| Summary: | virtualbox new security issues CVE-2024-2110[36789], CVE-2024-2111[0-6] and CVE-2024-21121 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, fri, ghibomgx, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | virtualbox-7.0.18-1.mga9, kmod-virtualbox-7.0.18-48.mga9 | CVE: | CVE-2024-21103, CVE-2024-21106, CVE-2024-21107, CVE-2024-21108, CVE-2024-21109, CVE-2024-21110, CVE-2024-21111, CVE-2024-21112, CVE-2024-21113, CVE-2024-21114, CVE-2024-21115, CVE-2024-21116, CVE-2024-21121 |
| Status comment: | Fixed upstream in 7.0.18 | | |

Description
Nicolas Salguero
2024-06-06 16:37:50 CEST
Nicolas Salguero
2024-06-06 16:39:46 CEST
CVE: (none) => CVE-2024-21103, CVE-2024-21106, CVE-2024-21107, CVE-2024-21108, CVE-2024-21109, CVE-2024-21110, CVE-2024-21111, CVE-2024-21112, CVE-2024-21113, CVE-2024-21114, CVE-2024-21115, CVE-2024-21116, CVE-2024-21121

Assigning to kernel because VBox updates are usually done there.
Assignee: bugsquad => kernel

There is virtualbox-7.0.18-1 out for both cauldron and mga9 (in updates_testing).
CC: (none) => ghibomgx

Morgan Leijström
2024-06-18 22:16:59 CEST
Assignee: kernel => qa-bugs

mg9-64 Plasma X11
Tested per below for both
kernel-linus-6.6.28-1.mga9.x86_64
kernel-desktop-6.6.28-1.mga9.x86_64
Also testing/using nvidia-current-550.90.07-1.mga9 from nonfree testing
For both kernels using Virtualbox module built locally by dkms.
$ dkms status
virtualbox, 7.0.18-1.mga9, 6.6.28-1.mga9, x86_64: installed
virtualbox, 7.0.18-1.mga9, 6.6.28-desktop-1.mga9, x86_64: installed
nvidia-current, 550.90.07-1.mga9.nonfree, 6.6.28-1.mga9, x86_64: installed
nvidia-current, 550.90.07-1.mga9.nonfree, 6.6.28-desktop-1.mga9, x86_64: installed
TEST:
Running MSW 7 64 bit guest:
On first launch it detected it needed new guest addition - I let it download, update, reboot.
Using: dynamic window resizing, USB 2 flash disk, host folder sharing write protected and not, bidirectional clipboard, drag file from Dolphin to Explorer, Internet video in Firefox, Windows update.
$ inxi -SMCG
System:
Host: svarten.tribun Kernel: 6.6.28-1.mga9 arch: x86_64 bits: 64
Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Machine:
Type: Desktop Mobo: ASRock model: P55 Pro serial: <superuser required>
BIOS: American Megatrends v: P2.60 date: 08/20/2010
CPU:
Info: dual core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
L2: 512 KiB
Speed (MHz): avg: 3481 min/max: 1200/2934 cores: 1: 3481 2: 3481 3: 3481
4: 3481
Graphics:
Device-1: NVIDIA GM107 [GeForce GTX 750] driver: nvidia v: 550.90.07
Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
loaded: nvidia,v4l gpu: nvidia,nvidia-nvswitch resolution: 3840x2160~60Hz
API: OpenGL v: 4.6.0 NVIDIA 550.90.07 renderer: NVIDIA GeForce GTX
750/PCIe/SSE2

Continuing testing on same machine as Comment 3
Same tests, now with pre-built kmods installed using desktop and server kernels 6.6.28-1
All OK.
$ dkms status
virtualbox, 7.0.18-1.mga9, 6.6.28-1.mga9, x86_64: installed
virtualbox, 7.0.18-1.mga9, 6.6.28-desktop-1.mga9, x86_64: installed
nvidia-current, 550.90.07-1.mga9.nonfree, 6.6.28-1.mga9, x86_64: installed
nvidia-current, 550.90.07-1.mga9.nonfree, 6.6.28-desktop-1.mga9, x86_64: installed
nvidia-current, 550.90.07-1.mga9.nonfree, 6.6.28-server-1.mga9, x86_64: installed
virtualbox, 7.0.18-1.mga9, 6.6.28-desktop-1.mga9, x86_64: installed-binary from 6.6.28-desktop-1.mga9
virtualbox, 7.0.18-1.mga9, 6.6.28-server-1.mga9, x86_64: installed-binary from 6.6.28-server-1.mga9

When Cauldron version is built, as it was already in Comment 2, we use to set bugs to current release only.
Version: Cauldron => 9

MGA9-64, AMD Ryzen 5 2600, Nvidia 1650 super, GNOME, virtualbox host
The following 4 packages are going to be installed:
- dkms-virtualbox-7.0.18-1.mga9.x86_64
- virtualbox-7.0.18-1.mga9.x86_64
- virtualbox-kernel-6.6.28-server-1.mga9-7.0.18-48.mga9.x86_64
- virtualbox-kernel-server-latest-7.0.18-48.mga9.x86_64
64MB of additional disk space will be used.
rebooted
sound working
virtualbox working
networking is fine
I used an existing VM instance - note I also went to VirtualBox website and updated extensions
New VM install of MGA9-Xfce from Live works for me
CC: (none) => brtians1

For lack of a full rpm list, I used "*virtualbox*" in Qarepo. The results show that there are still some kmods for 7.0.14 and older kernels in updates_testing.
No installation issues. So far, I ran a Win7 guest, downloaded and installed guest additions, and shut it down again. No issues there.
CC: (none) => andrewsfarm

Giuseppe Ghibò
2024-06-20 10:04:13 CEST
Source RPM: virtualbox-7.0.14-2.mga10.src.rpm => virtualbox-7.0.18-1.mga9, kmod-virtualbox-7.0.18-48.mga9

I updated the file name in Source RPM field in the box here. At this point the qarepo generated files list should be correct. It could be retrieved from the new qarepo using the command:
curl -o files-bug-33273.txt http://<newqarepo_server_ip>/rpmsforqa/33273?raw=1
where <newqarepo_server_ip> is the IP of the new qarepo yves is testing, you already know (90...), so it can be useful. 33273 in the URL is just the bug number.

Fixing the versioning in Source: seems to have a positive effect on the generated files list. Only problem is that it won't act backward. So if I type in the Source field the older virtualbox or alternative version, it will show the newer one.

katnatek
2024-06-20 21:15:42 CEST
Keywords: (none) => advisory

Yves is testing a new madb, not a new qarepo.

I've updated on two machines, one of which is using nvidia-current (not the one under test). I updated Windows 7 with no problems, updated a Mageia 9 VM with no problems, and created a new Mageia 9 32-bit Plasma VM with no problems.
I don't see any reason to hold this back. Validating the update.
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0232.html
Resolution: (none) => FIXED