVE:
 - CVE-2020-2674
 - CVE-2020-2678
 - CVE-2020-2681
 - CVE-2020-2682
 - CVE-2020-2689
 - CVE-2020-2690
 - CVE-2020-2691
 - CVE-2020-2692
 - CVE-2020-2693
 - CVE-2020-2698
 - CVE-2020-2701
 - CVE-2020-2702
 - CVE-2020-2703
 - CVE-2020-2704
 - CVE-2020-2705
 - CVE-2020-2725
 - CVE-2020-2726
 - CVE-2020-2727
src:
  7:
   core:
     - virtualbox-6.0.16-1.mga7
     - kmod-virtualbox-6.0.16-1.mga7
description: |
  This update provides the upstream 6.0.16 and fixes the following security
  vulnerabilities:

  An easily exploitable vulnerability allows high privileged attacker with
  logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products.
  Successful attacks of this vulnerability can result in takeover of Oracle
  VM VirtualBox (CVE-2020-2674, CVE-2020-2682).

  A difficult to exploit vulnerability allows low privileged attacker with
  logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products.
  Successful attacks of this vulnerability can result in unauthorized
  creation, deletion or modification access to critical data or all Oracle
  VM VirtualBox accessible data as well as unauthorized read access to a
  subset of Oracle VM VirtualBox accessible data (CVE-2020-2678).

  An easily exploitable vulnerability allows low privileged attacker with
  logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products.
  Successful attacks of this vulnerability can result in unauthorized access
  to critical data or complete access to all Oracle VM VirtualBox accessible
  data (CVE-2020-2681, CVE-2020-2689, CVE-2020-2690, CVE-2020-2691,
  CVE-2020-2692, CVE-2020-2704, CVE-2020-2705).

  A difficult to exploit vulnerability allows high privileged attacker with
  logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products.
  Successful attacks of this vulnerability can result in unauthorized access
  to critical data or complete access to all Oracle VM VirtualBox accessible
  data (CVE-2020-2693).

  A difficult to exploit vulnerability allows high privileged attacker with
  logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products.
  Successful attacks of this vulnerability can result in takeover of Oracle
  VM VirtualBox (CVE-2020-2698, CVE-2020-2701, CVE-2020-2702, CVE-2020-2726).

  An easily exploitable vulnerability allows low privileged attacker with
  logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products.
  Successful attacks of this vulnerability can result in unauthorized
  ability to cause a hang or frequently repeatable crash (complete DOS) of
  Oracle VM VirtualBox. (CVE-2020-2703, CVE-2020-2725).

  An easily exploitable vulnerability allows high privileged attacker with
  logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products.
  Successful attacks of this vulnerability can result in unauthorized
  access to critical data or complete access to all Oracle VM VirtualBox
  accessible data. (CVE-2020-2727).

  For other fixes in this update, see the referenced changelog
references:
 - https://bugs.mageia.org/show_bug.cgi?id=26079
 - https://www.virtualbox.org/wiki/Changelog-6.0#v16
 - https://www.oracle.com/security-alerts/cpujan2020.html#AppendixOVIR
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0065.html
Status: NEW => RESOLVED

Also fixed...
CVE-2020-2742
CVE-2020-2743
https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixOVIR
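
The "Kernel driver not installed (rc=-1908)" failure in comment 8 came from a pre-built virtualbox-kernel package for kernel-desktop 5.4.12 on a host running 5.4.14, with no dkms-virtualbox to build the modules locally. The script below is an added example, not part of the original thread or of Mageia's tooling, that makes this check from package names alone; the function name vbox_kmod_status and its output words are assumptions, and the package list is the one quoted in comment 8.

```shell
#!/bin/sh
# Added example (not from the thread): decide from installed package names
# whether the VirtualBox host modules exist for a given kernel release.
# Assumes names in rpm's name-version-release.arch form, as shown in the thread.

# Usage: vbox_kmod_status KERNEL_RELEASE PKG...
# Prints one word:
#   prebuilt       a virtualbox-kernel package built for exactly this kernel
#   dkms           no such package, but dkms-virtualbox can build the modules
#   missing        neither: vboxdrv cannot load (VERR_VM_DRIVER_NOT_INSTALLED)
#   no-virtualbox  the virtualbox package itself is not in the list
vbox_kmod_status() {
    krel=$1
    shift
    vbv=
    for p in "$@"; do
        case $p in
            virtualbox-[0-9]*)
                vbv=${p#virtualbox-}   # 6.0.16-1.mga7.x86_64
                vbv=${vbv%.*}          # 6.0.16-1.mga7
                ;;
        esac
    done
    if [ -z "$vbv" ]; then
        echo no-virtualbox
        return 0
    fi
    status=missing
    for p in "$@"; do
        case $p in
            "virtualbox-kernel-$krel-$vbv".*)
                echo prebuilt
                return 0
                ;;
            "dkms-virtualbox-$vbv".*)
                status=dkms
                ;;
        esac
    done
    echo "$status"
}

# Package list quoted in comment 8 of this report.
COMMENT8_PKGS="cpupower-5.4.14-1.mga7.x86_64
kernel-desktop-devel-5.4.14-1.mga7-1-1.mga7.x86_64
kernel-desktop-devel-latest-5.4.14-1.mga7.x86_64
virtualbox-6.0.16-1.mga7.x86_64
virtualbox-kernel-5.4.12-desktop-1.mga7-6.0.16-1.mga7.x86_64
virtualbox-kernel-desktop-latest-6.0.16-1.mga7.x86_64"

for k in 5.4.12-desktop-1.mga7 5.4.14-desktop-1.mga7; do
    # Word splitting of the list is intended here.
    printf '%s: %s\n' "$k" "$(vbox_kmod_status "$k" $COMMENT8_PKGS)"
done
```

On a live host the first argument would be the output of uname -r and the remaining arguments the installed package names; the "dkms" result still depends on the matching kernel devel package being installed.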