Bug 29566 - Update request: virtualbox-6.1.28-1.mga8
Summary: Update request: virtualbox-6.1.28-1.mga8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29571 29573
  Show dependency treegraph
 
Reported: 2021-10-19 23:46 CEST by Thomas Backlund
Modified: 2021-10-23 19:49 CEST (History)
5 users (show)

See Also:
Source RPM: virtualbox
CVE:
Status comment:


Attachments

Description Thomas Backlund 2021-10-19 23:46:55 CEST
Virtualbox 6.1.28 maintenance release

bugfixes:
https://www.virtualbox.org/wiki/Changelog-6.1#v28

security fixes:
https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixOVIR



SRPMS:
virtualbox-6.1.28-1.mga8.src.rpm
kmod-virtualbox-6.1.28-1.mga8.src.rpm



i586:
virtualbox-6.1.28-1.mga8.i586.rpm
virtualbox-guest-additions-6.1.28-1.mga8.i586.rpm



x86_64:
dkms-virtualbox-6.1.28-1.mga8.x86_64.rpm
python-virtualbox-6.1.28-1.mga8.x86_64.rpm
virtualbox-6.1.28-1.mga8.x86_64.rpm
virtualbox-devel-6.1.28-1.mga8.x86_64.rpm
virtualbox-guest-additions-6.1.28-1.mga8.x86_64.rpm

virtualbox-kernel-5.10.70-desktop-1.mga8-6.1.28-1.mga8.x86_64.rpm
virtualbox-kernel-5.10.70-server-1.mga8-6.1.28-1.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.28-1.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.28-1.mga8.x86_64.rpm
Thomas Backlund 2021-10-20 21:19:09 CEST

Blocks: (none) => 29571

Thomas Backlund 2021-10-20 21:19:39 CEST

Blocks: (none) => 29573

Comment 1 Dave Hodgins 2021-10-20 22:27:48 CEST
No regressions noticed on either of my vb installs or in the i586 and x86_64
guests.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2021-10-20 22:46:51 CEST
Forgot to mention in comment 1, I installed the updated extension pack on both
host systems.

Also no regressions after updating to kernel 5.10.70 on either system.

Oking the update.

Whiteboard: (none) => MGA8-64-OK

Comment 3 Dave Hodgins 2021-10-20 23:10:36 CEST
Typo there. Updated to kernel 5.10.75

On both systems, tested with the vb update alone, then installed the kernel
update (dkms for the vb module) on the host and tested again, then installed
the kernel update in the guests and rebooted those.
Comment 4 Morgan Leijström 2021-10-21 13:57:22 CEST
My usual test/workstation, kernel 5.10.70, nvidia-current, plasma

As usual I hit Bug 18962 - VirtualBox GUI Manager fails to install extension pack (have workarounds), so I used command line for the upstream extpack.

The guest system is MSW7pro 64 bit. At its desktop it correctly pops up message about Guest Additions need update, i let it fetch, register, and run that .iso file.  Twice the windows installer warn it is an unknown vendor. A new normal i guess on Windows7.  I let guest reboot.

Then performed same tests as I use to:
  Dynamically resizing guest window by mouse
  Shared clipboard, bidirectional
  Shared folders bidirectional read/write copying, and readonly works correctly.
  Drag a file from host Dolphin to guest Explorer
  USB2: flash stick
  Sound, Internet, performance: playing video in Firefox

CC: (none) => fri

Comment 5 Thomas Andrews 2021-10-21 15:57:25 CEST
You beat me to it, Morgan. 

I tested a Windows 7 Pro guest as well, and saw the same two warnings. It seemed to take an unusually long time to install the guest additions, but I had not booted this guest in some time, and I believe other updates were being installed. Anti-malware, I suspect, but as it didn't tell me what was happening the way Mageia does I really have no idea. (Like most Windows users)

In the end, all seemed to go well. Will try it with the 5.14.10 kernel this evening.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2021-10-22 01:25:50 CEST
The hardware from Comment 5 has two M8-64 Plasma installs. The second one has kernel-desktop 5.14.10 installed. VirtualBox was not installed before this test, so I installed it. I didn't find any pre-built kmods for this kernel, so I used dkms to build them locally. No installation issues.

Used qarepo to get the updates, and again there were no installation issues. Rebooted, to make sure the new locally-built module was properly installed. Installed the extension pack I had downloaded for the Comment 5 test, then told Vbox to import the Win7 guest. No issues with the import, and the Windows guest booted successfully.

Looks like the Vbox upgrade is OK with the 5.14.10 kernel.
Comment 7 Thomas Andrews 2021-10-22 15:05:19 CEST
Well now, that's a new one.

I ran a Mageia 8 guest in this virtuaBox update on my Probook 6550b laptop's Plasma host, and when I did I got an icon in the host's systray telling me that Vbox was accessing the microphone. This might be OK, except that to my knowledge there is no microphone on this laptop for it to access!

I didn't have the time to dig into this any deeper, to check settings and that sort of thing. But I find it strange that this would pop up, as I don't recall ever seeing it before.
Comment 8 Thomas Andrews 2021-10-22 18:55:56 CEST
It seems I was wrong about that internal microphone. Probook 6550b models with a webcam have two internal microphones, for stereo recording, while those like mine, without a webcam, have only one. I had forgotten this. Having disabled the internal microphone in the BIOS when I bought the laptop 5 years ago, it never crossed my mind again - until now. 

But I just checked the BIOS settings, and it is STILL shown as disabled there. So, even if it is there physically, it shouldn't be available - or should it? 

I will have to look into this further, then probably open a new bug on it. My guess is that this is not a Vbox issue, though I would think there ought to be a setting somewhere specifically concerning Vbox and the system microphone.
Comment 9 Morgan Leijström 2021-10-22 19:04:40 CEST
Maybe disabled = hardware muted, but present.
Comment 10 Thomas Andrews 2021-10-22 20:29:15 CEST
I suppose that's possible, but in the Vbox settings for the M8 guest, "enable audio input" (the equivalent to a BIOS microphone setting?) is unchecked, but pulseaudio seems to be using it, anyway. A serious security problem, IMO.
Comment 11 Morgan Leijström 2021-10-22 20:35:15 CEST
Could be. Depending on if it gets muted or not.
Regardless, that must be an upstream issue.
Comment 12 Thomas Andrews 2021-10-22 21:15:09 CEST
If I check "enable audio input" for my Win7 guest, I still don't see that Vbox is accessing the microphone. So I think the problem is in pulseaudio and it may be more cosmetic than an actual security risk. Taking this to another bug...
Comment 13 William Kenney 2021-10-22 22:17:14 CEST
On real hardware, M8, Plasma, 64-bit

Package(s) under test:
virtualbox

M8 i586   Xfce   upating works just fine as a Vbox client
M8 x86_64 Plasma upating works just fine as a Vbox client

clear
uname -a
urpmi dkms-virtualbox
urpmi virtualbox
urpmi virtualbox-guest-additions
urpmi x11-driver-video-vboxvideo
urpmi kernel-desktop-devel-latest
urpmi virtualbox-kernel-desktop-latest

Linux localhost 5.10.70-desktop-1.mga8 #1 SMP Thu Sep 30 09:41:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Package dkms-virtualbox-6.1.26-1.mga8.x86_64 is already installed
Package virtualbox-6.1.26-1.mga8.x86_64 is already installed
Package virtualbox-guest-additions-6.1.26-1.mga8.x86_64 is already installed
Package x11-driver-video-vboxvideo-1.0.0-6.mga8.x86_64 is already installed
Package kernel-desktop-devel-latest-5.10.70-1.mga8.x86_64 is already installed
Package virtualbox-kernel-desktop-latest-6.1.26-1.6.mga8.x86_64 is already installed

install from updates testing:

dkms-virtualbox virtualbox virtualbox-guest-additions
x11-driver-video-vboxvideo kernel-desktop-devel-latest virtualbox-kernel-desktop-latest

The following 7 packages are going to be installed:

- dkms-virtualbox-6.1.28-1.mga8.x86_64
- kernel-desktop-devel-5.10.75-1.mga8-1-1.mga8.x86_64
- kernel-desktop-devel-latest-5.10.75-1.mga8.x86_64
- virtualbox-6.1.28-1.mga8.x86_64
- virtualbox-guest-additions-6.1.28-1.mga8.x86_64
- virtualbox-kernel-5.10.70-desktop-1.mga8-6.1.28-1.mga8.x86_64
- virtualbox-kernel-desktop-latest-6.1.28-1.mga8.x86_64

checking update:

Linux localhost 5.10.70-desktop-1.mga8 #1 SMP Thu Sep 30 09:41:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Package dkms-virtualbox-6.1.28-1.mga8.x86_64 is already installed
Package virtualbox-6.1.28-1.mga8.x86_64 is already installed
Package virtualbox-guest-additions-6.1.28-1.mga8.x86_64 is already installed
Package x11-driver-video-vboxvideo-1.0.0-6.mga8.x86_64 is already installed
Package kernel-desktop-devel-latest-5.10.75-1.mga8.x86_64 is already installed
Package virtualbox-kernel-desktop-latest-6.1.28-1.mga8.x86_64 is already installed

M8 i586   Xfce   upating works just fine as a Vbox client ( glibc updated )
M8 x86_64 Plasma upating works just fine as a Vbox client ( glibc updated

CC: (none) => wilcal.int

Thomas Backlund 2021-10-23 19:21:00 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2021-10-23 19:49:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0488.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.