Bug#: 193196
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Stefan Behte <craig@gentoo.org>
Description:   Opened: 2007-09-20 15:46 0000
Hi, we need new ebuilds for 
app-emulation/vmware-server-1.0.4
and
app-emulation/vmware-workstation-6.0.1

older packages should then be masked AFAIK.

See http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0356.html

You can get the newest version here:
http://www.vmware.com/download/server/ ->
http://download3.vmware.com/software/vmserver/VMware-server-1.0.4-56528.tar.gz

------- Comment #1 From Stefan Behte 2007-09-20 15:47:58 0000 -------
Changed from "Applications" to "Ebuilds" because that fits better.

------- Comment #2 From Pierre-Yves Rofes 2007-09-20 16:00:52 0000 -------
Thanks for the report. Vmware, please bump as necessary.

------- Comment #3 From Mike Auty 2007-09-20 16:21:45 0000 -------
vmware-workstation-6.0.1
vmware-player-2.0.1
vmware-server-1.0.4

have all been bumped in the vmware overlay, but are not yet fully tested. 
Vmware-server seems to work OK, vmware-workstation is behaving itself, but
requires not only the 200 Mb download to get working, but another 67 Mb because
they changed the modules again, meaning we've had to revert to using their
sources.

How urgent a bump requirement is this?  Do we have time to make sure the
ebuilds aren't badly broken before they go into the main tree?

------- Comment #4 From Mike Auty 2007-09-20 16:24:19 0000 -------
Please also note, I've got no idea what's going on with workstation 4.5 or 5.5,
I don't even know if they've had security releases made by upstream...

------- Comment #5 From Stefan Behte 2007-09-20 16:31:58 0000 -------
I successfully just cp'ed
app-emulation/vmware-server/vmware-server-1.0.3.44356.ebuild to
vmware-server-1.0.4.56528.ebuild, did an "ebuild
vmware-server-1.0.4.56528.ebuild digest" and "ebuild
vmware-server-1.0.4.56528.ebuild merge".
It emerged without problems, vmware-config.pl worked, and I could start a guest
system inside vmware.

Though, I haven't checked all the files in
app-emulation/vmware-server/files/general, so I don't know if all of them are
still necessary.

"Updated versions of all supported hosted products and all ESX 2x
products and patches for ESX 30x address critical security updates. "
-> seems to me that they don't support and/or patch the old versions anymore.


>How urgent a bump requirement is this?  Do we have time to make sure the
>ebuilds aren't badly broken before they go into the main tree?

From the advisory: "This release fixes a security vulnerability that could
allow a guest operating system user with administrative privileges to cause
memory corruption in a host process, and thus potentially execute arbitrary
code on the host. (CVE-2007-4496) "

Well, depending on your point of view you might regard this as worst-case
scenario or not. I'd prefer to have the ebuilds properly tested, but I'm not
the person to decide that.


BTW: Is there documentation on ebuilds? Things like what the patches are for? 

------- Comment #6 From Mike Auty 2007-09-20 16:35:08 0000 -------
*** Bug 193203 has been marked as a duplicate of this bug. ***

------- Comment #7 From Stefan Behte 2007-09-20 16:41:07 0000 -------
The advisory says under "I. Arbitrary code execution and denial of service
vulnerabilities":
"VMware Workstation 5.5.4 upgrade to version 5.5.5 (Build# 56455)"

I only found this on their page (where you can download 6.0.1 eval):
http://www.vmware.com/download/ws/eval.html

Maybe it's just an upgrade for buyers?!

------- Comment #8 From Robert Buchholz 2007-09-20 16:56:37 0000 -------
(In reply to comment #3)
> How urgent a bump requirement is this?  Do we have time to make sure the
> ebuilds aren't badly broken before they go into the main tree?

There have been minor-version updates for our stable versions, so you can bump
to them, too.

You can go:

vmware-workstation
  stable   5.5.4.44386 -> 5.5.5.56455
  unstable 6.0.0.45731 -> 6.0.1.55017
  is 4.5.3.19414 affected?

vmware-player
  stable   1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455
  unstable 2.0.0.45731 -> 2.0.1.55017

vmware-server
  unstable 1.0.3.44356 ->  1.0.4.56528

------- Comment #9 From Mike Auty 2007-09-20 17:27:53 0000 -------
Status:

vmware-workstation
  stable   5.5.4.44386 -> 5.5.5.56455
  unstable 6.0.0.45731 -> 6.0.1.55017 (TESTING - IN OVERLAY)
  is 4.5.3.19414 affected?

vmware-player
  stable   1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455
  unstable 2.0.0.45731 -> 2.0.1.55017 (TESTING - IN OVERLAY)

vmware-server
  unstable 1.0.3.44356 (MASKED) ->  1.0.4.56528  (FIXED - IN TREE)

vmware-ESX packages
  Maintained by mattm, who's possibly RETIRED/AWOL given bug 143232 and bug
172556.  We don't have anyone else that we know of with ESX kit to test/digest
for us.

I'll work on getting workstation-6 and player-2 into the main tree after a bit
more testing.  As to the stable ebuilds, they tend to be handled by Chris G and
I'd appreciate if he could look after bumping those please?  Let me know if
their module numbers mismatch for any reason...

------- Comment #10 From Chris Gianelloni (RETIRED) 2007-09-20 18:12:05 0000 -------
(In reply to comment #9)
> vmware-ESX packages
>   Maintained by mattm, who's possibly RETIRED/AWOL given bug 143232 and bug
> 172556.  We don't have anyone else that we know of with ESX kit to test/digest
> for us.

None of this matters, as the only ESX packages are client-side.  ESX is its own
OS, so it doesn't run on Gentoo.

> I'd appreciate if he could look after bumping those please?  Let me know if
> their module numbers mismatch for any reason...

I'll get on these today.

------- Comment #11 From Chris Gianelloni (RETIRED) 2007-09-20 22:41:41 0000 -------
(In reply to comment #9)
> Status:
> 
> vmware-workstation
>   stable   5.5.4.44386 -> 5.5.5.56455
(TESTING - IN OVERLAY)

>   is 4.5.3.19414 affected?

No clue.  I would suspect that it is affected.  I can mask the package, if you
like, as VMware no longer provides updates for this series.

> vmware-player
>   stable   1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455
(TESTING - IN OVERLAY)

I'm about to throw these new versions into the tree.  I really need someone to
check out VMware Player, since I have Workstation installed and can't install
both.

------- Comment #12 From Stefan Behte 2007-09-20 22:49:13 0000 -------
Just attach the ebuild and I'll test it, I don't have layman installed and have
no clue how to use it.

------- Comment #13 From Mike Auty 2007-09-20 22:51:15 0000 -------
30 second guide to layman:

emerge layman

layman -a vmware

vi /etc/make.conf
  Add in line "source /usr/portage/local/layman/make.conf"

emerge vmware-player...  5;)

------- Comment #14 From Mike Auty 2007-09-20 22:54:42 0000 -------
Sorry for the spam, I forgot to mention that failing that, the ebuild's at:

http://overlays.gentoo.org/proj/vmware/browser/trunk/app-emulation/vmware-player/vmware-player-1.0.5.56455.ebuild

------- Comment #15 From Stefan Behte 2007-09-20 23:23:16 0000 -------
While waiting for a reply I figured out layman by myself which was indeed done
in 30 seconds.

VMware-player-1.0.5-56455 worked just fine after adding it to ~x86 keywords.
I just noted a "scanelf" and the "libpng12.so.0" line (see below):

[...]
 * checking vmware-libcrypto.so.0.9.7l.tar.bz2 ;-) ...                   [ ok ]
>>> Unpacking source...
>>> Unpacking VMware-player-1.0.5-56455.tar.gz to /var/tmp/portage/app-emulation/vmware-player-1.0.5.56455/work
>>> Unpacking vmware-any-any-update113.tar.gz to /var/tmp/portage/app-emulation/vmware-player-1.0.5.56455/work
 * Fallback PaX marking -m
scanelf: Nothing to scan !?
 * Applying various patches (bugfixes/updates) ...
[...]

It installed cleanly.

and the "usual" message when running vmplayer:
/opt/vmware/player/lib/bin/vmplayer:
/opt/vmware/player/lib/lib/libpng12.so.0/libpng12.so.0: no version information
available (required by /usr/lib/libcairo.so.2)

A guest system ran without problems.

For app-emulation/vmware-player-2.0.1.55017 I also had to unmask
app-emulation/vmware-modules-1.0.0.17.

Both of them compiled without problems (but vmware-player spit out the same
scanelf warning as mentioned above). A guest ran without problems. When
starting vmplayer it says: "/usr/share/themes/Clearlooks/gtk-2.0/gtkrc:62:
error: unexpected identifier `animation', expected character `}'", but
everything in the GUI looks ok for me.

It took some time to download, because my ISP Arcor has problems delivering the
bandwidth I'm paying for; and unfortunately my PC is not lightning fast.

BTW: Tested with kernel 2.6.21-gentoo-r3

------- Comment #16 From Stefan Behte 2007-09-20 23:27:58 0000 -------
The sections in gtkrc look like this:
It's the "animation" line vmware-player complained about. This seems to be a
cosmetic error, as vmware-player works. I just wanted to give full info:

style "clearlooks-default"
{
 [...]

  engine "clearlooks"
  {
    #scrollbar_color   = "#76acde"
    menubarstyle      = 2       # 0 = flat, 1 = sunken, 2 = flat gradient
    animation         = FALSE
    style             = CLASSIC
    radius            = 3.0
  }
}

------- Comment #17 From Chris Gianelloni (RETIRED) 2007-09-21 00:53:01 0000 -------
OK.  I bumped the vmware-workstation and vmware-player (5.5.5 and 1.0.5)
versions in the tree.

Thanks for testing, Craig.  =]

------- Comment #18 From Stefan Behte 2007-09-21 01:04:47 0000 -------
You're welcome!

Oh, and thanks to Mike for the 30-second-guide (which I didn't need anymore,
but it was kind of you, thanks) :)

What about the things about scanelf, gtkrc and libpng that I mentioned? Are
those all just cosmetic?

------- Comment #19 From Mike Auty 2007-09-21 07:29:40 0000 -------
Yep, those are all pretty much cosmetic.  The scanelf stuff is for the
selinux/pax people.  The gtkrc issue seems not to affect the working of the
vmware-packages, and finally the libpng stuff isn't a problem unless you have a
very particular version of cairo in which case the whole thing won't start, but
it affects very few systems these days...

Thanks for pointing them out though, it kinda means everything's working
exactly the way it always has...  5;)

------- Comment #20 From Robert Buchholz 2007-09-21 07:58:39 0000 -------
Arches, please test and mark stable:
  app-emulation/vmware-workstation-5.5.5.56455
  app-emulation/vmware-player-1.0.5.56455
Targets are: "amd64 x86"

------- Comment #21 From Christian Faulhammer 2007-09-23 12:30:30 0000 -------
x86 stable

------- Comment #22 From Mike Auty 2007-10-04 07:45:49 0000 -------
*** Bug 194670 has been marked as a duplicate of this bug. ***

------- Comment #23 From Mike Doty 2007-10-11 07:16:19 0000 -------
vmware-workstation marked stable on amd64.  someone else will have to do
vmware-player.

------- Comment #24 From Mike Auty 2007-10-20 20:47:06 0000 -------
I bumped to vmware-workstation-6.0.1 and vmware-player-2.0.1 in the tree (both
were ~ARCH before and are still so now) a while ago, and have just now masked
off workstation-6.0.0 and vmware-player-2.0.0.

Just by way of summary, it appears that we're waiting for stabilization of
vmware-player-1.0.5 on amd64, and then masking off the old/vulnerable stable
versions of workstation and player...  5:)

------- Comment #25 From Chris Gianelloni (RETIRED) 2007-11-06 23:06:58 0000 -------
OK.  I marked 1.0.5 stable on amd64...

------- Comment #26 From Robert Buchholz 2007-11-07 01:24:40 0000 -------
GLSA request filed.

------- Comment #27 From Pierre-Yves Rofes 2007-11-18 21:15:32 0000 -------
GLSA 200711-23

------- Comment #28 From Martin Smith 2008-04-16 13:25:54 0000 -------
Hello all,

I run:
[ebuild   R   ] app-emulation/vmware-player-1.0.6.80404

And glsa-check is still whining at me about being vulnerable to this 200711-23
GLSA. Any advice?

------- Comment #29 From Matthias Geerdsen 2008-04-16 14:27:22 0000 -------
I just updated the GLSA to include the newer versions as unaffected.

Thanks for letting us know.

-- /var/www/glsamaker.gentoo.org/data/2007/11/23.xml    2007-11-18
21:03:41.000000000 +0000
+++ -   2008-04-16 14:18:02.596726000 +0000
@@ -17,11 +17,13 @@
   <affected>
     <package name="app-emulation/vmware-workstation" auto="yes" arch="*">
       <unaffected range="rge">5.5.5.56455</unaffected>
+      <unaffected range="rge">5.5.6.80404</unaffected>
       <unaffected range="ge">6.0.1.55017</unaffected>
       <vulnerable range="lt">6.0.1.55017</vulnerable>
     </package>
     <package name="app-emulation/vmware-player" auto="yes" arch="*">
       <unaffected range="rge">1.0.5.56455</unaffected>
+      <unaffected range="rge">1.0.6.80404</unaffected>
       <unaffected range="ge">2.0.1.55017</unaffected>
       <vulnerable range="lt">2.0.1.55017</vulnerable>
     </package>
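
Review bot: The two added "rge" lines each whitelist exactly one legacy-branch release (5.5.6.80404 and 1.0.6.80404), so the false positive reported in comment #28 will come back at the next 5.5.x or 1.0.x bump, because the vulnerable range="lt" entries still cover everything below 6.0.1.55017 and 2.0.1.55017. That is the same gap the original "rge" entries for 5.5.5.56455 and 1.0.5.56455 left. If the GLSA format cannot express "this branch, this version or later", it is worth recording next to these entries that every future bump of the old branches needs another unaffected line here.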

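Why glsa-check still flagged vmware-player-1.0.6.80404 in comment #28, as an added example that is not glsa-check's or Portage's code: a simplified model of GLSA range matching, assuming "rge" matches only revisions (-rN) of the same base version and that plain numeric comparison is enough for these version strings. The function names are hypothetical and the two XML strings are constructed from the vmware-player element in the diff.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the vmware-player <package> element in the diff above.
ORIGINAL = """<package name="app-emulation/vmware-player" auto="yes" arch="*">
  <unaffected range="rge">1.0.5.56455</unaffected>
  <unaffected range="ge">2.0.1.55017</unaffected>
  <vulnerable range="lt">2.0.1.55017</vulnerable>
</package>"""
# Same element with the line added in comment #29 (entry order does not matter here).
PATCHED = ORIGINAL.replace(
    "</package>",
    '  <unaffected range="rge">1.0.6.80404</unaffected>\n</package>')


def parse(version):
    """Split 'N.N.N[-rN]' into (numeric components, revision number)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def matches(op, bound, installed):
    """Assumed semantics: an 'r' prefix compares revisions of one base version only."""
    (iv, ir), (bv, br) = parse(installed), parse(bound)
    if op.startswith("r"):
        if iv != bv:          # different upstream version: never matches
            return False
        op, left, right = op[1:], ir, br
    else:
        left, right = (iv, ir), (bv, br)
    return {"lt": left < right, "le": left <= right, "eq": left == right,
            "ge": left >= right, "gt": left > right}[op]


def is_flagged(package_xml, installed):
    """Flag when a <vulnerable> range matches and no <unaffected> range does."""
    pkg = ET.fromstring(package_xml)

    def hit(tag):
        return any(matches(e.get("range"), e.text.strip(), installed)
                   for e in pkg.findall(tag))
    return hit("vulnerable") and not hit("unaffected")


if __name__ == "__main__":
    for label, xml in (("before", ORIGINAL), ("after", PATCHED)):
        print(label, is_flagged(xml, "1.0.6.80404"))
```

Under this model any later 1.0.x release is flagged again until it gets its own unaffected entry.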