Discuss the 5.2.22 release

michael
Oracle Corporation
Posts: 682
Joined: 10. May 2007, 09:46

Discuss the 5.2.22 release

Post by michael »

Discuss the 5.2.22 release here.
You can download the release here.
Mainly a regression-fix release for 5.2.20.
mooninite
Posts: 16
Joined: 17. Jan 2008, 05:50
Primary OS: Fedora other
VBox Version: OSE Fedora
Guest OSses: RHEL, SuSE, SCO OpenServer, Windows XP

Re: Discuss the 5.2.22 release

Post by mooninite »

Does this release contain any update to the Intel NICs and NAT security issue announced on websites a few days ago?
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Discuss the 5.2.22 release

Post by socratis »

@mooninite
The first rule of Fight Club is: you do not talk about Fight Club.
The second rule of Fight Club is: you DO NOT talk about Fight Club!
  • Tyler Durden, 1999
;)
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Post by Jacob Klein »

Not gonna lie ... that response is a bit insulting. Let's not trivialize the question, please.
I too came here for a proper answer. Can we have one, please?

Here's what I've found so far about the problem:
https://www.zdnet.com/article/virtualbo ... esearcher/
https://github.com/MorteNoir1/virtualbox_e1000_0day
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Discuss the 5.2.22 release

Post by socratis »

Let's put our collective thinking together, shall we?
A 0-day exploit is published. Even my local channel had a report on it. Two days later a new release comes out...

What could be considered as insulting, is the lack of common sense. Methinks...
Martin
Volunteer
Posts: 2560
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: Discuss the 5.2.22 release

Post by Martin »

The researcher complains that https://www.virtualbox.org/ticket/16444 "was never considered a security vulnerability".
Looking at the provided information in the ticket I'm not very surprised about it...
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Post by Jacob Klein »

So, is it fixed or not? It's a pretty simple question.
If the question is inappropriate or unanswerable due to policy, then please explicitly say so.

I'm having a difficult time trying to parse your non-answers.
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Post by Jacob Klein »

I found this, where the researcher indicates that .22 does contain the fix.
https://github.com/MorteNoir1/virtualbo ... /issues/12
michael
Oracle Corporation
Posts: 682
Joined: 10. May 2007, 09:46

Re: Discuss the 5.2.22 release

Post by michael »

Speaking as one of the developers - the rule at Oracle (what Socratis paraphrased) is that only certain people are allowed to comment publicly on security issues at all. I am not one of those people, and I don't think there are any on our team. So we are not even allowed to say that there was a security fix; all public information is in the Oracle critical patch update information[1]. And what happened between October and January will presumably be in the January one. You may think what you want about this policy of course; since I am working for Oracle I follow Oracle policy.

[1] https://www.oracle.com/technetwork/secu ... 28296.html
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: Discuss the 5.2.22 release

Post by Jacob Klein »

Thank you Michael. That does make it clearer. While I'm not sure if I agree with the policy, it is helpful to know that responses are limited by policy. Prior responses in this thread were not clear, to me.

I also found this, which lists all the Critical Patch Updates (CPUs), including prior ones:
https://www.oracle.com/technetwork/topi ... 86861.html
EdT
Posts: 2
Joined: 15. Nov 2018, 14:54

Re: Discuss the 5.2.22 release

Post by EdT »

I never understand why companies are so reluctant to be open about critical fixes. All software companies make them, and kudos to those who are honest.
It seems that asking questions here, when Oracle obfuscate things all the time, is also a trigger for rudeness by some people.
Anyway, I have received an answer to my original question so I leave happy.
Thanks
Ed
johnst1e
Posts: 1
Joined: 11. Dec 2018, 20:17

Re: Discuss the 5.2.22 release

Post by johnst1e »

I just upgraded from 5.2.18 to 5.2.22 and now the video playback leads the audio by about 1 second in all my guests. Is it just me or do others have this problem?
I have a Win 10 64bit host and Slitaz, Debian, Lubuntu, Ubuntu guests and now when I play a youtube video the audio is out of sync in all my guests.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Discuss the 5.2.22 release

Post by socratis »

johnst1e wrote: now the video playback leads the audio by about 1 second in all my guests
I've seen a couple of reports about that 1 second delay. Nothing easily reproducible. And I don't mean reproducible by you, but by other people... ;)
zdamienr
Posts: 1
Joined: 22. Jan 2019, 20:01

Re: Discuss the 5.2.22 release

Post by zdamienr »

I didn't pin it down to a 1 second delay, but I did notice recently that a Youtube video is out of sync (video and audio don't match) when played within Virtualbox.

Host: Windows 10, up to date.
Guest: Arch Linux, up to date apart from freezing virtualbox packages at 5.2.22, using ALSA and not PulseAudio. Firefox 64.0.2.
Also happens in Chromium 71.0.something. And yeah, the audio starting a second or two slow looks like a good description.
Virtualbox: 5.2.22, appropriate Guest Extensions installed

Peter15NTl
Posts: 78
Joined: 20. Jan 2017, 17:41

Re: Discuss the 5.2.22 release

Post by Peter15NTl »

Regarding the vulnerability: can malware or a script exit a virtual machine and get full rights on a host in a limited-access host account? I.e., is it safe to work with limited rights on a host in a system with old versions of VirtualBox? And are versions 5.1.xx affected?