Bug 22930 - virtualbox new security issues CVE-2018-0739, CVE-2018-283[01567], CVE-2018-284[2-5], CVE-2018-2860
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on: 22657 22909
Blocks: 23075
Reported: 2018-04-21 18:40 CEST by David Walser
Modified: 2018-05-29 21:42 CEST (History)

See Also:
Source RPM: virtualbox-5.2.8-3.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 5.2.10


Description David Walser 2018-04-21 18:40:29 CEST
The April 2018 Oracle CPU lists some security issues fixed in VirtualBox 5.2.10:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR

Mageia 5 and Mageia 6 are also affected (only 6 will be updated).

David Walser 2018-04-21 18:40:39 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Thomas Backlund 2018-04-22 21:09:11 CEST
Cauldron updated, 

Mga6 update will be pushed after the QT update mess is done

Depends on: (none) => 22657
Version: Cauldron => 6

Comment 2 David Walser 2018-04-24 22:48:58 CEST
openSUSE has issued an advisory for this today (April 24):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00065.html

David Walser 2018-05-04 08:29:08 CEST

Status comment: (none) => Fixed upstream in 5.2.10

Comment 3 David Walser 2018-05-12 21:49:41 CEST
5.2.12 is out:
https://www.virtualbox.org/wiki/Changelog

Comment 4 Thomas Backlund 2018-05-13 10:20:50 CEST
Rpms to test:

SRPMS:
virtualbox-5.2.12-1.mga6.src.rpm


i586:
dkms-vboxadditions-5.2.12-1.mga6.noarch.rpm
dkms-virtualbox-5.2.12-1.mga6.noarch.rpm
python-virtualbox-5.2.12-1.mga6.i586.rpm
virtualbox-5.2.12-1.mga6.i586.rpm
virtualbox-devel-5.2.12-1.mga6.i586.rpm
virtualbox-guest-additions-5.2.12-1.mga6.i586.rpm
x11-driver-video-vboxvideo-5.2.12-1.mga6.i586.rpm



x86_64:
dkms-vboxadditions-5.2.12-1.mga6.noarch.rpm
dkms-virtualbox-5.2.12-1.mga6.noarch.rpm
python-virtualbox-5.2.12-1.mga6.x86_64.rpm
virtualbox-5.2.12-1.mga6.x86_64.rpm
virtualbox-devel-5.2.12-1.mga6.x86_64.rpm
virtualbox-guest-additions-5.2.12-1.mga6.x86_64.rpm
x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64.rpm



Prebuilt kmods will be built after kernel-4.14.40 is out

Assignee: tmb => qa-bugs
Depends on: (none) => 22909

Comment 5 Morgan Leijström 2018-05-13 23:53:36 CEST
Updated to:
- dkms-virtualbox-5.2.12-1.mga6.noarch
- virtualbox-5.2.12-1.mga6.x86_64

And also retrieved and installed the extpack per https://bugs.mageia.org/show_bug.cgi?id=18962#c27


Host: my workstation i7, kernel-desktop-4.14.40-1.mga6-1-1.mga6.x86_64, Geforce GTX750 with nvidia-current 390.48-1.mga6 with CUDA & OpenCL detected OK in BOINC, LVM on LUKS, Plasma 5.12 etc.

Guest: Microsoft Windows 7 pro

Simple test: windows update works, some apps, firefox...
No audio, but I don't remember if I ever tried it before - never needed it here.

CC: (none) => fri

Comment 6 Thomas Backlund 2018-05-18 19:00:53 CEST
kmods are now built, so the added packages are:

SRPMS:
kmod-vboxadditions-5.2.12-1.mga6.src.rpm
kmod-virtualbox-5.2.12-1.mga6.src.rpm



i586:
vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-4.14.40-desktop586-1.mga6-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-desktop586-latest-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-server-latest-5.2.12-1.mga6.i586.rpm

virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-4.14.40-desktop586-1.mga6-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-desktop586-latest-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-desktop-latest-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-server-latest-5.2.12-1.mga6.i586.rpm



x86_64:
vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64.rpm
vboxadditions-kernel-server-latest-5.2.12-1.mga6.x86_64.rpm

virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.x86_64.rpm
virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64.rpm
virtualbox-kernel-server-latest-5.2.12-1.mga6.x86_64.rpm

CC: (none) => tmb

Thomas Backlund 2018-05-18 19:03:58 CEST

Whiteboard: MGA6TOO => (none)

Comment 7 Len Lawrence 2018-05-19 11:22:52 CEST
Mageia 6, x86_64

Installed the desktop version and found the transition seamless.  Booted three mga5 guests, one at a time and found no problems.  Installed a large package on one and recovered saved state on another.

CC: (none) => tarazed25

Comment 8 James Kerr 2018-05-19 15:33:43 CEST
on mga6-64 

packages installed cleanly:
- virtualbox-5.2.12-1.mga6.x86_64
- virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64

vbox re-launched normally
extension pack updated cleanly


on mga6-32 client:

packages installed cleanly:
- vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586
- vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.i586
- virtualbox-guest-additions-5.2.12-1.mga6.i586
- x11-driver-video-vboxvideo-5.2.12-1.mga6.i586

client re-launched normally


on mga6-64 client

packages installed cleanly:
- vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64
- virtualbox-guest-additions-5.2.12-1.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64

client re-launched normally


winxp and win7 clients:
additions updated; re-started normally


this update looks good for mga6-64 on this system

CC: (none) => jim

Comment 9 Len Lawrence 2018-05-19 18:53:03 CEST
Installed this on Mageia 6, x86_64.
Host 4.14.40-desktop-1.mga6

Mageia vbox guests launched fine and behaved normally.  Upgraded the kernel in one vbox and rebooted without trouble.  Installed scheduled updates.

Leaving one 32-bit guest running for more longterm testing but at first look the update works fine.

Comment 10 Thomas Andrews 2018-05-22 17:53:49 CEST
Installed on Athlon X2 7750, 8GB, nvidia 340 graphics, atheros wifi, Plasma host system using the server kernel.

Packages installed cleanly. Downloaded and updated extension pack. Ran Windows XP guest, downloaded and inserted new guest additions. Everything looks good.

Ran a 64-bit Mageia guest that has not yet received the Grand Update. It ran fine, as far as I went with it, but I decided rather than go through the update yet again, I'll import a guest from another machine that has already had it done.

But, as far as I went, it looks good on this hardware.

CC: (none) => andrewsfarm

Comment 11 Thomas Andrews 2018-05-23 01:41:57 CEST
Updated 64-bit packages on a HP 6550b host (i3, 8GB,Intel graphics, Intel wifi), Plasma system using the 4.14.40 desktop kernel.

Packages installed cleanly. Downloaded and installed the extension pack. Ran Windows XP guest and inserted new guest additions. Also updated guest additions in both 64 and 32 bit Mageia 6 Plasma guests, along with vboxvideo driver.

Everything appears to work as it should. No problems noted at all.

Thomas Backlund 2018-05-23 09:27:53 CEST

Blocks: (none) => 23075

Comment 12 William Kenney 2018-05-24 06:26:52 CEST
On real hardware, M6, Plasma, 64-bit

Package(s) under test:
virtualbox

install from update testing:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest dkms-nvidia-current

The following 30 packages are going to be installed:

- binutils-2.25.1-7.mga6.x86_64
- dkms-2.0.19-39.mga6.noarch
- dkms-minimal-2.0.19-39.mga6.noarch
- dkms-virtualbox-5.2.12-1.mga6.noarch
- gcc-5.5.0-1.mga6.x86_64
- gcc-cpp-5.5.0-1.mga6.x86_64
- glibc-devel-2.22-28.mga6.x86_64
- isl-0.16.1-1.mga6.x86_64
- kernel-desktop-devel-4.14.40-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-4.14.43-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-latest-4.14.43-1.mga6.x86_64
- kernel-userspace-headers-4.14.43-1.mga6.x86_64
- lib64bzip2-devel-1.0.6-10.mga6.x86_64
- lib64elfutils-devel-0.169-1.mga6.x86_64
- lib64isl15-0.16.1-1.mga6.x86_64
- lib64lzma-devel-5.2.3-1.mga6.x86_64
- lib64mpc3-1.0.3-1.mga6.x86_64
- lib64ncurses-devel-6.0-8.1.mga6.x86_64
- lib64zlib-devel-1.2.11-4.1.mga6.x86_64
- libstdc++5-3.3.6-15.mga6.x86_64
- libstdc++5-devel-3.3.6-15.mga6.x86_64
- vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64
- virtualbox-5.2.12-1.mga6.x86_64
- virtualbox-doc-5.1.30-1.mga6.noarch
- virtualbox-guest-additions-5.2.12-1.mga6.x86_64
- virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64
- xrandr-1.5.0-1.mga6.x86_64

312MB of additional disk space will be used.

79MB of packages will be retrieved.

[root@localhost wilcal]# uname -a
Linux localhost 4.14.43-desktop-1.mga6 #1 SMP Wed May 23 05:30:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.14.43-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.2.12-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.2.12-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.2.12-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.14.43-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-nvidia-current
Package dkms-nvidia-current-390.59-1.mga6.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller (rev 06)
        Subsystem: Gigabyte Technology Co., Ltd Device d000
        Kernel driver in use: i915
        Kernel modules: i915

Mageia-6-LiveDVD-Xfce-i586-DVD.iso
md5sum: 911088471ddc24bc2d92084e19cec53
date: 7/11/17
M6 i586 Mate Live-DVD runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.

Mageia-6-LiveDVD-GNOME-x86_64-DVD.iso
md5sum: 0511e13ba72f9fc6d155702d25704e1e
date: 7/11/17
M6 x86_64 Gnome Live-DVD runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.

Mageia-6-x86_64-DVD.iso
md5sum: 55e20da532496124e6e720896fdf9fe4
date: 7/15/17
M6 x86_64 CI installed and then updated ( 332 files ).

Hardware used:

Intel Core i5-4460 Haswell Quad-Core 3.2GHz LGA 115
Gigabyte GA-B85M-D3H LGA 1150 Intel B85 chipset
Integrated Graphics Processor - Intel HD Graphics support
Audio chipset - Realtek ALC892, 7.1 channels
Corsair Vengeance 8GB ( 2 x 4GB ) 240-pin DDR3 SDRAM 1600

CC: (none) => wilcal.int

Comment 13 Thomas Andrews 2018-05-25 02:29:40 CEST
Looks like no one has had any problems with this. OKing for 64-bit.

Is there any reason why it shouldn't be pushed, so that the kmods for the new kernel can be built?

Whiteboard: (none) => MGA6-64-OK
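The package lists in Comments 4 and 6, and the urpmi session in Comment 12, show the two things a tester actually has to confirm before OKing this update: that the installed virtualbox package is at or past the upstream fix (5.2.10 per the status comment; the update ships 5.2.12), and that a prebuilt virtualbox-kernel kmod exists for the kernel that is really running. Comment 12 is the instructive case: `uname -r` reports 4.14.43-desktop-1.mga6 while the only kmod present was built for 4.14.40, which is exactly why Comment 13 asks for the push so kmods for the new kernel can be built (without dkms-virtualbox the vboxdrv module would simply be missing on the new kernel). The following POSIX sh check is an added example, not code from the bug report, the advisory, or Mageia's QA tooling. It assumes `rpm -q` output in the usual name-version-release.arch form seen on this page and takes 5.2.10 as the fixed-in version; the `VBOX_CHECK_LIVE` variable and the function names are this example's own, and the inputs in the usage comment are copied from the package names above.

```shell
#!/bin/sh
# Added example: verify a VirtualBox security update on a Mageia host.
# Assumptions (not from the bug): rpm -q prints "name-version-release.arch",
# and 5.2.10 is the first fixed upstream version (bug's status comment).

FIXED_VERSION="5.2.10"

# vbox_version NEVRA: print the upstream version of the main virtualbox
# package, e.g. "virtualbox-5.2.12-1.mga6.x86_64" -> "5.2.12".
# Prints nothing for sub-packages such as virtualbox-kernel-*.
vbox_version() {
    printf '%s\n' "$1" | sed -n 's/^virtualbox-\([0-9][0-9.]*\)-.*$/\1/p'
}

# version_ge A B: succeed (0) if dotted numeric version A >= B.
# Pure sh; no reliance on sort -V or rpmdev-vercmp being installed.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# vbox_status NEVRA: print "fixed", "vulnerable" or "unknown".
# Return 0 for fixed, 1 for vulnerable, 2 when no version could be parsed.
vbox_status() {
    v=$(vbox_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# kmod_matches_kernel KMODPKG KERNELREL: the prebuilt kmod package name
# embeds the kernel it was built for, e.g.
#   virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64
# only serves a host whose `uname -r` is 4.14.40-desktop-1.mga6.
kmod_matches_kernel() {
    case "$1" in
        virtualbox-kernel-"$2"-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live use on a Mageia host (skipped unless VBOX_CHECK_LIVE=1 and rpm exists):
#   VBOX_CHECK_LIVE=1 sh vbox-check.sh
if command -v rpm >/dev/null 2>&1 && [ "${VBOX_CHECK_LIVE:-0}" = 1 ]; then
    pkg=$(rpm -q virtualbox 2>/dev/null) && echo "virtualbox: $(vbox_status "$pkg")"
    running=$(uname -r)
    found=0
    for k in $(rpm -qa 'virtualbox-kernel-*' 2>/dev/null); do
        if kmod_matches_kernel "$k" "$running"; then
            echo "kmod for running kernel $running: $k"
            found=1
        fi
    done
    if [ "$found" = 0 ]; then
        echo "no prebuilt kmod for $running; dkms-virtualbox or a rebuilt kmod is needed"
    fi
fi
```

With the names from Comment 12, `vbox_status virtualbox-5.2.12-1.mga6.x86_64` prints `fixed`, the Cauldron source package `virtualbox-5.2.8-3.mga7.src.rpm` from the bug header prints `vulnerable`, and `kmod_matches_kernel virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64 4.14.43-desktop-1.mga6` fails, reproducing the mismatch that Comment 13 wants resolved by the push.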

Comment 14 Thomas Backlund 2018-05-29 19:46:19 CEST
Advisory (added to svn), validating to get new kernel kmods out

type: security
subject: Updated virtualbox packages fix security vulnerabilities
CVE:
 - CVE-2018-0739
 - CVE-2018-2830
 - CVE-2018-2831
 - CVE-2018-2835
 - CVE-2018-2836
 - CVE-2018-2837
 - CVE-2018-2842
 - CVE-2018-2843
 - CVE-2018-2844
 - CVE-2018-2845
 - CVE-2018-2860
src:
  6:
   core:
     - virtualbox-5.2.12-1.mga6
     - kmod-virtualbox-5.2.12-1.mga6
     - kmod-vboxadditions-5.2.12-1.mga6
description: |
  This update provides virtualbox 5.2.12 and fixes the following security
  issues:

  Unauthorized remote attacker may have caused a hang or frequently
  repeatable crash (complete DOS) (CVE-2018-0739).

  Attacker with host login may have compromised Virtualbox or further system
  services after interaction with a third user (CVE-2018-2830).

  Attacker with host login may have compromised VirtualBox or further system
  services, allowing read access to some data (CVE-2018-2831).

  Attacker with host login may have gained control over VirtualBox and
  possibly further system services after interacting with a third user
  (CVE-2018-2835, CVE-2018-2836, CVE-2018-2837, CVE-2018-2842,
  CVE-2018-2843, CVE-2018-2844).

  Attacker with host login may have caused a hang or frequently repeatable
  crash (complete DOS), and performed unauthorized read and write operations
  to some VirtualBox accessible data (CVE-2018-2845).

  Privileged attacker may have gained control over VirtualBox and possibly
  further system services (CVE-2018-2860).

  For other fixes in this update, see the referenced changelog.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22930
 - https://www.virtualbox.org/wiki/Changelog
 - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 15 Mageia Robot 2018-05-29 21:42:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0257.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

