Gentoo has issued an advisory on January 20: http://security.gentoo.org/glsa/glsa-201401-13.xml The issues are also fixed in 4.3.6, which we already have in Cauldron.
Blocks: (none) => 8826
Thomas, what relationship does Bug 8826 have to this one? That one is for Mageia 4 and Cauldron, and this one is for Mageia 3.
It's just a reminder for me to fix it for all 3
Advisory (from gentoo):

Multiple vulnerabilities have been found in VirtualBox, allowing local attackers to escalate their privileges or cause a Denial of Service condition.

CVE-2012-3221
CVE-2013-5892
CVE-2014-0404
CVE-2014-0405
CVE-2014-0406
CVE-2014-0407

SRPMS:
kmod-vboxadditions-4.2.22-1.mga3.src.rpm
kmod-virtualbox-4.2.22-1.mga3.src.rpm
virtualbox-4.2.22-1.mga3.src.rpm

i586:
dkms-vboxadditions-4.2.22-1.mga3.noarch.rpm
dkms-virtualbox-4.2.22-1.mga3.noarch.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-desktop586-1.mga3-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-desktop586-latest-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-desktop-latest-4.2.22-1.mga3.i586.rpm
vboxadditions-kernel-server-latest-4.2.22-1.mga3.i586.rpm
virtualbox-4.2.22-1.mga3.i586.rpm
virtualbox-devel-4.2.22-1.mga3.i586.rpm
virtualbox-guest-additions-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop586-1.mga3-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-desktop586-latest-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-desktop-latest-4.2.22-1.mga3.i586.rpm
virtualbox-kernel-server-latest-4.2.22-1.mga3.i586.rpm
x11-driver-video-vboxvideo-4.2.22-1.mga3.i586.rpm

x86_64:
dkms-vboxadditions-4.2.22-1.mga3.noarch.rpm
dkms-virtualbox-4.2.22-1.mga3.noarch.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.x86_64.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.2.22-1.mga3.x86_64.rpm
vboxadditions-kernel-server-latest-4.2.22-1.mga3.x86_64.rpm
virtualbox-4.2.22-1.mga3.x86_64.rpm
virtualbox-devel-4.2.22-1.mga3.x86_64.rpm
virtualbox-guest-additions-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-desktop-latest-4.2.22-1.mga3.x86_64.rpm
virtualbox-kernel-server-latest-4.2.22-1.mga3.x86_64.rpm
x11-driver-video-vboxvideo-4.2.22-1.mga3.x86_64.rpm
Assignee: tmb => qa-bugs
Source RPM: virtualbox-4.2.16-1.mga3.src.rpm => virtualbox-4.2.22-1.mga3.src.rpm
CVE-2012-3221 is not actually relevant for this update, the others are.
David: I can test this upgrade by installing Vbox in one of my Vbox installs but the test install won't run a Guest Client Vbox. Otherwise I'm gonna have to do a complete new install on both on two real hardware, 32-bit & 64-bit, platforms. I don't think running Vbox on a 32-bit system is practical. If I remember my previous testing a Vbox in Vbox will install, and update, but won't run a Client OS. It don't like that.
CC: (none) => wilcal.int
the host part (virtualbox + virtualbox-kernel-* and dkms-virtualbox) needs to be tested on real hw, the -vboxadditions and x11 vbox driver needs to be tested in a guest
CC: (none) => tmb
(In reply to Thomas Backlund from comment #6)
> the host part (virtualbox + virtualbox-kernel-* and dkms-virtualbox) needs
> to be tested on real hw, the -vboxadditions and x11 vbox driver needs to be
> tested in a guest

Groan, if nobody does this by tomorrow California time I test both the 32 & 64 bit install and update. Cross fingers a new install of M3 updates to latest level ok. If I remember right Vbox on my 32-bit 4GB platform is pokey slow.
Currently installing mga3 on vbox on both arch's. Will complete install and add in guest additions in the morning, after the installs complete. So far so good, though!
CC: (none) => wrw105
I have also started the process of building two M3 test systems, 32 & 64 bit, on real hardware. If there are no problems I see this process completing in about 4 hours.
Just a heads-up, Bill. If your systems are as dated as mine, you'll probably want to be running lxde or some similarly lightweight desktop. KDE is painful! Got install completed on x86_64. Updating guest additions results in non-fullscreen fullscreen on my nvidia/turion laptop. Fullscreen worked OK with the old guest additions. I'm currently running mga updates on the guest mga3-64 system to see if something there might help. On i586, KDE is so slow as to be unusable. I'm hoping to be able to install lxde through a shell to complete testing there.
(In reply to Bill Wilkinson from comment #10)
> Got install completed on x86_64. Updating guest additions results in
> non-fullscreen fullscreen on my nvidia/turion laptop.....

Note that Virtualbox on an M3 64-bit Nvidia system is unstable:
https://bugs.mageia.org/show_bug.cgi?id=10670
Repeated x11 freezes with VirtualBox Guest Clients and an nVidia driver system

The way this gets fixed is to move on to M4 or use the Video nouveau driver. It ain't worth going back and fixing in M3 so I changed the BUG to resolved.
On real hardware VirtualBox, M3, KDE, 32-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.i586 is already installed

Boots to a working desktop, albeit slowly.
Vbox runs an M3-32bit Live-DVD client.

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.22-1.mga3.i586 is already installed

Boots to a working desktop, albeit slowly.
Vbox runs an M3-32bit Live-DVD client even slower. IMO this is not a practical solution.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G Pro F4 i915G LGA 775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
Maxtor DiamondMax 10 6B080M0 80GB 7200 RPM 8MB Cache SATA (removable)
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2
Whiteboard: (none) => MGA3-32-OK
64-bit should go a little quicker
Both 32 and 64 bit OK here. Nvidia issues not a problem here, slight annoyance issue with the updated guest additions, but nothing that should stop the security updates.
On real hardware VirtualBox, M3, KDE, 64-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.x86_64 is already installed

Boots to a working desktop.
Vbox runs an M3-32bit Live-DVD client just fine

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.22-1.mga3.x86_64 is already installed

Boots to a working desktop.
Vbox runs an M3-32bit Live-DVD client just fine.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, nouveau driver
Whiteboard: MGA3-32-OK => MGA3-32-OK MGA3-64-OK
For me this update works fine. Let's go ahead and push it.
Validating, advisory uploaded. Please push to 3 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3-32-OK MGA3-64-OK => MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
Sorry, not so fast. This is exhibiting the same problems as when we previously tried to update it beyond 4.2.16. x11-driver-video-vboxvideo in the guest does not work (i586 here).
Keywords: validated_update => (none)
Whiteboard: MGA3-32-OK MGA3-64-OK advisory => MGA3-64-OK advisory
Hm, seems I need to build and install an i586 mga3 system here too to test.
Note that I still have 4.2.16 on my *host* machine, I was hoping to see that the update worked correctly in my VM before updating my host.
Whiteboard: MGA3-64-OK advisory => MGA3-64-OK advisory feedbac
Whiteboard: MGA3-64-OK advisory feedbac => MGA3-64-OK advisory feedback
Confirmed problem. Running virtualbox-4.3.6-1.mga4 on an x86_64 host, with the testing updates installed on an i586 Mageia 3 guest, X fails to start with the message in /var/log/Xorg.0.log about AIGLX error: vboxvideo does not export required DRI extensions. We may need to split the update again, and only push the Mageia 4 update for now.
CC: (none) => davidwhodgins
This update is already only for Mageia 3, as the issues are fixed in the version we shipped in Mageia 4. We might need to actually find patches for the security issues :O
I just tested the 4.2.24 that tmb just built, same issue persists.
Assigning back to Thomas for now.
CC: (none) => qa-bugs
Assignee: qa-bugs => tmb
Depends on: (none) => 13225
Switched mga3 to vbox 4.3 branch as the 4.2 one has issues...:

SRPMS:
kmod-vboxadditions-4.3.10-1.mga3.src.rpm
kmod-virtualbox-4.3.10-1.mga3.src.rpm
virtualbox-4.3.10-1.mga3.src.rpm

i586:
dkms-vboxadditions-4.3.10-1.mga3.noarch.rpm
dkms-virtualbox-4.3.10-1.mga3.noarch.rpm
python-virtualbox-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-desktop586-1.mga3-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-desktop586-latest-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga3.i586.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga3.i586.rpm
virtualbox-4.3.10-1.mga3.i586.rpm
virtualbox-devel-4.3.10-1.mga3.i586.rpm
virtualbox-guest-additions-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-desktop586-1.mga3-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-desktop586-latest-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga3.i586.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga3.i586.rpm
x11-driver-video-vboxvideo-4.3.10-1.mga3.i586.rpm

x86_64:
dkms-vboxadditions-4.3.10-1.mga3.noarch.rpm
dkms-virtualbox-4.3.10-1.mga3.noarch.rpm
python-virtualbox-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga3.x86_64.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga3.x86_64.rpm
virtualbox-4.3.10-1.mga3.x86_64.rpm
virtualbox-devel-4.3.10-1.mga3.x86_64.rpm
virtualbox-guest-additions-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-desktop-1.mga3-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-3.10.28-server-1.mga3-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga3.x86_64.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga3.x86_64.rpm
x11-driver-video-vboxvideo-4.3.10-1.mga3.x86_64.rpm
Assignee: tmb => qa-bugs
cleared whiteboard
CC: (none) => wassi
Whiteboard: MGA3-64-OK advisory feedback => (none)
Now we have for this update: CVE-2013-5892 CVE-2014-0404 CVE-2014-0405 CVE-2014-0406 CVE-2014-0407 CVE-2014-0981 CVE-2014-0983
Updated advisory:

Updated virtualbox packages fix multiple vulnerabilities:

Multiple vulnerabilities in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allow local users to affect integrity and availability via unknown vectors related to Core (CVE-2013-5892, CVE-2014-0404, CVE-2014-0405, CVE-2014-0406, CVE-2014-0407).

VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22, 4.0.x before 4.0.24, 4.1.x before 4.1.32, 4.2.x before 4.2.24, and 4.3.x before 4.3.8, when using 3D Acceleration allows local guest OS users to execute arbitrary code on the Chromium server via crafted Chromium network pointer in a CR_MESSAGE_READBACK or CR_MESSAGE_WRITEBACK message to the VBoxSharedCrOpenGL service, which triggers an arbitrary pointer dereference and memory corruption (CVE-2014-0981).

Multiple array index errors in programs that are automatically generated by VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in Oracle VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when using 3D Acceleration, allow local guest OS users to execute arbitrary code on the Chromium server via certain CR_MESSAGE_OPCODES messages with a crafted index, which are not properly handled (CVE-2014-0983).

The virtualbox packages have been updated to 4.3.10 maintenance release that resolves these issues and other upstream reported issues (for more info check the referenced changelog).

This update also resolves the following:
- load virtualbox modules on install (mga#8826)
- missing GUI translations (mga#12578)

References:
http://security.gentoo.org/glsa/glsa-201401-13.xml
https://www.debian.org/security/2014/dsa-2904.en.html
https://www.virtualbox.org/wiki/Changelog
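Added example, not part of the thread or the Mageia advisory: a check that maps a virtualbox package name to the CVEs from the updated advisory that still apply to that build, using only the per-branch version bounds quoted above. The function names and the choice to skip branches the advisory does not list are assumptions of this sketch.

```python
import re

# First unaffected patch level per release branch, transcribed from the updated
# advisory text in this thread. "4.2.x through 4.2.20" is modelled as "< 4.2.21".
CORE_CVES = ("CVE-2013-5892", "CVE-2014-0404", "CVE-2014-0405",
             "CVE-2014-0406", "CVE-2014-0407")
FIRST_FIXED = {
    CORE_CVES: {(3, 2): 20, (4, 0): 22, (4, 1): 30, (4, 2): 20, (4, 3): 4},
    ("CVE-2014-0981",): {(3, 2): 22, (4, 0): 24, (4, 1): 32, (4, 2): 24, (4, 3): 8},
    ("CVE-2014-0983",): {(4, 2): 21, (4, 3): 8},
}

# Matches the main package only; virtualbox-devel-*, virtualbox-kernel-* etc.
# are rejected so a kernel version is never mistaken for the VirtualBox one.
NVR = re.compile(r"^virtualbox-(\d+)\.(\d+)\.(\d+)-")


def parse_version(package):
    """Extract (major, minor, patch) from a name like virtualbox-4.2.22-1.mga3.i586."""
    m = NVR.match(package)
    if not m:
        raise ValueError(f"not a virtualbox package name: {package!r}")
    return tuple(int(x) for x in m.groups())


def open_cves(package):
    """Return the sorted CVE ids from the advisory that still apply to this build.

    A branch the advisory does not list for a CVE group is treated as not
    assessed for that group and contributes nothing (assumption of this example).
    """
    major, minor, patch = parse_version(package)
    found = []
    for cves, fixed_by_branch in FIRST_FIXED.items():
        first_fixed = fixed_by_branch.get((major, minor))
        if first_fixed is not None and patch < first_fixed:
            found.extend(cves)
    return sorted(found)


if __name__ == "__main__":
    # Package names as they appear in the test reports in this thread.
    for pkg in ("virtualbox-4.2.16-1.mga3.i586",
                "virtualbox-4.2.22-1.mga3.x86_64",
                "virtualbox-4.3.10-1.mga3.i586"):
        print(pkg, "->", open_cves(pkg) or "none of the listed CVEs")
```

Against these bounds the first candidate, 4.2.22, still falls inside the CVE-2014-0981 range, while 4.3.10 is outside every listed range.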
On real hardware, M3, KDE, 32-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client
Live-CD is a little easier on my test box but still very slow.

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.mga3.i586 is already installed

Virtualbox runs M4 i586 Live-CD iso as a client
Live-CD is a little easier on my test box but still very slow.

Note: Although this solution works at least on my test platform noted below it is extremely slow.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G Pro F4 i915G LGA 775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
Removable/replaceable various
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2
On real hardware, M3, KDE, 64-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.2.16-1.mga3.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.mga3.x86_64 is already installed

Virtualbox runs M4 i586 Live-CD iso as a client

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Removable/replaceable various HD's
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Works perfectly for me, Mageia 3 i586, both on the guest side and the host side. This can be validated once the Mageia 4 update is also validated and the advisories are uploaded.
Hardware: i586 => All
Summary: virtualbox new security issues fixed in 4.2.22 => virtualbox new security issues fixed in 4.2.22 and 4.2.24
Whiteboard: (none) => MGA3-32-OK MGA3-64-OK
For me this one looks good to go David.
Advisory added, validating and pushing: http://advisories.mageia.org/MGASA-2014-0184.html
Keywords: (none) => validated_update
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA3-32-OK MGA3-64-OK => MGA3-32-OK MGA3-64-OK advisory