[Pkg-virtualbox-devel] Bug#798979: [SECURITY] [DSA 3359-1] virtualbox security update

Ritesh Raj Sarraf rrs at debian.org
Fri Sep 18 17:47:23 UTC 2015


Adding the other bug, similar to it, against Unstable.


As mentioned earlier, it does look like we need to add a tighter
dependency in between the dkms/source package and the main virtualbox
package.


I just made the changes, built, and verified locally. And it seems to
be in line with my root cause. Of course, I'd like us to push it to
Unstable first (and close 798527), and then tackle the other stable
releases. And any additional testing is going to help now.


Please see console log below. With the tighter dependency now,
virtualbox does not get picked until its {Pre}Dependency, i.e.
virtualbox-dkms is properly installed.

I have pushed the changes to the git repo, for the master branch.

@Gianfranco: I'm still on the sloppy internet network, so if you have
the bandwidth, please feel free to prepare the new upload.


rrs at chutzpah:/var/tmp/vbox$ apt-cache policy virtualbox virtualbox-dkms
virtualbox:
  Installed: 5.0.4-dfsg-2
  Candidate: 5.0.4-dfsg-2
  Version table:
     5.0.4-dfsg-3 0
        500 file:/var/tmp/vbox/  Packages
 *** 5.0.4-dfsg-2 0
        990 http://ftp.debian.org/debian/ testing/contrib amd64 Packages
        500 http://ftp.debian.org/debian/ unstable/contrib amd64 Packages
        100 /var/lib/dpkg/status
virtualbox-dkms:
  Installed: 5.0.4-dfsg-2
  Candidate: 5.0.4-dfsg-2
  Version table:
     5.0.4-dfsg-3 0
        500 file:/var/tmp/vbox/  Packages
 *** 5.0.4-dfsg-2 0
        990 http://ftp.debian.org/debian/ testing/contrib amd64 Packages
        500 http://ftp.debian.org/debian/ unstable/contrib amd64 Packages
        100 /var/lib/dpkg/status
22:56 ♒♒♒   ☺    

rrs at chutzpah:/var/tmp/vbox$ sudo aptitude install virtualbox=5.0.4-dfsg-3 virtualbox-dkms=5.0.4-dfsg-3 virtualbox-qt=5.0.4-dfsg-3
The following packages will be upgraded: 
  virtualbox virtualbox-dkms virtualbox-qt 
3 packages upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Need to get 0 B/21.3 MB of archives. After unpacking 12.3 kB will be freed.
Do you want to continue? [Y/n/?] 
WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.

  virtualbox virtualbox-dkms virtualbox-qt 

Do you want to ignore this warning and proceed anyway?
To continue, enter "Yes"; to abort, enter "No": Yes
Reading changelogs... Done
(Reading database ... 332296 files and directories currently installed.)
Preparing to unpack .../virtualbox-dkms_5.0.4-dfsg-3_all.deb ...

-------- Uninstall Beginning --------
Module:  virtualbox
Version: 5.0.4
Kernel:  4.1.7+ (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this kernel.

vboxdrv.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.


vboxnetadp.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.


vboxnetflt.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.


vboxpci.ko:
 - Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

depmod.......

DKMS: uninstall completed.

------------------------------
Deleting module version: 5.0.4
completely from the DKMS tree.
------------------------------
Done.
Unpacking virtualbox-dkms (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Preparing to unpack .../virtualbox-qt_5.0.4-dfsg-3_amd64.deb ...
Unpacking virtualbox-qt (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Processing triggers for hicolor-icon-theme (0.13-1) ...
Processing triggers for shared-mime-info (1.3-1) ...
Unknown media type in type 'all/all'
Unknown media type in type 'all/allfiles'
Processing triggers for mime-support (3.59) ...
Processing triggers for gnome-menus (3.13.3-6) ...
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for menu (2.1.47) ...
Processing triggers for man-db (2.7.3-1) ...
Setting up virtualbox-dkms (5.0.4-dfsg-3) ...
Loading new virtualbox-5.0.4 DKMS files...
Building only for 4.1.7+
Building initial module for 4.1.7+
Done.

vboxdrv:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

vboxnetadp.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

vboxnetflt.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

vboxpci.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

depmod....

DKMS: install completed.
(Reading database ... 332296 files and directories currently installed.)
Preparing to unpack .../virtualbox_5.0.4-dfsg-3_amd64.deb ...
Unpacking virtualbox (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Processing triggers for systemd (226-2) ...
Processing triggers for man-db (2.7.3-1) ...
Setting up virtualbox (5.0.4-dfsg-3) ...
Setting up virtualbox-qt (5.0.4-dfsg-3) ...
Processing triggers for menu (2.1.47) ...
                                         
Current status: 6 updates [-3].
22:59 ♒♒♒   ☺  

On Fri, 2015-09-18 at 10:17 +0000, Gianfranco Costamagna wrote:
> BTW I'm mostly sure as we specified in a previous email, this problem
> is not related to the security
> DSA, but with a race condition in an upgrade path handled by apt.
> (probably always here, but with systemd it might be occurring more
> frequently).
> 
> (it might have happened with a one-line patch, or even with a no
> change rebuild)
> 
> 
> A solution might be to do a
> "systemctl stop virtualbox" and check that no "VBoxSVC" is running.
> 
> 
> (and sorry for the bad experience you had)
> 
> 
> cheers,
> 
> Gianfranco
> 
-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
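
The ordering the console log above demonstrates (virtualbox-dkms fully set up before virtualbox is unpacked) can be checked mechanically on a captured apt/dpkg log. This is an added example, not part of the original message or the package; the helper name `predep_order_ok` is hypothetical, and the second sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the original message): verify from a captured
# apt/dpkg console log that a pre-dependency was configured before the
# dependent package was unpacked.

# predep_order_ok DEP PKG   (hypothetical helper; reads the log on stdin)
#   0: "Setting up DEP" appears before "Unpacking PKG"
#   1: PKG was unpacked before DEP was set up
#   2: one of the two events is missing from the log
predep_order_ok() {
    awk -v dep="$1" -v pkg="$2" '
        $1 == "Setting" && $2 == "up" && $3 == dep && !setup { setup = NR }
        $1 == "Unpacking" && $2 == pkg && !unpack { unpack = NR }
        END {
            if (!setup || !unpack) exit 2
            exit (setup < unpack ? 0 : 1)
        }
    '
}

# Lines excerpted from the console log in the message above.
good_log() {
    cat <<'EOF'
Unpacking virtualbox-dkms (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Unpacking virtualbox-qt (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Setting up virtualbox-dkms (5.0.4-dfsg-3) ...
DKMS: install completed.
Unpacking virtualbox (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Setting up virtualbox (5.0.4-dfsg-3) ...
EOF
}

# Constructed counter-example: virtualbox unpacked before the modules are set up.
bad_log() {
    cat <<'EOF'
Unpacking virtualbox-dkms (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Unpacking virtualbox (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Setting up virtualbox-dkms (5.0.4-dfsg-3) ...
Setting up virtualbox (5.0.4-dfsg-3) ...
EOF
}

good_log | predep_order_ok virtualbox-dkms virtualbox && echo "good log: order OK"
bad_log  | predep_order_ok virtualbox-dkms virtualbox || echo "bad log: order violated"
```

The package name is matched as a whole field, so the earlier "Unpacking virtualbox-qt" and "Unpacking virtualbox-dkms" lines do not count as the unpack of virtualbox itself.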