Debian has issued an advisory on April 15:
https://www.debian.org/security/2014/dsa-2904

The issues were fixed upstream in 4.3.8 (currently in Cauldron) and 4.2.24, according to the CVE entries. Debian has updated their 4.3 to 4.3.10.
Blocks: (none) => 12384
Whiteboard: (none) => MGA3TOO
Cauldron updated to 4.3.10

mga3 updated to 4.3.10 too as the 4.2 branch is problematic, and is tracked in bug 12384

mga4 updated to 4.3.10:

SRPMS:
kmod-vboxadditions-4.3.10-1.mga4.src.rpm
kmod-virtualbox-4.3.10-1.mga4.src.rpm
virtualbox-4.3.10-1.1.mga4.src.rpm

i586:
dkms-vboxadditions-4.3.10-1.1.mga4.noarch.rpm
dkms-virtualbox-4.3.10-1.1.mga4.noarch.rpm
python-virtualbox-4.3.10-1.1.mga4.i586.rpm
vboxadditions-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-3.12.13-desktop586-2.mga4-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-desktop586-latest-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga4.i586.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga4.i586.rpm
virtualbox-4.3.10-1.1.mga4.i586.rpm
virtualbox-devel-4.3.10-1.1.mga4.i586.rpm
virtualbox-guest-additions-4.3.10-1.1.mga4.i586.rpm
virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-3.12.13-desktop586-2.mga4-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-desktop586-latest-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga4.i586.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga4.i586.rpm
x11-driver-video-vboxvideo-4.3.10-1.1.mga4.i586.rpm

x86_64:
dkms-vboxadditions-4.3.10-1.1.mga4.noarch.rpm
dkms-virtualbox-4.3.10-1.1.mga4.noarch.rpm
python-virtualbox-4.3.10-1.1.mga4.x86_64.rpm
vboxadditions-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-server-latest-4.3.10-1.mga4.x86_64.rpm
virtualbox-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-devel-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-3.12.13-server-2.mga4-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-server-latest-4.3.10-1.mga4.x86_64.rpm
x11-driver-video-vboxvideo-4.3.10-1.1.mga4.x86_64.rpm
Assignee: tmb => qa-bugs
CC: (none) => tmb
Hardware: i586 => All
Whiteboard: MGA3TOO => (none)
Advisory:

Updated virtualbox packages fix multiple vulnerabilities:

VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22, 4.0.x before 4.0.24, 4.1.x before 4.1.32, 4.2.x before 4.2.24, and 4.3.x before 4.3.8, when using 3D Acceleration, allows local guest OS users to execute arbitrary code on the Chromium server via a crafted Chromium network pointer in a CR_MESSAGE_READBACK or CR_MESSAGE_WRITEBACK message to the VBoxSharedCrOpenGL service, which triggers an arbitrary pointer dereference and memory corruption (CVE-2014-0981).

Multiple array index errors in programs that are automatically generated by VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in Oracle VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when using 3D Acceleration, allow local guest OS users to execute arbitrary code on the Chromium server via certain CR_MESSAGE_OPCODES messages with a crafted index, which are not properly handled (CVE-2014-0983).

The virtualbox packages have been updated to the 4.3.10 maintenance release, which resolves these issues and other upstream reported issues (for more info check the referenced changelog).

This update also resolves the following:
- load virtualbox modules on install (mga#8826)
- missing GUI translations (mga#12578)

References:
https://www.debian.org/security/2014/dsa-2904.en.html
https://www.virtualbox.org/wiki/Changelog
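Added example, not part of the original bug report or of Mageia's tooling: a check that takes an RPM name-version-release string, as printed by urpmi in the test reports here, and lists which of the two CVEs from the advisory still apply to it. The version ranges are transcribed from the advisory text above; the function names and the third sample package string are assumptions made for illustration.

```python
# Added example: flag package versions inside the ranges quoted in the advisory.

# "below": every release older than this is affected, whatever its branch.
# "branches": per-branch exclusive upper bound (the first unaffected release).
AFFECTED = {
    "CVE-2014-0981": {
        "below": (3, 2, 22),
        "branches": {(4, 0): (4, 0, 24), (4, 1): (4, 1, 32),
                     (4, 2): (4, 2, 24), (4, 3): (4, 3, 8)},
    },
    "CVE-2014-0983": {
        "below": None,
        # "4.2.x through 4.2.20" is inclusive, so the exclusive bound is 4.2.21.
        "branches": {(4, 2): (4, 2, 21), (4, 3): (4, 3, 8)},
    },
}


def upstream_version(nevra):
    """Return the upstream version of an RPM name-version-release.arch string."""
    # RPM forbids '-' in version and release, so split from the right; this
    # keeps names such as virtualbox-kernel-3.12.13-desktop-2.mga4 intact.
    parts = nevra.rsplit("-", 2)
    if len(parts) != 3 or not all(p.isdigit() for p in parts[1].split(".")):
        raise ValueError(f"not a name-version-release string: {nevra!r}")
    return tuple(int(p) for p in parts[1].split("."))


def affected_cves(nevra):
    """List the CVEs from the advisory whose ranges contain this package."""
    ver = upstream_version(nevra)
    hits = []
    for cve, rule in AFFECTED.items():
        bound = rule["branches"].get(ver[:2])
        if (rule["below"] and ver < rule["below"]) or (bound and ver < bound):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # The first two strings come from the urpmi output on this page;
    # the third is constructed to show a 4.2 release between the two bounds.
    for pkg in ("virtualbox-4.3.6-1.mga4.i586",
                "virtualbox-4.3.10-1.1.mga4.x86_64",
                "virtualbox-4.2.22-1.mga3.x86_64"):
        print(pkg, affected_cves(pkg) or "not in an affected range")
```

The check only compares upstream version numbers, so a distribution package that backports the fixes without changing the version would still be reported.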
On real hardware, M4, KDE, 32-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.6-1.mga4.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-DVD iso as a client

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.1.mga4.i586 is already installed

Virtualbox installs correctly and runs M4 i586 Live-DVD iso as a client

Note: Although this solution works at least on my test platform noted below it is extremely slow.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G Pro F4 i915G LGA 775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
Removable/replaceable various
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2
CC: (none) => wilcal.int
Hi,

On Mageia 4 KDE 64-bit, real hardware:

# urpmi virtualbox
Le paquetage virtualbox-4.3.6-1.mga4.x86_64 est déjà installé

Enable testing and install virtualbox:

install:
- virtualbox-4.3.10-1.1.mga4.x86_64
- virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64
- virtualbox-kernel-desktop-latest-4.3.10-1.mga4.x86_64

[reboot computer]

Try install virtualbox module 4.3.6:
http://www.toopix.eu/userfiles/0a40fffb864a1c674900b609c8897748.jpeg

# urpmi virtualbox
Le paquetage virtualbox-4.3.10-1.1.mga4.x86_64 est déjà installé

Runs fine, but there are many errors when I start virtualbox from Konsole:
"Qt WARNING: libpng warning: iCCP: known incorrect sRGB profile"
CC: (none) => aranud
Oops, sorry, the message about the module returns: "Exit bad status"
Works fine on the guest side for me, Mageia 4 i586. I don't have a Mageia 4 host to test it right now, but William tested that in Comment 3. This can be validated once it's tested on x86_64 and the advisory is uploaded.
Whiteboard: (none) => MGA4-32-OK
Tested mga4_64.

Testing complete for virtualbox-4.3.10-1.1.mga4. OK for me and nothing to report. No regression found. Also I can confirm that bug #12578 is now fixed.

Tested on real hardware:
dkms-virtualbox-4.3.10-1.1.mga4.noarch.rpm
vboxadditions-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
virtualbox-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64.rpm
virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.10-1.mga4.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.10-1.mga4.x86_64.rpm
x11-driver-video-vboxvideo-4.3.10-1.1.mga4.x86_64.rpm
CC: (none) => geiger.david68210
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
advisory added, validating and pushing: http://advisories.mageia.org/MGASA-2014-0185.html
Keywords: (none) => validated_update
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
On real hardware, M4, KDE, 64-bit

Package(s) under test:
virtualbox

default install of virtualbox
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.6-1.mga4.x86_64 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client

install virtualbox from updates_testing
reboot system

[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-4.3.10-1.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64 is already installed

Virtualbox installs correctly and runs M4 i586 Live-CD iso as a client

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Removable/replaceable various HD's
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray