Ubuntu
virtualbox-guest-additions-iso package

SRU virtualbox-ext-pack, virtualbox-guest-additions-iso to match virtualbox versions

Bug #1540243 reported by Jan Henke
42
This bug affects 9 people
Affects Status Importance Assigned to Milestone
virtualbox-ext-pack (Ubuntu)
Fix Released
Low
Unassigned
Wily
Fix Released
Low
Unassigned
Xenial
Fix Released
Low
Unassigned
virtualbox-guest-additions-iso (Ubuntu)
Fix Released
Low
Unassigned
Precise
Fix Released
Low
Unassigned
Trusty
Fix Released
Low
Unassigned
Vivid
Won't Fix
Low
Unassigned
Wily
Fix Released
Low
Unassigned
Xenial
Fix Released
Low
Unassigned

Bug Description

[Impact]

 * some ext-pack and guest-additions-iso versions are too old to be useful with newer virtualbox releases

[Test Case]

* install a virtualbox machine and extpack/guest-additions, update virtualbox from -security, and in some case you won't be able to start the machine anymore

[Regression Potential]

 * none.

[Other Info]

Due to upstream's patch policy, security updated are newer minor releases. That is great for the user. But the catch is that just the main virtua box packages (virtualbox, virtualbox-qt and virtualbox-dkms) are updated.

Both virtualbox-guest-additions-iso and virtualbox-ext-pack become useless after the security update is installed, as the minor version must match for it to work. While the virtualbox-ext-pack is arguably relatively easy to find on upstream's webpage (which one has to know about and go there yourself), the guest additions iso actually has no public download, since it always comes bundled with the virtualbox releases.

Long story short, please also update these packages whenever you upload a new minor version as security update, otherwise you make those packages completely useless.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: virtualbox-guest-additions-iso 5.0.4-1
ProcVersionSignature: Ubuntu 4.2.0-25.30-generic 4.2.6
Uname: Linux 4.2.0-25-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: XFCE
Date: Mon Feb 1 08:32:31 2016
InstallationDate: Installed on 2015-11-04 (88 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
PackageArchitecture: all
SourcePackage: virtualbox-guest-additions-iso
UpgradeStatus: No upgrade log present (probably fresh install)

See original description
Revision history for this message
Jan Henke (jhe) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox-ext-pack (Ubuntu):
status: New → Confirmed
Changed in virtualbox-guest-additions-iso (Ubuntu):
status: New → Confirmed
Revision history for this message
Peter John Allebone (allebone) wrote :

This can potentially cause issues on guests running with 3d support as I just found out. Came here to log the same bug as I had to get them from http://download.virtualbox.org/virtualbox/

Pete

Revision history for this message
Kevin Funk (kfunk) wrote :

Work-around for extpack:

$ wget http://download.virtualbox.org/virtualbox/5.0.14/Oracle_VM_VirtualBox_Extension_Pack-5.0.14-105127.vbox-extpack
$ sudo VBoxManage extpack uninstall "Oracle VM VirtualBox Extension Pack"
$ sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.0.14-105127.vbox-extpack

Revision history for this message
Jan Henke (jhe) wrote :

@kfunk: There is also a GUI option for that, but that is not the point of this bug. It is possible to download these things manually, but they are also packaged, so the packaged version must continue to work even after a security related update.

That is currently not the case, so the whole point is to make the package maintainer aware he/she needs to update those associated packages as well.

Revision history for this message
Kevin Funk (kfunk) wrote :

I didn't know there's a GUI option.

I agree it's a bug which needs to be handled; that's why I said "work-around", not "fix".

Gianfranco Costamagna (costamagnagianfranco)
summary: - Packaged version must match version of virtualbox package
+ SRU virtualbox-ext-pack, virtualbox-guest-additions-iso to match
+ virtualbox versions
description: updated
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

 virtualbox-ext-pack - 5.0.14-0ubuntu1
 virtualbox-guest-additions-iso - 5.0.14-0ubuntu1.15.10.1
 virtualbox-guest-additions-iso - 4.3.36-1ubuntu1.14.04.1
 virtualbox-guest-additions-iso - 4.1.44-1ubuntu1.12.04.1

ready in my ppa
https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/costamagnagianfranco-ppa

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Hi Security Team, I would like to ask you if I can upload directly or you prefer to do it. it isn't not a strict security upload, but a followup of a security one.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I think it makes sense to update these packages in the -security pocket, along with the other virtualbox security releases.

Changed in virtualbox-ext-pack (Ubuntu Xenial):
status: Confirmed → Fix Released
Changed in virtualbox-ext-pack (Ubuntu Wily):
status: New → Confirmed
Changed in virtualbox-ext-pack (Ubuntu Precise):
status: New → Invalid
Changed in virtualbox-ext-pack (Ubuntu Trusty):
status: New → Invalid
Changed in virtualbox-ext-pack (Ubuntu Vivid):
status: New → Invalid
Changed in virtualbox-guest-additions-iso (Ubuntu Precise):
status: New → Confirmed
Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: New → Confirmed
Marc Deslauriers (mdeslaur)
Changed in virtualbox-guest-additions-iso (Ubuntu Vivid):
status: New → Won't Fix
Changed in virtualbox-guest-additions-iso (Ubuntu Wily):
status: New → Confirmed
Changed in virtualbox-guest-additions-iso (Ubuntu Xenial):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
tags: added: upgrade-software-version
Changed in virtualbox-ext-pack (Ubuntu Wily):
importance: Undecided → Low
Changed in virtualbox-ext-pack (Ubuntu Xenial):
importance: Undecided → Low
Changed in virtualbox-guest-additions-iso (Ubuntu Precise):
importance: Undecided → Low
Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
importance: Undecided → Low
Changed in virtualbox-guest-additions-iso (Ubuntu Vivid):
importance: Undecided → Low
Changed in virtualbox-guest-additions-iso (Ubuntu Wily):
importance: Undecided → Low
Changed in virtualbox-guest-additions-iso (Ubuntu Xenial):
importance: Undecided → Low
Amr Ibrahim (amribrahim1987)
tags: added: trusty
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi LocutusOfBorg - I have reviewed the virtualbox-guest-additions-iso changes and have a couple questions about the Precise debdiff.

 1) You removed the virtualbox-guest-additions transitional binary package from the control file but there's no mention of that in the changelog. Was that intentional? If so, what is the reasoning and what affect does it have on installs and upgrades?

 2) In the trusty debdiff, you renamed debian/create-upstream-tarball to debian/get-orig-source.sh and made some changes to it. In the precise debdiff, it looks like you left debian/create-upstream-tarball around despite creating debian/get-orig-source.sh. Was that intentional?

Changed in virtualbox-guest-additions-iso (Ubuntu Precise):
status: Confirmed → Incomplete
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

1) I actually wondered about it. It was a transitional package introduced in 4.0, but in fact lucid did have the old package.
So there isn't an upgrade path issue from precise-1 to precise, but there is one from Lucid to Precise (LTS-LTS).

I restored it, even if Lucid is EOL, we should give users the new package upon upgrade, good catch!

2) I removed it, I don't care too much about the watch file, but since it is fixed in a later release, it would be nice to allow people apt-get source the guest-additions and use the uscan command.
(a plain uscan doesn't work because of upstream changes, but the new script is better than the old one anyway, even if it needs to be called manually because both of them don't work anymore with iso files)

there is a .2 upload on my ppa, feel free to rebase into the previous .1 :)

Revision history for this message
Tyler Hicks (tyhicks) wrote :

The debdiffs all look good. I had to make some minor adjustments to the changelogs such as routing them to the security pockets but nothing major. These are building in the security-proposed ppa and will be released sometime today. Thanks!

Changed in virtualbox-guest-additions-iso (Ubuntu Precise):
status: Incomplete → Confirmed
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

True, for some reasons ppa doesn't handle security pockets (I tried to change the .changes pocket manually, but dput-ng complains, and I gave up because I don't remember/know how to override the check :p)

thanks!

Mathew Hodson (mhodson)
no longer affects: virtualbox-ext-pack (Ubuntu Vivid)
no longer affects: virtualbox-ext-pack (Ubuntu Trusty)
no longer affects: virtualbox-ext-pack (Ubuntu Precise)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-ext-pack - 5.0.14-1~ubuntu1.15.10.1

---------------
virtualbox-ext-pack (5.0.14-1~ubuntu1.15.10.1) wily-security; urgency=medium

  * Upload to wily, following the virtualbox security upload
    (LP: #1540243)

 -- Gianfranco Costamagna <email address hidden> Thu, 04 Feb 2016 10:12:32 +0100

Changed in virtualbox-ext-pack (Ubuntu Wily):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-guest-additions-iso - 4.1.44-1ubuntu1.12.04.1

---------------
virtualbox-guest-additions-iso (4.1.44-1ubuntu1.12.04.1) precise-security; urgency=medium

  * Upload to precise, following the virtualbox security upload
    (LP: #1540243)

 -- Gianfranco Costamagna <email address hidden> Thu, 04 Feb 2016 11:04:25 +0100

Changed in virtualbox-guest-additions-iso (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-guest-additions-iso - 4.3.36-1ubuntu1.14.04.1

---------------
virtualbox-guest-additions-iso (4.3.36-1ubuntu1.14.04.1) trusty-security; urgency=medium

  * Upload to trusty, following the virtualbox security upload
    (LP: #1540243)

 -- Gianfranco Costamagna <email address hidden> Thu, 04 Feb 2016 11:14:10 +0100

Changed in virtualbox-guest-additions-iso (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-guest-additions-iso - 5.0.14-1~ubuntu1.15.10.1

---------------
virtualbox-guest-additions-iso (5.0.14-1~ubuntu1.15.10.1) wily-security; urgency=medium

  * Upload to wily, following the virtualbox security upload
    (LP: #1540243)

 -- Gianfranco Costamagna <email address hidden> Thu, 04 Feb 2016 11:17:47 +0100

Changed in virtualbox-guest-additions-iso (Ubuntu Wily):
status: Confirmed → Fix Released
Revision history for this message
Kevin Funk (kfunk) wrote :

This is still (or again?) broken in Ubuntu Xenial:

# dpkg -l | grep virtualbox
ii virtualbox 5.0.14-dfsg-2build1 amd64 x86 virtualization solution - base binaries
ii virtualbox-dkms 5.0.14-dfsg-2build1 all x86 virtualization solution - kernel module sources for dkms
ii virtualbox-ext-pack 5.0.16-1 all extra capabilities for VirtualBox, downloader.
ii virtualbox-guest-additions-iso 5.0.16-1 all guest additions iso image for VirtualBox
ii virtualbox-qt 5.0.14-dfsg-2build1 amd64 x86 virtualization solution - Qt based user interface

=> virtualbox at 5.0.14, extpack at 5.0.16.

Revision history for this message
Graham Inggs (ginggs) wrote :

@kfunk:
Virtualbox 5.0.16 hasn't migrated from -proposed yet:
https://launchpad.net/ubuntu/+source/virtualbox/5.0.16-dfsg-2

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.