Bug 12384 - virtualbox new security issues fixed in 4.2.22 and 4.2.24
: virtualbox new security issues fixed in 4.2.22 and 4.2.24
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/581307/
: MGA3-32-OK MGA3-64-OK advisory
: validated_update
: 13225
: 8826
  Show dependency treegraph
 
Reported: 2014-01-21 17:37 CET by David Walser
Modified: 2014-04-20 20:58 CEST (History)
8 users (show)

See Also:
Source RPM: virtualbox-4.2.22-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-01-21 17:37:22 CET
Gentoo has issued an advisory on January 20:
http://security.gentoo.org/glsa/glsa-201401-13.xml

The issues are also fixed in 4.3.6, which we already have in Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-02-25 00:35:17 CET
Thomas, what relationship does Bug 8826 have to this one?  That one is for Mageia 4 and Cauldron, and this one is for Mageia 3.
Comment 2 Thomas Backlund 2014-02-25 00:36:22 CET
It's just a reminder for me to fix it for all 3
Comment 3 Thomas Backlund 2014-02-27 21:01:23 CET
Advisory (from gentoo):
Multiple vulnerabilities have been found in VirtualBox, allowing local
attackers to escalate their privileges or cause a Denial of Service
condition. 


    CVE-2012-3221
    CVE-2013-5892
    CVE-2014-0404
    CVE-2014-0405
    CVE-2014-0406
    CVE-2014-0407



SRPMS:
kmod-vboxadditions-4.2.22-1.mga3.src.rpm
kmod-virtualbox-4.2.22-1.mga3.src.rpm
virtualbox-4.2.22-1.mga3.src.rpm

i586:
dkms-vboxadditions-4.2.22-1.mga3.noarch.rpm
dkms-virtualbox-4.2.22-1.mga3.noarch.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-desktop586-1.mga3-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-desktop586-latest-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-desktop-latest-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-server-latest-4.2.22-1.mga3.i586.rpm
virtualbox-4.2.22-1.mga3.i586.rpm
virtualbox-devel-4.2.22-1.mga3.i586.rpm
virtualbox-guest-additions-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop586-1.mga3-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-desktop586-latest-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-desktop-latest-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-server-latest-4.2.22-1.mga3.i586.rpm
x11-driver-video-vboxvideo-4.2.22-1.mga3.i586.rpm

x86_64:
dkms-vboxadditions-4.2.22-1.mga3.noarch.rpm
dkms-virtualbox-4.2.22-1.mga3.noarch.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.x86_64.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.2.22-1.mga3.x86_64.rpm
vboxadditions-kernel-server-latest-4.2.22-1.mga3.x86_64.rpm
virtualbox-4.2.22-1.mga3.x86_64.rpm
virtualbox-devel-4.2.22-1.mga3.x86_64.rpm
virtualbox-guest-additions-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-desktop-latest-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-server-latest-4.2.22-1.mga3.x86_64.rpm
x11-driver-video-vboxvideo-4.2.22-1.mga3.x86_64.rpm
Comment 4 David Walser 2014-02-27 21:34:55 CET
CVE-2012-3221 is not actually relevant for this update, the others are.
Comment 5 William Kenney 2014-02-28 22:04:12 CET
David:
I can test this upgrade by installing Vbox in one of my Vbox
installs but the test install won't run a Guest Client Vbox.
Otherwise I'm gonna have to do a complete new install on
both on two real hardware, 32-bit & 64-bit, platforms.
I don't think running Vbox on a 32-bit system is practical.
If I remember my previous testing a Vbox in Vbox will install,
and update, but wont run a Client OS. It don't like that.
Comment 6 Thomas Backlund 2014-02-28 22:09:29 CET
the host part (virtualbox + virtualbox-kernel-* and dkms-virtualbox) needs to be tested on real hw,  the -vboxadditions and x11 vbox driver needs to be tested in a guest
Comment 7 William Kenney 2014-02-28 22:31:48 CET
(In reply to Thomas Backlund from comment #6)

> the host part (virtualbox + virtualbox-kernel-* and dkms-virtualbox) needs
> to be tested on real hw,  the -vboxadditions and x11 vbox driver needs to be
> tested in a guest

Groan, if nobody does this by tomorrow California time I
test both the 32 & 64 bit install and update. Cross fingers
a new install of M3 updates to latest level ok. If I remember
right Vbox on my 32-bit 4GB platform is pokey slow.
Comment 8 Bill Wilkinson 2014-03-01 05:06:15 CET
Currently installing mga3 on vbox on both arch's.  Will complete install and add in guest additions in the morning, after the installs complete.

So far so good, though!
Comment 9 William Kenney 2014-03-01 16:11:01 CET
I have also started the process of building two M3
test systems, 32 & 64 bit, on real hardware. If there
are no problems I see this process completing in
about 4-hours.
Comment 10 Bill Wilkinson 2014-03-01 17:21:39 CET
Just a heads-up, Bill.  If your systems are as dated as mine, you'll probably want to be running lxde or some similarly lightweight desktop.  KDE is painful!

Got install completed on x86_64. Updating guest additions results in non-fullscreen fullscreen on my nvidia/turion laptop.  Fullscreen worked OK with the old guest additions.  I'm currently running mga updates on the guest mga3-64 system to see if something there might help.

On i586, KDE is so slow as to be unusable.  I'm hoping to be able to install lxde through a shell to complete testing there.
Comment 11 William Kenney 2014-03-01 17:45:43 CET
(In reply to Bill Wilkinson from comment #10)

> Got install completed on x86_64. Updating guest additions results in
> non-fullscreen fullscreen on my nvidia/turion laptop.....

Note that Virtualbox on an M3 64-bit Nvidia system is unstable:

https://bugs.mageia.org/show_bug.cgi?id=10670
Repeated x11 freezes with VirtualBox Guest Clients and an nVidia driver system

The way this gets fixed is to move on to M4 or use the Video nouveau driver.

It ain't worth going back and fixing in M3 so I changed the BUG to resolved.
Comment 12 William Kenney 2014-03-01 18:51:00 CET
On real hardware VirtualBox, M3, KDE, 32-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.i586 is already installed

Boots to a working desktop, albeit slowly.
Vbox runs an M3-32bit Live-DVD client.

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.22-1.mga3.i586 is already installed

Boots to a working desktop, albeit slowly.
Vbox runs an M3-32bit Live-DVD client even slower.

IMO this is not a practical solution.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte  GA-81915G Pro F4  i915G  LGA 775  MoBo
 Marvel Yukon 88E8001 Gigabit LAN
 Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
 Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
Maxtor DiamondMax 10 6B080M0 80GB 7200 RPM 8MB Cache SATA (removable)
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2
Comment 13 William Kenney 2014-03-01 18:51:25 CET
64-bit should go a little quicker
Comment 14 Bill Wilkinson 2014-03-01 19:16:31 CET
Both 32 and 64 bit OK here.  Nvidia issues not a problem here, slight annoyance issue with the updated guest additions, but nothing that should stop the security updates.
Comment 15 William Kenney 2014-03-01 20:37:52 CET
On real hardware VirtualBox, M3, KDE, 64-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.x86_64 is already installed

Boots to a working desktop.
Vbox runs an M3-32bit Live-DVD client just fine

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.22-1.mga3.x86_64 is already installed

Boots to a working desktop.
Vbox runs an M3-32bit Live-DVD client just fine.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, nouveau driver
Comment 16 William Kenney 2014-03-01 20:38:05 CET
For me this update works fine.
Lets go ahead and push it.
Comment 17 Rémi Verschelde 2014-03-01 20:50:11 CET
Validating, advisory uploaded. Please push to 3 core/updates.
Comment 18 David Walser 2014-03-01 20:59:58 CET
Sorry, not so fast.  This is exhibiting the same problems as when we previously tried to update it beyond 4.2.16.  x11-driver-video-vboxvideo in the guest does not work (i586 here).
Comment 19 Thomas Backlund 2014-03-01 21:59:26 CET
Hm, seems I need to build and install a i586 mga3 system here too to test.
Comment 20 David Walser 2014-03-01 22:35:56 CET
Note that I still have 4.2.16 on my *host* machine, I was hoping to see that the update worked correctly in my VM before updating my host.
Comment 21 Dave Hodgins 2014-03-03 07:43:34 CET
Confirmed problem. Running virtualbox-4.3.6-1.mga4 on an x86_64 host, with
the testing updates installed on a i586 Mageia 3 guest, X fails to start
with the message in /var/log/Xorg.0.log about
AIGLX error: vboxvideo does not export required DRI extensions.

We may need to split the update again, and only push the Mageia 4 update
for now.
Comment 22 David Walser 2014-03-03 09:59:43 CET
This update is already only for Mageia 3, as the issues are fixed in the version we shipped in Mageia 4.  We might need to actually find patches for the security issues :O
Comment 23 David Walser 2014-03-24 00:59:21 CET
I just tested the 4.2.24 that tmb just built, same issue persists.
Comment 24 claire robinson 2014-04-08 12:38:31 CEST
Assigning back to Thomas for now.
Comment 25 Thomas Backlund 2014-04-19 17:08:01 CEST
Switched mga3 to vbox 4.3 branch as the 4.2 one has issues...:

SRPMS:
kmod-vboxadditions-4.3.10-1.mga3.src.rpm
kmod-virtualbox-4.3.10-1.mga3.src.rpm
virtualbox-4.3.10-1.mga3.src.rpm

i586:
dkms-vboxadditions-4.3.10-1.mga3.noarch.rpm
dkms-virtualbox-4.3.10-1.mga3.noarch.rpm
python-virtualbox-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-desktop586-1.mga3-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-desktop586-latest-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga3.i586.rpm
virtualbox-4.3.10-1.mga3.i586.rpm
virtualbox-devel-4.3.10-1.mga3.i586.rpm
virtualbox-guest-additions-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop586-1.mga3-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-desktop586-latest-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga3.i586.rpm
x11-driver-video-vboxvideo-4.3.10-1.mga3.i586.rpm

x86_64:
dkms-vboxadditions-4.3.10-1.mga3.noarch.rpm
dkms-virtualbox-4.3.10-1.mga3.noarch.rpm
python-virtualbox-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga3.x86_64.rpm
virtualbox-4.3.10-1.mga3.x86_64.rpm
virtualbox-devel-4.3.10-1.mga3.x86_64.rpm
virtualbox-guest-additions-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga3.x86_64.rpm
x11-driver-video-vboxvideo-4.3.10-1.mga3.x86_64.rpm
Comment 26 user7 2014-04-19 17:15:42 CEST
cleared whiteboard
Comment 27 David Walser 2014-04-19 17:41:35 CEST
Now we have for this update:
CVE-2013-5892
CVE-2014-0404
CVE-2014-0405
CVE-2014-0406
CVE-2014-0407
CVE-2014-0981
CVE-2014-0983
Comment 28 Thomas Backlund 2014-04-19 17:43:13 CEST
Updated advisory:

Updated virtualbox packages fixes multiple vulnerabilities:

Multiple vulnerabilities in the Oracle VM VirtualBox component in Oracle
Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and
4.3.4 allows local users to affect integrity and availability via unknown
vectors related to Core (CVE-2013-5892, CVE-2014-0404, CVE-2014-0405,
CVE-2014-0406, CVE-2014-0407).

VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22, 4.0.x
before 4.0.24, 4.1.x before 4.1.32, 4.2.x before 4.2.24, and 4.3.x before
4.3.8, when using 3D Acceleration allows local guest OS users to execute
arbitrary code on the Chromium server via crafted Chromium network pointer
in a CR_MESSAGE_READBACK or CR_MESSAGE_WRITEBACK message to the
VBoxSharedCrOpenGL service, which triggers an arbitrary pointer
dereference and memory corruption (CVE-2014-0981).

Multiple array index errors in programs that are automatically generated by
VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in Oracle
VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when using 3D
Acceleration, allow local guest OS users to execute arbitrary code on the
Chromium server via certain CR_MESSAGE_OPCODES messages with a crafted
index, which are not properly handled (CVE-2014-0983).

The virtualbox packages has been updated to 4.3.10 maintenance release that
resolves theese issues and other upstream reported issues (for more info
check the referenced changelog).

This update also resolves the following:
- load virtualbox modules on install (mga#8826)
- missing GUI translations (mga#12578)

References:
http://security.gentoo.org/glsa/glsa-201401-13.xml
https://www.debian.org/security/2014/dsa-2904.en.html
https://www.virtualbox.org/wiki/Changelog
Comment 29 William Kenney 2014-04-20 00:55:51 CEST
On real hardware, M3, KDE, 32-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client
Live-CD is a little easier on my test box but still very slow.

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.mga3.i586 is already installed

Virtualbox runs M4 i586 Live-CD iso as a client
Live-CD is a little easier on my test box but still very slow.

Note: Although this solution works at least on my test
platform noted below it is extremely slow.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte  GA-81915G Pro F4  i915G  LGA 775  MoBo
 Marvel Yukon 88E8001 Gigabit LAN
 Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
 Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
Removable/replaceable various
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2
Comment 30 William Kenney 2014-04-20 19:18:50 CEST
On real hardware, M3, KDE, 64-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.mga3.x86_64 is already installed

Virtualbox runs M4 i586 Live-CD iso as a client

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Removable/replaceable various HD's
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Comment 31 David Walser 2014-04-20 19:30:31 CEST
Works perfectly for me, Mageia 3 i586, both on the guest side and the host side.

This can be validated once the Mageia 4 update is also validated and the advisories are uploaded.
Comment 32 William Kenney 2014-04-20 19:41:43 CEST
For me this one looks good to go David.
Comment 33 Thomas Backlund 2014-04-20 20:58:24 CEST
Advisory added, validating and pushing:

http://advisories.mageia.org/MGASA-2014-0184.html

Note You need to log in before you can comment on or make changes to this bug.