Advisory:
Updated virtualbox packages fixes security and other bugs.

This update provides virtualbox 5.0.20 maintenance release, and fixes
the following security issue:

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.18 allows local users to affect confidentiality, integrity, and availability via vectors related to Core.
(CVE-2016-0678)

For other fixes in this update, see the referenced changelog.

References:
https://www.virtualbox.org/wiki/Changelog



SRPMS:
kmod-virtualbox-5.0.20-1.mga5.src.rpm
kmod-virtualbox-5.0.20-2.mga5.src.rpm
virtualbox-5.0.20-1.mga5.src.rpm

i586:
dkms-vboxadditions-5.0.20-1.mga5.noarch.rpm
dkms-virtualbox-5.0.20-1.mga5.noarch.rpm
python-virtualbox-5.0.20-1.mga5.i586.rpm
vboxadditions-kernel-4.1.15-desktop-2.mga5-5.0.20-1.mga5.i586.rpm
vboxadditions-kernel-4.1.15-desktop586-2.mga5-5.0.20-1.mga5.i586.rpm
vboxadditions-kernel-4.1.15-server-2.mga5-5.0.20-1.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.0.20-1.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.0.20-1.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.0.20-1.mga5.i586.rpm
virtualbox-5.0.20-1.mga5.i586.rpm
virtualbox-devel-5.0.20-1.mga5.i586.rpm
virtualbox-guest-additions-5.0.20-1.mga5.i586.rpm
virtualbox-kernel-4.1.15-desktop-2.mga5-5.0.20-1.mga5.i586.rpm
virtualbox-kernel-4.1.15-desktop586-2.mga5-5.0.20-1.mga5.i586.rpm
virtualbox-kernel-4.1.15-server-2.mga5-5.0.20-1.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.0.20-1.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.0.20-1.mga5.i586.rpm
virtualbox-kernel-server-latest-5.0.20-1.mga5.i586.rpm
x11-driver-video-vboxvideo-5.0.20-1.mga5.i586.rpm

x86_64:
dkms-vboxadditions-5.0.20-1.mga5.noarch.rpm
dkms-virtualbox-5.0.20-1.mga5.noarch.rpm
python-virtualbox-5.0.20-1.mga5.x86_64.rpm
vboxadditions-kernel-4.1.15-desktop-2.mga5-5.0.20-1.mga5.x86_64.rpm
vboxadditions-kernel-4.1.15-server-2.mga5-5.0.20-1.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.0.20-1.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.0.20-1.mga5.x86_64.rpm
virtualbox-5.0.20-1.mga5.x86_64.rpm
virtualbox-devel-5.0.20-1.mga5.x86_64.rpm
virtualbox-guest-additions-5.0.20-1.mga5.x86_64.rpm
virtualbox-kernel-4.1.15-desktop-2.mga5-5.0.20-1.mga5.x86_64.rpm
virtualbox-kernel-4.1.15-server-2.mga5-5.0.20-1.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.0.20-1.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.0.20-1.mga5.x86_64.rpm
x11-driver-video-vboxvideo-5.0.20-1.mga5.x86_64.rpm

Assignee: tmb => qa-bugs

Typo in SRPMS, should be:

SRPMS:
kmod-vboxadditions-5.0.20-1.mga5.src.rpm
kmod-virtualbox-5.0.20-1.mga5.src.rpm
virtualbox-5.0.20-1.mga5.src.rpm

CC: (none) => tmb

Note: These packages should work with kernel 4.1.15

The virtualbox-kernel-desktop-latest requires kernel 4.4.9 Thomas.

To satisfy dependencies, the following package(s) also need to be installed:

- btrfs-progs-4.4.1-1.mga5.x86_64
- dracut-038-21.mga5.x86_64
- kernel-desktop-4.4.9-1.mga5-1-1.mga5.x86_64
- kernel-firmware-20160409-1.mga5.noarch
- lib64btrfs0-4.4.1-1.mga5.x86_64
- virtualbox-kernel-4.4.9-desktop-1.mga5-5.0.20-2.mga5.x86_64

Whiteboard: (none) => feedback

That's because the builds are done for both 4.1.15-2 and 4.4.9-1 at the same time, so you need to be specific and install 

virtualbox-kernel-desktop-latest-5.0.20-1.mga5

(note the .1.mga5 for 4.1.15-2 and .2.mga5 for 4.4.9-1)

Sorry for not being more specific about this

Whiteboard: feedback => (none)

That makes things difficult :\ Confirmed though. Two versions in testing at once.

# urpmq --requires --media Testing virtualbox-kernel-desktop-latest    

virtualbox-kernel-desktop-latest: virtualbox-kernel-4.4.9-desktop-1.mga5[== 5.0.20-2.mga5]
virtualbox-kernel-desktop-latest: virtualbox-kernel-4.1.15-desktop-2.mga5[== 5.0.20-1.mga5]

Testing mga5 64

It's not possible to use MageiaUpdate to install these packages, instead use..

# urpmi virtualbox-kernel-desktop-latest-5.0.20-1.mga5 vboxadditions-kernel-desktop-latest-5.0.20-1.mga5
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  vboxadditions-kernel-4.1.15-d> 5.0.20       1.mga5        x86_64  
  vboxadditions-kernel-desktop-> 5.0.20       1.mga5        x86_64  
  virtualbox                     5.0.20       1.mga5        x86_64  
  virtualbox-kernel-4.1.15-desk> 5.0.20       1.mga5        x86_64  
  virtualbox-kernel-desktop-lat> 5.0.20       1.mga5        x86_64  
177KB of additional disk space will be used.
25MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) y

Whiteboard: (none) => has_procedure

Installed the updated packages (both kernel and virtualbox ones) on a Mageia 5 x86_64 host and Mageia 5 i586 VM.  Now X won't start in the VM and plymouth-quit-wait.service fails.  The console during boot starts at a small size (which is normal), then once the kernel starts loading expands to its correct size, but now during the boot shrinks back to a smaller size, which is also abnormal.  I tried regenerating the initrd again, but that didn't help.

Installed the appropriate vbox and server kernel updates, including nvidia 340 packages, in a Mageia 5 x86_64 host and guest. 

All seems to be working as expected.

CC: (none) => andrewsfarm

Same host as Comment 9, i586 Mageia 5 guest. All seems to be as it should be.

Same hardware as Comment 9, 32-bit install, virtualbox and 4.4.9 server kernel updates done at the same time.

All appears to have been successful.

(In reply to David Walser from comment #8)
> Installed the updated packages (both kernel and virtualbox ones) on a Mageia
> 5 x86_64 host and Mageia 5 i586 VM.  Now X won't start in the VM and
> plymouth-quit-wait.service fails.  The console during boot starts at a small
> size (which is normal), then once the kernel starts loading expands to its
> correct size, but now during the boot shrinks back to a smaller size, which
> is also abnormal.  I tried regenerating the initrd again, but that didn't
> help.

Same behavior on my Mageia 5 i586 VM at home, console gets smaller during the boot process and X doesn't start.  This is definitely broken.

VM at work is using the kmod packages and VM at home is using dkms packages.

Whiteboard: has_procedure => has_procedure feedback

Note that the issue presents itself on either kernel (4.1.15 or 4.4.9).  It also appears that the console shrinking happens at the moment the VirtualBox kernel modules load in the VM.

(In reply to David Walser from comment #13)
> Note that the issue presents itself on either kernel (4.1.15 or 4.4.9).  It
> also appears that the console shrinking happens at the moment the VirtualBox
> kernel modules load in the VM.

Yeah, since 5.0.18 upstream virtualbox is trying to fix behaviour to improve acceleration / play nice with system mesa... but it's still WIP apparently...

Do you have any /etc/X11/xorg.conf on the affected vm?

If so, can you rename it / move out of the way and restart?

Does it change anything ?

Renaming xorg.conf doesn't change anything.

Hm, vbox upstream suggests to downgrade additions/vboxvideo to 5.0.16 to see if that restores functions (while the rest is still 5.0.20)

(In reply to Thomas Backlund from comment #16)
> Hm, vbox upstream suggests to downgrade additions/vboxvideo to 5.0.16 to see
> if that restores functions (while the rest is still 5.0.20)

In other words, that means downgrading *all* of the relevant packages in the guest, so yes, of course that fixes it.  If using the kmod packages (as I am in the VM at work) it also means going back to kernel 4.1.15.  I'm sure using dkms with 5.0.16 and kernel 4.4.9 would be fine too, clearly the guest side of VirtualBox 5.0.20 is broken.

Assigning Thomas til it's ready.

CC: (none) => qa-bugs
Assignee: qa-bugs => tmb
Whiteboard: has_procedure feedback => has_procedure

OpenSuSE has issued an advisory for this today (June 1):
https://lists.opensuse.org/opensuse-updates/2016-06/msg00002.html

Summary: virtualbox new security issue CVE-2016-0678 (+ kmod update for kernel 4.1.15) => virtualbox new security issue CVE-2016-0678

With the host upgraded to kernel 4.4.13, virtualbox/dkms-virtualbox 5.0.20 on the host, and kernel 4.4.9 and virtualbox-guest-additions/dkms-vboxadditions/x11-driver-video-vboxvideo 5.0.20 in my Mageia 5 VM at home, everything, even the GUI is working now.

I'll have to confirm this on my VM at work where I first noticed the GUI problem, but I have seen reports that removing /etc/X11/xorg.conf can fix that too.

I think we may be able to move forward with this and release it.

Confirmed it's working again on my VM at work.  I think we can rebuild the 5.0.20 update and push it now.

Yep, that was always the plan to try again as soon as 4.4. series kernels got pushed...

I've just verified that Mageia 6 -sta1 live isos works with 5.0.20 host...

so new rpms for test:


SRPMS:
kmod-vboxadditions-5.0.20-3.mga5.src.rpm
kmod-virtualbox-5.0.20-3.mga5.src.rpm
virtualbox-5.0.20-1.1.mga5.src.rpm


i586:
dkms-vboxadditions-5.0.20-1.1.mga5.noarch.rpm
dkms-virtualbox-5.0.20-1.1.mga5.noarch.rpm
python-virtualbox-5.0.20-1.1.mga5.i586.rpm
vboxadditions-kernel-4.4.13-desktop-1.mga5-5.0.20-3.mga5.i586.rpm
vboxadditions-kernel-4.4.13-desktop586-1.mga5-5.0.20-3.mga5.i586.rpm
vboxadditions-kernel-4.4.13-server-1.mga5-5.0.20-3.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.0.20-3.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.0.20-3.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.0.20-3.mga5.i586.rpm
virtualbox-5.0.20-1.1.mga5.i586.rpm
virtualbox-devel-5.0.20-1.1.mga5.i586.rpm
virtualbox-guest-additions-5.0.20-1.1.mga5.i586.rpm
virtualbox-kernel-4.4.13-desktop-1.mga5-5.0.20-3.mga5.i586.rpm
virtualbox-kernel-4.4.13-desktop586-1.mga5-5.0.20-3.mga5.i586.rpm
virtualbox-kernel-4.4.13-server-1.mga5-5.0.20-3.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.0.20-3.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.0.20-3.mga5.i586.rpm
virtualbox-kernel-server-latest-5.0.20-3.mga5.i586.rpm
x11-driver-video-vboxvideo-5.0.20-1.1.mga5.i586.rpm



x86_64:
dkms-vboxadditions-5.0.20-1.1.mga5.noarch.rpm
dkms-virtualbox-5.0.20-1.1.mga5.noarch.rpm
python-virtualbox-5.0.20-1.1.mga5.x86_64.rpm
vboxadditions-kernel-4.4.13-desktop-1.mga5-5.0.20-3.mga5.x86_64.rpm
vboxadditions-kernel-4.4.13-server-1.mga5-5.0.20-3.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.0.20-3.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.0.20-3.mga5.x86_64.rpm
virtualbox-5.0.20-1.1.mga5.x86_64.rpm
virtualbox-devel-5.0.20-1.1.mga5.x86_64.rpm
virtualbox-guest-additions-5.0.20-1.1.mga5.x86_64.rpm
virtualbox-kernel-4.4.13-desktop-1.mga5-5.0.20-3.mga5.x86_64.rpm
virtualbox-kernel-4.4.13-server-1.mga5-5.0.20-3.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.0.20-3.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.0.20-3.mga5.x86_64.rpm
x11-driver-video-vboxvideo-5.0.20-1.1.mga5.x86_64.rpm

Assignee: tmb => qa-bugs

Tested fine at work on Mageia 5 x86_64.  Will test at home on i586 hopefully tomorrow.

Whiteboard: has_procedure => has_procedure MGA5-64-OK

On real hardware, M5, KDE, 64-bit

Package(s) under test:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
nvidia-current-kernel-desktop-latest

default install of:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
nvidia-current-kernel-desktop-latest

[root@localhost wilcal]# uname -a
Linux localhost 4.4.13-desktop-1.mga5 #1 SMP Fri Jun 10 12:16:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.13-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.0.16-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.0.16-6.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.0.16-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.0.16-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.0.16-6.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.0.16-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nvidia-current-kernel-desktop-latest
Package nvidia-current-kernel-desktop-latest-352.79-10.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
        Subsystem: Gigabyte Technology Co., Ltd Device 3518
        Kernel driver in use: nvidia
        Kernel modules: nvidiafb, nouveau, nvidia_current

Created clients:
M5 i586 Gnome Live-CD runs as a Vbox client. Screen sizes are correct. Sound ok
M5 i586 KDE Live-CD installed, updates and runs as a Vbox client. Screen sizes are correct. Sound ok

install from updates_testing:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
nvidia-current-kernel-desktop-latest
from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 4.4.13-desktop-1.mga5 #1 SMP Fri Jun 10 12:16:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.13-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.0.20-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.0.20-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.0.20-1.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.0.20-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.0.20-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.0.20-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nvidia-current-kernel-desktop-latest
Package nvidia-current-kernel-desktop-latest-352.79-10.mga5.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
        Subsystem: Gigabyte Technology Co., Ltd Device 3518
        Kernel driver in use: nvidia
        Kernel modules: nvidiafb, nouveau, nvidia_current

Clients created Pre-update:
M5 i586 Gnome Live-CD runs as a Vbox client. Screen sizes are correct. Sound ok
M5 i586 KDE Live-CD runs as a Vbox client. Screen sizes are correct. Sound ok

Clients created Post-update:
M5 x86_64 Gnome Live-DVD runs as a Vbox client. Screen sizes are correct. Sound ok
M5 x86_64 KDE CI installed, updates and runs as a Vbox client. Screen sizes are correct. Sound ok

Vbox extentions work pre and post updates.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver

CC: (none) => wilcal.int

Works fine at home too, Mageia 5 i586 guest and host.

At work I have just about every OS imaginable as guests, so this can be validated.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK

Works well here, too. Guest additions installed in 32-bit and 64-bit Mageia 5 guests with no problems. Shared folders continued to be shared.

XP guest booted successfully, and scolded me for my anti-virus being out-of-date, while my anti-virus reported that my system was secure. In short, everything perfectly normal.

Validating to get it off the list.
Advisory to follow.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

advisory added

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0226.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED