[Pkg-virtualbox-devel] Bug#798979: Bug#798527: Bug#798979: [SECURITY] [DSA 3359-1] virtualbox security update

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Fri Sep 18 21:43:08 UTC 2015


(dropping -security from cc list, I don't think this is a security issue, nor a regression,
so it should be handled with the normal s-p-u procedure I guess).

Anyway, I prepared a little update to the jessie-security package
http://debomatic-amd64.debian.net/distribution#stable/virtualbox/4.3.30-dfsg-1+deb8u2/buildlog
It is building right now, and will be available in half an hour or so.

Dirk, can you please give it a try?

many thanks!
(I'm still wondering about the -source package, I'll test something tomorrow and push on unstable
with urgency=high, to be able to s-p-u it soon after)

cheers, and thanks for the fix


Gianfranco




On Friday, 18 September 2015 19:51, Ritesh Raj Sarraf <rrs at debian.org> wrote:
Adding the other bug, similar to it, against Unstable.


As mentioned earlier, it does look like we need to add a tighter
dependency in between the dkms/source package and the main virtualbox
package.


I just made the changes, built, and verified locally. And it seems to
be in line with my root cause. Of course, I'd like us to push it to
Unstable first (and close 798527), and then tackle the other stable
releases. And any additional testing is going to help now.


Please see console log below. With the tighter dependency now,
virtualbox does not get picked until its {Pre}Dependency, i.e.
virtualbox-dkms is properly installed.

I have pushed the changes to the git repo, for the master branch.

@Gianfranco: I'm still on the sloppy internet network, so if you have
the bandwidth, please feel free to prepare the new upload.


rrs at chutzpah:/var/tmp/vbox$ apt-cache policy virtualbox virtualbox-dkms
virtualbox:
  Installed: 5.0.4-dfsg-2
  Candidate: 5.0.4-dfsg-2
  Version table:
     5.0.4-dfsg-3 0
        500 file:/var/tmp/vbox/  Packages
*** 5.0.4-dfsg-2 0
        990 http://ftp.debian.org/debian/ testing/contrib amd64 Packages
        500 http://ftp.debian.org/debian/ unstable/contrib amd64 Packages
        100 /var/lib/dpkg/status
virtualbox-dkms:
  Installed: 5.0.4-dfsg-2
  Candidate: 5.0.4-dfsg-2
  Version table:
     5.0.4-dfsg-3 0
        500 file:/var/tmp/vbox/  Packages
*** 5.0.4-dfsg-2 0
        990 http://ftp.debian.org/debian/ testing/contrib amd64 Packages
        500 http://ftp.debian.org/debian/ unstable/contrib amd64 Packages
        100 /var/lib/dpkg/status
22:56 ♒♒♒   ☺    

rrs at chutzpah:/var/tmp/vbox$ sudo aptitude install virtualbox=5.0.4-dfsg-3 virtualbox-dkms=5.0.4-dfsg-3 virtualbox-qt=5.0.4-dfsg-3
The following packages will be upgraded: 
  virtualbox virtualbox-dkms virtualbox-qt 
3 packages upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Need to get 0 B/21.3 MB of archives. After unpacking 12.3 kB will be
freed.
Do you want to continue? [Y/n/?] 
WARNING: untrusted versions of the following packages will be
installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.

  virtualbox virtualbox-dkms virtualbox-qt 

Do you want to ignore this warning and proceed anyway?
To continue, enter "Yes"; to abort, enter "No": Yes
Reading changelogs... Doneelogs... 33%  
(Reading database ... 332296 files and directories currently
installed.)
Preparing to unpack .../virtualbox-dkms_5.0.4-dfsg-3_all.deb ...

-------- Uninstall Beginning --------
Module:  virtualbox
Version: 5.0.4
Kernel:  4.1.7+ (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this
kernel.

vboxdrv.ko:
- Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
- Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module
version.


vboxnetadp.ko:
- Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
- Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module
version.


vboxnetflt.ko:
- Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
- Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module
version.


vboxpci.ko:
- Uninstallation
   - Deleting from: /lib/modules/4.1.7+/updates/dkms/
- Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module
version.

depmod.......

DKMS: uninstall completed.

------------------------------
Deleting module version: 5.0.4
completely from the DKMS tree.
------------------------------
Done.
Unpacking virtualbox-dkms (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Preparing to unpack .../virtualbox-qt_5.0.4-dfsg-3_amd64.deb ...
Unpacking virtualbox-qt (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Processing triggers for hicolor-icon-theme (0.13-1) ...
Processing triggers for shared-mime-info (1.3-1) ...
Unknown media type in type 'all/all'
Unknown media type in type 'all/allfiles'
Processing triggers for mime-support (3.59) ...
Processing triggers for gnome-menus (3.13.3-6) ...
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for menu (2.1.47) ...
Processing triggers for man-db (2.7.3-1) ...
Setting up virtualbox-dkms (5.0.4-dfsg-3) ...
Loading new virtualbox-5.0.4 DKMS files...
Building only for 4.1.7+
Building initial module for 4.1.7+
Done.

vboxdrv:
Running module version sanity check.
- Original module
   - No original module exists within this kernel
- Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

vboxnetadp.ko:
Running module version sanity check.
- Original module
   - No original module exists within this kernel
- Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

vboxnetflt.ko:
Running module version sanity check.
- Original module
   - No original module exists within this kernel
- Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

vboxpci.ko:
Running module version sanity check.
- Original module
   - No original module exists within this kernel
- Installation
   - Installing to /lib/modules/4.1.7+/updates/dkms/

depmod....

DKMS: install completed.
(Reading database ... 332296 files and directories currently
installed.)
Preparing to unpack .../virtualbox_5.0.4-dfsg-3_amd64.deb ...
Unpacking virtualbox (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Processing triggers for systemd (226-2) ...
Processing triggers for man-db (2.7.3-1) ...
Setting up virtualbox (5.0.4-dfsg-3) ...
Setting up virtualbox-qt (5.0.4-dfsg-3) ...
Processing triggers for menu (2.1.47) ...
                                        
Current status: 6 updates [-3].
22:59 ♒♒♒   ☺  


On Fri, 2015-09-18 at 10:17 +0000, Gianfranco Costamagna wrote:
> BTW I'm mostly sure as we specified in a previous email, this problem
> is not related to the security
> DSA, but with a race condition in an upgrade path handled by apt.
> (probably always here, but with systemd it might be occurring more
> frequently).
> 
> (it might have happened with a one-line patch, or even with a no
> change rebuild)
> 
> 
> A solution might be to do a
> "systemctl stop virtualbox" and check that no "VBoxSVC" is running.
> 
> 
> (and sorry for the bad experience you had)
> 
> 
> cheers,
> 
> Gianfranco
> 
-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
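
Added example (not part of the original messages, and not the package's own code): a check over a dpkg/aptitude transcript for the ordering the tighter dependency is meant to enforce, i.e. virtualbox-dkms is set up before virtualbox is unpacked. The function names and both sample transcripts are assumptions; the "racy" one is constructed to show the order the fix prevents.

```shell
#!/bin/sh
# check_dkms_order [DKMS_PKG] [MAIN_PKG]  (reads an install transcript on stdin)
# Exit status: 0 = DKMS_PKG was set up before MAIN_PKG was unpacked,
#              1 = MAIN_PKG was unpacked first, 2 = one of the events is missing.
check_dkms_order() {
    awk -v dkms="${1:-virtualbox-dkms}" -v main="${2:-virtualbox}" '
        # Compare whole fields so "virtualbox-qt" or "virtualbox-dkms"
        # is never mistaken for "virtualbox".
        $1 == "Setting" && $2 == "up" && $3 == dkms && !setup { setup = NR }
        $1 == "Unpacking" && $2 == main && !unpack { unpack = NR }
        END {
            if (!setup || !unpack) exit 2
            exit (setup < unpack ? 0 : 1)
        }'
}

# Constructed sample: abbreviated from the console log in this thread.
sample_fixed() {
    cat <<'EOF'
Unpacking virtualbox-dkms (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Unpacking virtualbox-qt (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Setting up virtualbox-dkms (5.0.4-dfsg-3) ...
DKMS: install completed.
Unpacking virtualbox (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Setting up virtualbox (5.0.4-dfsg-3) ...
EOF
}

# Constructed sample: the ordering without the tighter dependency,
# where virtualbox is unpacked before the modules are rebuilt.
sample_racy() {
    cat <<'EOF'
Unpacking virtualbox-dkms (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Unpacking virtualbox (5.0.4-dfsg-3) over (5.0.4-dfsg-2) ...
Setting up virtualbox-dkms (5.0.4-dfsg-3) ...
Setting up virtualbox (5.0.4-dfsg-3) ...
EOF
}

sample_fixed | check_dkms_order && echo "fixed ordering: dkms configured first"
sample_racy | check_dkms_order || echo "racy ordering detected (status $?)"
```

A saved transcript of a real upgrade can be piped through check_dkms_order in the same way.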


