Bug 13225 - virtualbox new security issues CVE-2014-0981 and CVE-2014-0983
Summary: virtualbox new security issues CVE-2014-0981 and CVE-2014-0983
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/595033/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks: 12384
Reported: 2014-04-17 00:18 CEST by David Walser
Modified: 2014-04-20 21:14 CEST
Source RPM: virtualbox-4.3.6-1.mga4.src.rpm

Description David Walser 2014-04-17 00:18:57 CEST
Debian has issued an advisory on April 15:
https://www.debian.org/security/2014/dsa-2904

The issues were fixed upstream in 4.3.8 (currently in Cauldron) and 4.2.24, according to the CVE entries.  Debian has updated their 4.3 to 4.3.10.

David Walser 2014-04-17 00:19:05 CEST

Blocks: (none) => 12384
Whiteboard: (none) => MGA3TOO

Comment 1 Thomas Backlund 2014-04-19 17:08:10 CEST
Cauldron updated to 4.3.10

mga3 updated to 4.3.10 too as the 4.2 branch is problematic, and is tracked in bug 12384

mga4 updated to 4.3.10:

SRPMS:
kmod-vboxadditions-4.3.10-1.mga4.src.rpm
kmod-virtualbox-4.3.10-1.mga4.src.rpm
virtualbox-4.3.10-1.1.mga4.src.rpm

i586:
dkms-vboxadditions-4.3.10-1.1.mga4.noarch.rpm
dkms-virtualbox-4.3.10-1.1.mga4.noarch.rpm
python-virtualbox-4.3.10-1.1.mga4.i586.rpm
vboxadditions-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-3.12.13-desktop586-2.mga4-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-desktop586-latest-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga4.i586.rpm
virtualbox-4.3.10-1.1.mga4.i586.rpm
virtualbox-devel-4.3.10-1.1.mga4.i586.rpm
virtualbox-guest-additions-4.3.10-1.1.mga4.i586.rpm
virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-3.12.13-desktop586-2.mga4-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-desktop586-latest-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga4.i586.rpm
x11-driver-video-vboxvideo-4.3.10-1.1.mga4.i586.rpm

x86_64:
dkms-vboxadditions-4.3.10-1.1.mga4.noarch.rpm
dkms-virtualbox-4.3.10-1.1.mga4.noarch.rpm
python-virtualbox-4.3.10-1.1.mga4.x86_64.rpm
vboxadditions-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga4.x86_64.rpm
virtualbox-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-devel-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga4.x86_64.rpm
x11-driver-video-vboxvideo-4.3.10-1.1.mga4.x86_64.rpm

Assignee: tmb => qa-bugs

Thomas Backlund 2014-04-19 17:13:47 CEST

CC: (none) => tmb
Hardware: i586 => All
Whiteboard: MGA3TOO => (none)

Comment 2 Thomas Backlund 2014-04-19 17:43:58 CEST
Advisory:
Updated virtualbox packages fix multiple vulnerabilities:

VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22, 4.0.x
before 4.0.24, 4.1.x before 4.1.32, 4.2.x before 4.2.24, and 4.3.x before
4.3.8, when using 3D Acceleration, allows local guest OS users to execute
arbitrary code on the Chromium server via a crafted Chromium network pointer
in a CR_MESSAGE_READBACK or CR_MESSAGE_WRITEBACK message to the
VBoxSharedCrOpenGL service, which triggers an arbitrary pointer
dereference and memory corruption (CVE-2014-0981).

Multiple array index errors in programs that are automatically generated by
VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in Oracle
VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when using 3D
Acceleration, allow local guest OS users to execute arbitrary code on the
Chromium server via certain CR_MESSAGE_OPCODES messages with a crafted
index, which are not properly handled (CVE-2014-0983).

The virtualbox packages have been updated to the 4.3.10 maintenance release,
which resolves these issues and other upstream reported issues (for more info
check the referenced changelog).

This update also resolves the following:
- load virtualbox modules on install (mga#8826)
- missing GUI translations (mga#12578)

References:
https://www.debian.org/security/2014/dsa-2904.en.html
https://www.virtualbox.org/wiki/Changelog
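
An added example, not part of the bug report or of Mageia's tooling: a check that maps an installed RPM string to the version ranges quoted in the advisory above. The function names are hypothetical, the 4.2.22 sample is constructed, and the check does not look at whether 3D Acceleration is enabled.

```python
import re

# Per-branch fixed releases for CVE-2014-0981, taken from the advisory text.
CVE_0981_FIXED = {(4, 0): 24, (4, 1): 32, (4, 2): 24, (4, 3): 8}


def rpm_version(nvra):
    """Return (major, minor, patch) from a name-version-release.arch string.

    The version is the second-to-last dash-separated field. Taking the first
    x.y.z in the string would be wrong for the kernel-module packages, whose
    *name* embeds the kernel version (3.12.13 in the samples below).
    """
    try:
        _name, version, _release_arch = nvra.rsplit("-", 2)
    except ValueError:
        raise ValueError(f"not an RPM NVRA string: {nvra!r}") from None
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unexpected version field {version!r} in {nvra!r}")
    return tuple(int(part) for part in m.groups())


def affected_cves(nvra):
    """List the CVEs whose advisory version range covers this package."""
    major, minor, patch = v = rpm_version(nvra)
    branch = (major, minor)
    hits = []
    # "before 3.2.22", then one fixed release per 4.x branch.
    if v < (3, 2, 22) or patch < CVE_0981_FIXED.get(branch, 0):
        hits.append("CVE-2014-0981")
    # The advisory gives 4.2.x "through 4.2.20" and 4.3.x "before 4.3.8".
    if (branch == (4, 2) and patch <= 20) or (branch == (4, 3) and patch < 8):
        hits.append("CVE-2014-0983")
    return hits


if __name__ == "__main__":
    samples = [
        "virtualbox-4.3.6-1.mga4.i586",       # pre-update package in this bug
        "virtualbox-4.3.10-1.1.mga4.x86_64",  # updated package in this bug
        "virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64",
        "virtualbox-4.2.22-1.mga3.x86_64",    # constructed sample
    ]
    for pkg in samples:
        print(pkg, "->", affected_cves(pkg) or "not in advisory ranges")
```
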
Comment 3 William Kenney 2014-04-19 21:40:15 CEST
On real hardware, M4, KDE, 32-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.6-1.mga4.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-DVD iso as a client

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.1.mga4.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-DVD iso as a client

Note: Although this solution works at least on my test
platform noted below it is extremely slow.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte  GA-81915G Pro F4  i915G  LGA 775  MoBo
 Marvel Yukon 88E8001 Gigabit LAN
 Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
 Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
Removable/replaceable various
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2

CC: (none) => wilcal.int

Comment 4 Arnaud Vacquier 2014-04-20 00:02:17 CEST
Hi,

On Mageia 4 KDE 64-bit, real hardware:

# urpmi virtualbox
Le paquetage virtualbox-4.3.6-1.mga4.x86_64 est déjà installé


Enable testing and install virtualbox :
install :
- virtualbox-4.3.10-1.1.mga4.x86_64
- virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64
- virtualbox-kernel-desktop-latest-4.3.10-1.mga4.x86_64

[reboot computer]

Try install virtualbox module 4.3.6 :
http://www.toopix.eu/userfiles/0a40fffb864a1c674900b609c8897748.jpeg

# urpmi virtualbox
Le paquetage virtualbox-4.3.10-1.1.mga4.x86_64 est déjà installé

Runs fine, but there are many errors when I start virtualbox from Konsole:
"Qt WARNING: libpng warning: iCCP: known incorrect sRGB profile"

CC: (none) => aranud

Comment 5 Arnaud Vacquier 2014-04-20 00:04:13 CEST
Oops, sorry, the message about the module returns:
"Exit bad status"
Comment 6 David Walser 2014-04-20 19:33:21 CEST
Works fine on the guest side for me, Mageia 4 i586.  I don't have a Mageia 4 host to test it right now, but William tested that in Comment 3.

This can be validated once it's tested on x86_64 and the advisory is uploaded.

Whiteboard: (none) => MGA4-32-OK

Comment 7 David GEIGER 2014-04-20 20:17:48 CEST
Tested mga4_64,

Testing complete for virtualbox-4.3.10-1.1.mga4, Ok for me and nothing to report.
No regression found.

Also I can confirm that the bug #12578 is now fixed.


Tested on real hardware:

dkms-virtualbox-4.3.10-1.1.mga4.noarch.rpm
vboxadditions-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
virtualbox-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
x11-driver-video-vboxvideo-4.3.10-1.1.mga4.x86_64.rpm

CC: (none) => geiger.david68210
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 8 Thomas Backlund 2014-04-20 20:59:15 CEST
advisory added, validating and pushing:

http://advisories.mageia.org/MGASA-2014-0185.html

Keywords: (none) => validated_update
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 9 William Kenney 2014-04-20 21:14:32 CEST
On real hardware, M4, KDE, 64-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.6-1.mga4.x86_64 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Removable/replaceable various HD's
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
