Bug 30302 - Update request: virtualbox-6.1.34-1.2.mga8
Summary: Update request: virtualbox-6.1.34-1.2.mga8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK, MGA8-32-OK
Keywords: advisory, validated_update
Duplicates: 30313
Depends on:
Blocks: 30330 30335
Reported: 2022-04-19 23:18 CEST by Thomas Backlund
Modified: 2022-04-26 17:05 CEST

See Also:
Source RPM: virtualbox
CVE:
Status comment:



Description Thomas Backlund 2022-04-19 23:18:38 CEST
Security and bugfixes, advisory will follow:

ref:
https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixOVIR
https://www.virtualbox.org/wiki/Changelog-6.1#v34


SRPMS:
virtualbox-6.1.34-1.mga8.src.rpm
kmod-virtualbox-6.1.34-1.mga8.src.rpm


i586:
virtualbox-6.1.34-1.mga8.i586.rpm
virtualbox-guest-additions-6.1.34-1.mga8.i586.rpm


x86_64:
dkms-virtualbox-6.1.34-1.mga8.x86_64.rpm
python-virtualbox-6.1.34-1.mga8.x86_64.rpm
virtualbox-6.1.34-1.mga8.x86_64.rpm
virtualbox-devel-6.1.34-1.mga8.x86_64.rpm
virtualbox-guest-additions-6.1.34-1.mga8.x86_64.rpm

virtualbox-kernel-5.15.32-desktop-1.mga8-6.1.34-1.mga8.x86_64.rpm
virtualbox-kernel-5.15.32-server-1.mga8-6.1.34-1.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.34-1.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.34-1.mga8.x86_64.rpm
Comment 1 Dave Hodgins 2022-04-20 00:26:43 CEST
I've installed the extpack update as well as the vb update, but am getting
the error ...
Failed to load R0 module /usr/lib64/virtualbox/VBoxDDR0.r0: Unable to locate imported symbol 'memset' for module 'VBoxDDR0.r0' (VERR_SYMBOL_NOT_FOUND).
Failed to load ring-0 module 'VBoxDDR0.r0' for device 'pci' (VERR_SYMBOL_NOT_FOUND).

[dave@x3 ~]$ VBoxManage list extpacks
Extension Packs: 2
Pack no. 0:   Oracle VBoxDTrace Extension Pack
Version:      6.1.34
Revision:     150636
Edition:      
Description:  Experimental and unsupported extension pack providing DTrace features to VirtualBox.
VRDE Module:  
Usable:       true 
Why unusable: 

Pack no. 1:   Oracle VM VirtualBox Extension Pack
Version:      6.1.34
Revision:     150636
Edition:      
Description:  Oracle Cloud Infrastructure integration, USB 2.0 and USB 3.0 Host Controller, Host Webcam, VirtualBox RDP, PXE ROM, Disk Encryption, NVMe.
VRDE Module:  VBoxVRDP
Usable:       true 
Why unusable: 
[dave@x3 ~]$ VBoxManage --version
6.1.34_Mageiar150636

[dave@x3 ~]$ dkms status|grep virt
virtualbox, 6.1.34-1.mga8, 5.15.34-server-1.mga8, x86_64: installed 
virtualbox, 6.1.34-1.mga8, 5.15.32-server-1.mga8, x86_64: installed-binary from 5.15.32-server-1.mga8

Anybody managed to get it to work?

CC: (none) => davidwhodgins

Comment 2 Morgan Leijström 2022-04-20 09:14:03 CEST
Same problem here, when I try to launch my MSW7n guest.

And yes after manual extension pack update, and reboot just to be sure.
Also the BOINC virtualbox workunit failed (I did not try to catch any log)

Extpacks list same as Dave.

$ dkms status|grep virt
virtualbox, 6.1.34-1.mga8, 5.15.32-desktop-1.mga8, x86_64: installed-binary from 5.15.32-desktop-1.mga8
virtualbox, 6.1.32-1.mga8, 5.16.18-desktop-1.mga8, x86_64: installed-binary from 5.16.18-desktop-1.mga8

Tested on kernel 5.15.32-desktop-1.mga8

Assignee: qa-bugs => kernel
CC: (none) => fri

Comment 3 Morgan Leijström 2022-04-20 09:37:55 CEST
I did not have dkms-virtualbox installed, and I don't know when it is needed?
(should get clarified at https://wiki.mageia.org/en/VirtualBox#On_the_host)

Installed it, rebooted, no change, except in output of $ dkms status|grep virt:
virtualbox, 6.1.34-1.mga8, 5.16.18-desktop-1.mga8, x86_64: installed 
virtualbox, 6.1.34-1.mga8, 5.15.32-desktop-1.mga8, x86_64: installed-binary from 5.15.32-desktop-1.mga8
virtualbox, 6.1.32-1.mga8, 5.16.18-desktop-1.mga8, x86_64: installed-binary from 5.16.18-desktop-1.mga8

Same fail on 5.16.18-desktop-1.mga8
Comment 4 Dave Hodgins 2022-04-20 18:40:20 CEST
*** Bug 30313 has been marked as a duplicate of this bug. ***

CC: (none) => chmos

Comment 5 Dave Hodgins 2022-04-21 19:23:24 CEST
(In reply to Morgan Leijström from comment #3)
> I did not have dkms-virtualbox installed, and I don't know when it is needed?
> (should get clarified at https://wiki.mageia.org/en/VirtualBox#On_the_host)

https://wiki.mageia.org/en/VirtualBox#On_the_host updated.
Comment 6 Thomas Backlund 2022-04-21 20:42:02 CEST
fix found, new packages coming
Comment 7 Thomas Backlund 2022-04-21 21:47:23 CEST
new set:

SRPMS:
virtualbox-6.1.34-1.2.mga8.src.rpm
kmod-virtualbox-6.1.34-1.2.mga8.src.rpm


i586:
virtualbox-6.1.34-1.2.mga8.i586.rpm
virtualbox-guest-additions-6.1.34-1.2.mga8.i586.rpm


x86_64:
dkms-virtualbox-6.1.34-1.2.mga8.x86_64.rpm
python-virtualbox-6.1.34-1.2.mga8.x86_64.rpm
virtualbox-6.1.34-1.2.mga8.x86_64.rpm
virtualbox-devel-6.1.34-1.2.mga8.x86_64.rpm
virtualbox-guest-additions-6.1.34-1.2.mga8.x86_64.rpm
virtualbox-kernel-5.15.32-desktop-1.mga8-6.1.34-1.2.mga8.x86_64.rpm
virtualbox-kernel-5.15.32-server-1.mga8-6.1.34-1.2.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.34-1.2.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.34-1.2.mga8.x86_64.rpm

Summary: Update request: virtualbox-6.1.34-1.mga8 => Update request: virtualbox-6.1.34-1.2.mga8
Assignee: kernel => qa-bugs

Comment 8 Morgan Leijström 2022-04-22 14:02:10 CEST
Great Thomas

Dave, thank you for the wiki edit

---

Host: mga8-64, Plasma
Hardware: My workstation "svarten": Mainboard: Sabertooth P67, CPU: i7-3770, RAM 16G, GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display.

Updated, rebooted, I noticed dkms built during boot.
Running backport kernel 5.16.18-desktop-1

[morgan@svarten ~]$ dkms status
virtualbox, 6.1.34-1.2.mga8, 5.15.32-desktop-1.mga8, x86_64: installed 
virtualbox, 6.1.34-1.2.mga8, 5.16.18-desktop-1.mga8, x86_64: installed 
nvidia-current, 470.94-1.mga8.nonfree, 5.15.32-desktop-1.mga8, x86_64: installed 
nvidia-current, 470.94-1.mga8.nonfree, 5.16.18-desktop-1.mga8, x86_64: installed 
virtualbox, 6.1.34-1.2.mga8, 5.15.32-desktop-1.mga8, x86_64: installed-binary from 5.15.32-desktop-1.mga8
virtualbox, 6.1.32-1.mga8, 5.16.18-desktop-1.mga8, x86_64: installed-binary from 5.16.18-desktop-1.mga8


Guest 1: my usual MSW7pro-64, tests OK: dynamic guest window resizing, bidirectional clipboard, host shared folders write protected and not, USB2 memory stick read&write (using upstream extension pack), video playing in Firefox and Chrome.

Minor not working: earlier I could use the mouse to drag a file from host Dolphin to Guest Windows Explorer, but now that silently fails despite the mouse cursor showing a green plus sign.  I think that failed also on the previous version. Maybe new security?  The reverse direction has never worked. In the VirtualBox guest window menu Devices>Drag&Drop, bidirectional is set.  If I set no drag&drop, the mouse cursor is a red blocked sign when I try, so that setting does make a visual GUI difference, but the operation is blocked.

Guest 2: OK: BOINC LHC@home ATLAS simulation virtual machine 7CPU.
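
An added example, not part of the bug thread or of Mageia's tooling: a small check that parses `dkms status` output of the shape quoted in the comments above and reports, per kernel, whether the virtualbox module is registered at the package version under test. The function names, the verdict labels and the idea of passing an "expected" version are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Line shape seen in this thread: "module, version, kernel, arch: state"
DKMS_LINE = re.compile(
    r"^(?P<module>[^,]+),\s*(?P<version>[^,]+),\s*(?P<kernel>[^,]+),\s*"
    r"(?P<arch>[^:]+):\s*(?P<state>.+?)\s*$"
)

def parse_dkms_status(text, module="virtualbox"):
    """Return {kernel: [(module_version, state), ...]} for one DKMS module."""
    per_kernel = defaultdict(list)
    for line in text.splitlines():
        m = DKMS_LINE.match(line.strip())
        if m and m.group("module") == module:
            per_kernel[m.group("kernel")].append(
                (m.group("version"), m.group("state")))
    return dict(per_kernel)

def audit(text, expected, module="virtualbox"):
    """Label each kernel 'ok', 'stale-entry' (expected version present but a
    different one is still registered) or 'missing' (expected version absent)."""
    report = {}
    for kernel, entries in parse_dkms_status(text, module).items():
        versions = {version for version, _ in entries}
        if expected not in versions:
            report[kernel] = "missing"
        elif versions != {expected}:
            report[kernel] = "stale-entry"
        else:
            report[kernel] = "ok"
    return report

# Output copied from comment 8 of this bug (after the 6.1.34-1.2.mga8 update).
COMMENT_8 = """\
virtualbox, 6.1.34-1.2.mga8, 5.15.32-desktop-1.mga8, x86_64: installed
virtualbox, 6.1.34-1.2.mga8, 5.16.18-desktop-1.mga8, x86_64: installed
nvidia-current, 470.94-1.mga8.nonfree, 5.15.32-desktop-1.mga8, x86_64: installed
nvidia-current, 470.94-1.mga8.nonfree, 5.16.18-desktop-1.mga8, x86_64: installed
virtualbox, 6.1.34-1.2.mga8, 5.15.32-desktop-1.mga8, x86_64: installed-binary from 5.15.32-desktop-1.mga8
virtualbox, 6.1.32-1.mga8, 5.16.18-desktop-1.mga8, x86_64: installed-binary from 5.16.18-desktop-1.mga8
"""

if __name__ == "__main__":
    for kernel, verdict in sorted(audit(COMMENT_8, "6.1.34-1.2.mga8").items()):
        print(f"{kernel}: {verdict}")
```

Run against the comment 8 output, it marks 5.15.32-desktop-1.mga8 as ok and 5.16.18-desktop-1.mga8 as stale-entry, because the 6.1.32-1.mga8 binary entry is still listed for that kernel.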
Comment 9 Thomas Backlund 2022-04-23 14:35:42 CEST
Advisory, added to svn:


subject: Updated virtualbox packages fix security vulnerabilities
CVE:
 - CVE-2022-21465
 - CVE-2022-21471
 - CVE-2022-21487
 - CVE-2022-21488
src:
  8:
   core:
     - virtualbox-6.1.34-1.2.mga8
     - kmod-virtualbox-6.1.34-1.2.mga8
description: |
  Updated virtualbox packages fix security vulnerabilities:

  Vulnerability in the Oracle VM VirtualBox prior to 6.1.34 contains an
  easily exploitable vulnerability that allows a high privileged attacker
  with logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products (scope
  change). Successful attacks of this vulnerability can result in
  unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of Oracle VM VirtualBox as well as unauthorized update,
  insert or delete access to some of Oracle VM VirtualBox accessible data
  (CVE-2022-21465).

  Vulnerability in the Oracle VM VirtualBox prior to 6.1.34 contains an
  easily exploitable vulnerability that allows a low privileged attacker
  with logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products (scope
  change). Successful attacks of this vulnerability can result in
  unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of Oracle VM VirtualBox (CVE-2022-21471).

  Vulnerability in the Oracle VM VirtualBox prior to 6.1.34 contains an 
  easily exploitable vulnerability that allows a low privileged attacker
  with logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products (scope
  change). Successful attacks of this vulnerability can result in
  unauthorized read access to a subset of Oracle VM VirtualBox accessible
  data (CVE-2022-21487).

  Vulnerability in the Oracle VM VirtualBox prior to 6.1.34 contains an
  easily exploitable vulnerability that allows a low privileged attacker
  with logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM
  VirtualBox, attacks may significantly impact additional products (scope
  change). Successful attacks of this vulnerability can result in
  unauthorized update, insert or delete access to some of Oracle VM
  VirtualBox accessible data (CVE-2022-21488).

  For other fixes in this update, see the referenced changelog.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30302
 - https://www.virtualbox.org/wiki/Changelog-6.1#v34
 - https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixOVIR

Keywords: (none) => advisory

Thomas Backlund 2022-04-23 16:02:36 CEST

Blocks: (none) => 30330

Comment 10 Dave Hodgins 2022-04-23 18:09:02 CEST
No regressions noticed with i586 and x86_64 Mageia guests.
Tested on a host with kernel 5.15.35-server-2.mga8 running.
Installed the kernel update in both guests with no regressions noticed.
Comment 11 Morgan Leijström 2022-04-23 18:18:28 CEST
Quick test OK 5.15.32-desktop-1.mga8 same host and Windows guest.
Comment 12 Thomas Andrews 2022-04-23 19:01:53 CEST
No regressions noted with Windows XP and Windows 7 guests. 

Lately I have been noticing a problem within Mageia guests where when you run MCC the opening screen comes up blank. Clicking on the window redraws it correctly, and it acts normally from then on. I'm only seeing this in Mageia guests, never on real hardware. This persists after VirtualBox and guest additions are updated, so I believe another update not related (exactly) to VirtualBox is at fault.

I will investigate a bit further, and open a new bug on the issue when I know more. Since the issue is relatively minor and existed already it is not a new regression, and I don't believe it should hold back this update.

CC: (none) => andrewsfarm

Comment 13 Morgan Leijström 2022-04-23 19:11:40 CEST
mga8-64 OK with kernel OK 5.15.32-desktop-2.mga8 bug 30330, tests per comment 8.

(In reply to Morgan Leijström from comment #8)
> Minor not working: earlier I could use mouse to drag file from host Dolphin
> to Guest Windows Explorer, but now that silently fail despite mouse cursor
> is showing a green plus sign.

Now, while testing kernel 5.15.32-desktop-2.mga8, I see the above file dragging operation is working OK again  :)
(I did not test this detail with 5.15.32-desktop-1)
Comment 14 Morgan Leijström 2022-04-23 20:07:28 CEST
Doh, in previous comment I meant kernel desktop 5.15.*35*-2 of course...

(In reply to Thomas Andrews from comment #12)
> Lately I have been noticing a problem within Mageia guests where when you
> run MCC the opening screen comes up blank. Clicking on the window redraws it
> correctly

Yes open a separate bug on that. 

I do not see that problem on my little used guest mga8 LXDE, on same host as other tests here.  Mageia guest additions.  Neither before, with all from updates repo per today, or with virtualbox and kernel from testing in host and guest.
Comment 15 Thomas Andrews 2022-04-24 00:44:47 CEST
Definitely needs a separate bug. I'm seeing it now on my real i586 hardware in Xfce. And there, it's worse.
Comment 16 Guillaume Royer 2022-04-24 14:09:37 CEST
MGA 64 XFCE

No issues at installation.
Bug with creating virtual host is still here:

VBoxNetAdpCtl: Error while adding new interface: failed to open /dev/vboxnetctl: Permission denied.

Code d'erreur : 
NS_ERROR_FAILURE (0x80004005)
Composant : 
HostNetworkInterfaceWrap
Interface : 
IHostNetworkInterface {455f8c45-44a0-a470-ba20-27890b96dba9}

Otherwise the rest works, the virtual machine launches well and works well with a PrimTux distribution

CC: (none) => guillaume.royer

Comment 17 Dave Hodgins 2022-04-24 17:56:56 CEST
(In reply to Guillaume Royer from comment #16)
> MGA 64 XFCE
> 
> No issues at installation.
> Bug with creating virtual host is still here:
> 
> VBoxNetAdpCtl: Error while adding new interface: failed to open
> /dev/vboxnetctl: Permission denied.
Did you install the updated extension pack, available from
https://download.virtualbox.org/virtualbox/6.1.34/Oracle_VM_VirtualBox_Extension_Pack-6.1.34.vbox-extpack

Note, Mageia is not allowed to distribute it. It must be downloaded from
Oracle, with each new vb version, and manually installed.
Comment 18 Guillaume Royer 2022-04-24 18:53:19 CEST
(In reply to Dave Hodgins from comment #17)
> (In reply to Guillaume Royer from comment #16)
> > MGA 64 XFCE
> > 
> > No issues at installation.
> > Bug with creating virtual host is still here:
> > 
> > VBoxNetAdpCtl: Error while adding new interface: failed to open
> > /dev/vboxnetctl: Permission denied.
> Did you install the updated extension pack, available from
> https://download.virtualbox.org/virtualbox/6.1.34/
> Oracle_VM_VirtualBox_Extension_Pack-6.1.34.vbox-extpack
> 
> Note, Mageia is not allowed to distribute it. It must be downloaded from
> Oracle, with each new vb version, and manually installed.

Thank you for this tip, but this doesn't solve the problem
Thomas Backlund 2022-04-24 20:42:46 CEST

Blocks: (none) => 30335

Comment 19 Morgan Leijström 2022-04-25 14:22:29 CEST
Same tests OK with Bug 30335 - Backport request: kernel-5.17.4-2.mga8
Comment 20 Thomas Andrews 2022-04-26 14:21:26 CEST
(In reply to Guillaume Royer from comment #16)
> MGA 64 XFCE
> 
> No issues at installation.
> Bug with creating virtual host is still here:
> 
> VBoxNetAdpCtl: Error while adding new interface: failed to open
> /dev/vboxnetctl: Permission denied.
> 
I haven't tried using a host-only adapter interface, so I haven't run into this problem. I use the NAT interface.

However, I did look at the permissions for the /dev/vboxnetctl on my laptop (not yet testing this update), and I found that it is root-only access. I actually had expected it to have vboxusers group access, after which I was going to ask if you had made sure your host user is a member of that group. But even the group (root) doesn't have access.

Could it be that you have to run Vbox as root to create this interface on Mageia? The question then, of course, is if you do have to create the interface as root, would that then prevent non-root users from using that guest?
Comment 21 Thomas Backlund 2022-04-26 16:18:16 CEST
Enough tests, flushing out

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK, MGA8-32-OK

Comment 22 Mageia Robot 2022-04-26 17:05:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0153.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

