Bug 30657 - virtualbox new security issues CVE-2022-21554 and CVE-2022-21571
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK, MGA8-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-07-20 15:42 CEST by David Walser
Modified: 2022-07-25 11:51 CEST

See Also:
Source RPM: virtualbox-6.1.34-10.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-07-20 15:42:38 CEST
The July 2022 Oracle CPU lists security issues fixed in VirtualBox 6.1.36:
https://www.oracle.com/security-alerts/cpujul2022.html#AppendixOVIR

6.1.36 also fixes several other bugs:
https://www.virtualbox.org/wiki/Changelog-6.1#v36
David Walser 2022-07-20 15:42:50 CEST

Status comment: (none) => Fixed upstream in 6.1.36
Whiteboard: (none) => MGA8TOO

Comment 1 Thomas Backlund 2022-07-21 09:35:03 CEST

SRPMS:
virtualbox-6.1.36-1.mga8.src.rpm
kmod-virtualbox-6.1.36-1.mga8.src.rpm


i586:
virtualbox-6.1.36-1.mga8.i586.rpm
virtualbox-guest-additions-6.1.36-1.mga8.i586.rpm


x86_64:
dkms-virtualbox-6.1.36-1.mga8.x86_64.rpm
python-virtualbox-6.1.36-1.mga8.x86_64.rpm
virtualbox-6.1.36-1.mga8.x86_64.rpm
virtualbox-devel-6.1.36-1.mga8.x86_64.rpm
virtualbox-guest-additions-6.1.36-1.mga8.x86_64.rpm
virtualbox-kernel-5.15.55-desktop-2.mga8-6.1.36-1.mga8.x86_64.rpm
virtualbox-kernel-5.15.55-server-2.mga8-6.1.36-1.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.36-1.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.36-1.mga8.x86_64.rpm






And for those using backports kernels, there are kmods:


SRPMS:
kmod-virtualbox-6.1.36-2.mga8.src.rpm


x86_64:
dkms-virtualbox-6.1.36-1.mga8.x86_64.rpm
virtualbox-kernel-5.18.12-desktop-1.mga8-6.1.36-2.mga8.x86_64.rpm
virtualbox-kernel-5.18.12-server-1.mga8-6.1.36-2.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.36-2.mga8.x86_64.rpm
virtualbox-kernel-server-latest-6.1.36-2.mga8.x86_64.rpm

Version: Cauldron => 8
Assignee: tmb => qa-bugs
Whiteboard: MGA8TOO => (none)

David Walser 2022-07-21 14:53:58 CEST

Status comment: Fixed upstream in 6.1.36 => (none)

David Walser 2022-07-21 14:54:38 CEST

CC: (none) => tmb

Comment 2 Otto Leipälä 2022-07-21 15:51:21 CEST
Seems to be working OK with my Debian Sid guest system kernel 5.18.

CC: (none) => ottoleipala1

Comment 3 Morgan Leijström 2022-07-21 16:01:47 CEST
OK at my usual test/workstation; nvidia-current, Plasma
Testing with backport kernel 5.18.12-desktop-1.mga8

Hardware:  My workstation "svarten": Mainboard: Sabertooth P67, CPU: i7-3770, RAM 16G, GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display.

  Updated VirtualBox packages:
virtualbox-6.1.36-1.mga8.x86_64.rpm
dkms-virtualbox-6.1.36-1.mga8.x86_64.rpm
virtualbox-kernel-5.18.12-desktop-1.mga8-6.1.36-2.mga8.x86_64.rpm
virtualbox-kernel-desktop-latest-6.1.36-2.mga8.x86_64.rpm

rebooted

dkms status is OK

Fetched extpack manually and installed it
$ sudo VBoxManage extpack install --replace Oracle_VM_VirtualBox_Extension_Pack-6.1.36a-152435.vbox-extpack

Performed the tests I usually do:

Guest 1: MSW7pro 64 bit:
  In the guest VirtualBox window menu: Devices > insert guest extension disk, let it fetch and insert in drive. Opened that disk and launched VBoxWindowsAdditions.exe, and rebooted.
  Dynamically resizing guest window by mouse
  Shared clipboard, bidirectional
  Shared folders bidirectional read/write copying, and readonly works correctly.
  Drag a file from host Dolphin to guest Explorer
  USB2: compactflash adapter with card, and Conitec Galep-5 chip programmer
  Sound, Internet, performance: playing video in Firefox
  Windows update (antivirus definitions)

Guest 2: BOINC LHC@home "ATLAS simulation 2.00" VirtualBox 64 bit VM @5CPU
  Works.

CC: (none) => fri

Comment 4 Dave Hodgins 2022-07-21 19:15:34 CEST
No regressions noticed with m8 i586 and x86_64 guests on an x86_64 host.

CC: (none) => davidwhodgins

Comment 5 Morgan Leijström 2022-07-21 22:10:48 CEST
OK also with kernel 5.15.55-desktop-2.mga8, same system;

 Since Comment 3:

1) $ sudo urpmi virtualbox-kernel-5.15.55-desktop-2.mga8-6.1.36-1.mga8

2) reboot with kernel 5.15.55 (installed and tested days earlier)

3) Performed all tests again (except windows update)

Comment 6 Thomas Andrews 2022-07-24 21:38:39 CEST
Working OK on my Probook 6550b, with a Windows 7 guest. Win7 guest additions seemed much more elaborate than usual, and took a long time to install, but were eventually successful.

CC: (none) => andrewsfarm

Thomas Backlund 2022-07-25 10:49:05 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK, MGA8-32-OK

Comment 7 Mageia Robot 2022-07-25 11:51:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0265.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

