Bug 33754 - virtualbox new security issues CVE-2024-21259, CVE-2024-21263, CVE-2024-21273, CVE-2024-21248, CVE-2024-21253
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Reported: 2024-11-12 09:43 CET by Nicolas Salguero
Modified: 2025-01-04 22:10 CET

Source RPM: virtualbox-7.0.20-1.mga9.src.rpm, kmod-virtualbox-7.0.20-51.mga9.src.rpm
CVE: CVE-2024-21259, CVE-2024-21263, CVE-2024-21273, CVE-2024-21248, CVE-2024-21253
Status comment: Fixed upstream in 7.0.22


Description Nicolas Salguero 2024-11-12 09:43:25 CET
Those CVEs were announced here:
https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixOVIR

They are fixed in 7.0.22:
https://www.virtualbox.org/wiki/Changelog-7.0#v22

Mageia 9 is also affected.

Nicolas Salguero 2024-11-12 09:46:23 CET

CVE: (none) => CVE-2024-21259, CVE-2024-21263, CVE-2024-21273, CVE-2024-21248, CVE-2024-21253
Source RPM: (none) => virtualbox-7.0.20-1.mga9.src.rpm, kmod-virtualbox-7.0.20-51.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 7.0.22

Comment 1 Lewis Smith 2024-11-12 20:49:00 CET
Assigning to kernel, which normally includes VB.
CC'ing Giuseppe because the kernel mailing list apparently is not working.

Assignee: bugsquad => kernel
CC: (none) => ghibomgx

Comment 2 Giuseppe Ghibò 2024-12-26 19:26:28 CET
virtualbox-7.0.22-1.mga9 and dkms-virtualbox-7.0.22-1.mga9 are in core/updates_testing.

Comment 3 Morgan Leijström 2024-12-27 13:48:13 CET
I see it built for mga10 too.
Assuming ready for QA.

Whiteboard: MGA9TOO => (none)
CC: (none) => fri
Version: Cauldron => 9
Assignee: kernel => qa-bugs

Comment 4 Morgan Leijström 2024-12-28 21:17:37 CET
OK here 

Running on kernel 6.6.65-desktop-1
Ran tests with both dkms built kmod only, and with virtualbox-kernel package.

TEST Running MSW 7 64 bit guest: 
On first launch it detected it needed new guest addition - I let it download & update.
Windows update found security updates, I let it update, and rebooted.
Tested dynamic window resizing, USB 2 flash disk, host folder sharing write protected and not, bidirectional clipboard, drag file from Dolphin to Explorer, Internet video in Firefox.

[morgan@svarten ~]$ inxi -SMCG
System:
  Host: svarten.tribun Kernel: 6.6.65-desktop-2.mga9 arch: x86_64 bits: 64
  Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Machine:
  Type: Desktop Mobo: ASRock model: P55 Pro serial: <superuser required>
    BIOS: American Megatrends v: P2.60 date: 08/20/2010
CPU:
  Info: quad core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 3213 min/max: 1200/2934 cores: 1: 3213 2: 3213 3: 3213
    4: 3213 5: 3213 6: 3213 7: 3213 8: 3213
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 24 [Radeon RX 6400/6500
    XT/6500M] driver: amdgpu v: kernel
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: amdgpu,v4l dri: radeonsi gpu: amdgpu resolution: 3840x2160~60Hz
  API: EGL v: 1.5 drivers: kms_swrast,radeonsi,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.6 vendor: amd mesa v: 24.2.8 renderer: AMD Radeon RX
    6400 (radeonsi navi24 LLVM 15.0.6 DRM 3.54 6.6.65-desktop-2.mga9)

Comment 5 Brian Rockwell 2024-12-29 00:05:38 CET
MGA9-64, Plasma, AMD Ryzen 5 2600, GeForce GTX 1650 SUPER

The following 8 packages are going to be installed:

- dkms-virtualbox-7.0.22-1.mga9.x86_64
- lib64qt5help5-5.15.7-2.mga9.x86_64
- lib64tpms0-0.9.6-1.mga9.x86_64
- virtualbox-7.0.22-1.mga9.x86_64
- virtualbox-guest-additions-7.0.22-1.mga9.x86_64
- virtualbox-kernel-6.6.65-desktop-2.mga9-7.0.22-62.mga9.x86_64
- virtualbox-kernel-desktop-latest-7.0.22-62.mga9.x86_64
- x11-driver-video-vboxvideo-1.0.0-9.mga9.x86_64

- rebooted

$ uname -a
Linux localhost.localdomain 6.6.65-desktop-2.mga9 #1 SMP PREEMPT_DYNAMIC Thu Dec 12 12:42:26 UTC 2024 x86_64 GNU/Linux


So new install of Virtualbox since rebuild of the OS on this box.

- imported a vbox backup - that worked
- able to load and run the VM
- created a new VM image of Manjaro that worked
- set up extensions 7.0.22 that worked from Oracle website
- able to RDP into the VM.

Working from my perspective.

CC: (none) => brtians1

Comment 6 Thomas Andrews 2025-01-01 23:38:11 CET
MGA9-64 Plasma.


To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  virtualbox                     7.0.22       1.mga9        x86_64  
  virtualbox-kernel-6.6.65-desk> 7.0.22       62.mga9       x86_64  
  virtualbox-kernel-desktop-lat> 7.0.22       62.mga9       x86_64  
227KB of additional disk space will be used.

No installation issues. Ran a Windows 7 guest, updated guest additions with no issues. Also ran a Mageia 9 guest, got updates, no issues there, either.

CC: (none) => andrewsfarm

Brian Rockwell 2025-01-03 21:59:58 CET

Whiteboard: (none) => MGA9-64-OK

Comment 7 Thomas Andrews 2025-01-04 18:17:12 CET
Another test, this time on an HP Pavilion 15, using a Windows 7 guest that hadn't been run in a while. The guest ran OK, but this time I had to download the guest additions iso and install it manually. That worked OK.

Then I decided to install my two network printers. There were some snags along the way, and it seemed to take FOREVER (compared to Mageia), but I was eventually successful. I'm sure the issues I had were not caused by VirtualBox, but are simply the nature of Windows 7.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2025-01-04 19:12:49 CET

Keywords: (none) => advisory

Comment 8 Mageia Robot 2025-01-04 22:10:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0002.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

