Bug 22930 - virtualbox new security issues CVE-2018-0739, CVE-2018-283[01567], CVE-2018-284[2-5], CVE-2018-2860
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 22657 22909
Blocks:
Reported: 2018-04-21 18:40 CEST by David Walser
Modified: 2018-05-19 18:53 CEST

See Also:
Source RPM: virtualbox-5.2.8-3.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 5.2.10


Description David Walser 2018-04-21 18:40:29 CEST
The April 2018 Oracle CPU lists some security issues fixed in VirtualBox 5.2.10:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR

Mageia 5 and Mageia 6 are also affected (only 6 will be updated).
David Walser 2018-04-21 18:40:39 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Thomas Backlund 2018-04-22 21:09:11 CEST
Cauldron updated.

Mga6 update will be pushed after the QT update mess is done.

Depends on: (none) => 22657
Version: Cauldron => 6

Comment 2 David Walser 2018-04-24 22:48:58 CEST
openSUSE has issued an advisory for this today (April 24):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00065.html
David Walser 2018-05-04 08:29:08 CEST

Status comment: (none) => Fixed upstream in 5.2.10

Comment 3 David Walser 2018-05-12 21:49:41 CEST
5.2.12 is out:
https://www.virtualbox.org/wiki/Changelog

Comment 4 Thomas Backlund 2018-05-13 10:20:50 CEST
Rpms to test:

SRPMS:
virtualbox-5.2.12-1.mga6.src.rpm


i586:
dkms-vboxadditions-5.2.12-1.mga6.noarch.rpm
dkms-virtualbox-5.2.12-1.mga6.noarch.rpm
python-virtualbox-5.2.12-1.mga6.i586.rpm
virtualbox-5.2.12-1.mga6.i586.rpm
virtualbox-devel-5.2.12-1.mga6.i586.rpm
virtualbox-guest-additions-5.2.12-1.mga6.i586.rpm
x11-driver-video-vboxvideo-5.2.12-1.mga6.i586.rpm



x86_64:
dkms-vboxadditions-5.2.12-1.mga6.noarch.rpm
dkms-virtualbox-5.2.12-1.mga6.noarch.rpm
python-virtualbox-5.2.12-1.mga6.x86_64.rpm
virtualbox-5.2.12-1.mga6.x86_64.rpm
virtualbox-devel-5.2.12-1.mga6.x86_64.rpm
virtualbox-guest-additions-5.2.12-1.mga6.x86_64.rpm
x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64.rpm



Prebuilt kmods will be built after kernel-4.14.40 is out

Depends on: (none) => 22909
Assignee: tmb => qa-bugs

Comment 5 Morgan Leijström 2018-05-13 23:53:36 CEST
Updated to:
- dkms-virtualbox-5.2.12-1.mga6.noarch
- virtualbox-5.2.12-1.mga6.x86_64

And also retrieved and installed the extpack per https://bugs.mageia.org/show_bug.cgi?id=18962#c27


Host: my workstation i7, kernel-desktop-4.14.40-1.mga6-1-1.mga6.x86_64, Geforce GTX750 with nvidia-current 390.48-1.mga6 with CUDA & OpenCL detected OK in BOINC, LVM on LUKS, Plasma5.12 etc

Guest: Microsoft Windows 7 pro

Simple test: Windows update works, some apps, Firefox...
No audio, but I don't remember if I ever tried it before - never needed it here.

CC: (none) => fri

Comment 6 Thomas Backlund 2018-05-18 19:00:53 CEST
kmods are now built, so the added packages are:

SRPMS:
kmod-vboxadditions-5.2.12-1.mga6.src.rpm
kmod-virtualbox-5.2.12-1.mga6.src.rpm



i586:
vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-4.14.40-desktop586-1.mga6-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-desktop586-latest-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.i586.rpm
vboxadditions-kernel-server-latest-5.2.12-1.mga6.i586.rpm

virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-4.14.40-desktop586-1.mga6-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-desktop586-latest-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-desktop-latest-5.2.12-1.mga6.i586.rpm
virtualbox-kernel-server-latest-5.2.12-1.mga6.i586.rpm



x86_64:
vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64.rpm
vboxadditions-kernel-server-latest-5.2.12-1.mga6.x86_64.rpm

virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.40-server-1.mga6-5.2.12-1.mga6.x86_64.rpm
virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64.rpm
virtualbox-kernel-server-latest-5.2.12-1.mga6.x86_64.rpm

CC: (none) => tmb

Thomas Backlund 2018-05-18 19:03:58 CEST

Whiteboard: MGA6TOO => (none)

Comment 7 Len Lawrence 2018-05-19 11:22:52 CEST
Mageia 6, x86_64

Installed the desktop version and found the transition seamless.  Booted three mga5 guests, one at a time and found no problems.  Installed a large package on one and recovered saved state on another.

CC: (none) => tarazed25

Comment 8 James Kerr 2018-05-19 15:33:43 CEST
on mga6-64 

packages installed cleanly:
- virtualbox-5.2.12-1.mga6.x86_64
- virtualbox-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.12-1.mga6.x86_64

vbox re-launched normally
extension pack updated cleanly


on mga6-32 client:

packages installed cleanly:
- vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.i586
- vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.i586
- virtualbox-guest-additions-5.2.12-1.mga6.i586
- x11-driver-video-vboxvideo-5.2.12-1.mga6.i586

client re-launched normally


on mga6-64 client

packages installed cleanly:
- vboxadditions-kernel-4.14.40-desktop-1.mga6-5.2.12-1.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.12-1.mga6.x86_64
- virtualbox-guest-additions-5.2.12-1.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.12-1.mga6.x86_64

client re-launched normally


winxp and win7 clients:
additions updated; re-started normally


this update looks good for mga6-64 on this system

CC: (none) => jim

Comment 9 Len Lawrence 2018-05-19 18:53:03 CEST
Installed this on Mageia 6, x86_64.
Host 4.14.40-desktop-1.mga6

Mageia vbox guests launched fine and behaved normally.  Upgraded the kernel in one vbox and rebooted without trouble.  Installed scheduled updates.

Leaving one 32-bit guest running for more longterm testing but at first look the update works fine.