Bug 282213 - app-emulation/vmware-{player,server} <185404: Use of uninitialized pointers in bundled libpng (CVE-2009-0040)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://lists.vmware.com/pipermail/sec...
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 280455
Depends on:
Blocks: built_with_use
Reported: 2009-08-21 16:08 UTC by Tony Vroon (RETIRED)
Modified: 2012-09-29 16:26 UTC

See Also:
Package list:
Runtime testing required: ---

Description Tony Vroon (RETIRED) gentoo-dev 2009-08-21 16:08:55 UTC
VMware Workstation 6.5.2 and earlier, Player 2.5.2 and earlier & ACE 2.5.2 and earlier are susceptible to multiple vulnerabilities because of a bundled copy of libpng and apache.
Vulnerability details follow:

CVE-2006-5752 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5752):
  Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.

CVE-2007-1863 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1863):
  cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.

CVE-2007-3304 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3304):
  Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer."

CVE-2007-3847 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3847):
  The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read.

CVE-2007-5000 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5000):
  Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2007-6388 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6388):
  Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2008-0005 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0005):
  mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.

CVE-2009-0040 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0040):
  The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.
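The libpng CVE above names a free of an uninitialized pointer in pCAL chunk handling. The following is an added illustration, not libpng's or VMware's code: a constructed pCAL-like parser (assumed layout: one count byte, then that many NUL-terminated strings) written with the fix libpng applied, every pointer zeroed before any early exit can free it, so a truncated chunk takes the error path without freeing garbage.

```c
/* Added example, not libpng's or VMware's code: a constructed pCAL-like chunk
 * parser showing the CVE-2009-0040 bug class (freeing a never-initialised
 * pointer on an error path) and its fix: zero pointers before any early exit.
 * Assumed layout: one byte nparams, then nparams NUL-terminated strings. */
#include <stdlib.h>
#include <string.h>
#define MAX_PARAMS 4

struct pcal { int nparams; char *params[MAX_PARAMS]; };

/* Releases parsed strings; safe on a zeroed or already-released struct. */
void free_pcal(struct pcal *p)
{
    for (int i = 0; i < MAX_PARAMS; i++) { free(p->params[i]); p->params[i] = NULL; }
    p->nparams = 0;
}

/* Returns 0 on success, -1 on malformed input (count too large, truncated or
 * unterminated string). On failure *out is left released and zeroed. */
int parse_pcal(const unsigned char *buf, size_t len, struct pcal *out)
{
    size_t pos = 1;
    memset(out, 0, sizeof(*out));          /* the fix: params[] start as NULL */
    if (len < 1 || buf[0] > MAX_PARAMS)
        return -1;
    out->nparams = buf[0];
    for (int i = 0; i < out->nparams; i++) {
        if (pos >= len)
            goto fail;                     /* chunk ends before param i */
        const unsigned char *end = memchr(buf + pos, '\0', len - pos);
        if (end == NULL)
            goto fail;                     /* string not NUL-terminated */
        size_t n = (size_t)(end - (buf + pos)) + 1;
        out->params[i] = malloc(n);
        if (out->params[i] == NULL)
            goto fail;
        memcpy(out->params[i], buf + pos, n);
        pos += n;
    }
    return 0;
fail:
    /* Safe only because every slot was zeroed before the first early exit;
     * the vulnerable pattern called free() on slots still holding garbage. */
    free_pcal(out);
    return -1;
}
```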
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2009-08-21 16:24:12 UTC
Update to comment 1; the Apache CVEs are only relevant to VMWare ACE on Windows.

Vadim, could you please bump vmware-workstation & vmware-server to the required new versions so they can be fast-tracked to stable?
Comment 2 Vadim Kuznetsov (RETIRED) gentoo-dev 2009-08-22 02:13:13 UTC
I've added to the tree:
vmware-modules-1.0.0.25.ebuild
vmware-player-2.5.3.185404.ebuild
vmware-workstation-6.5.3.185404.ebuild
Comment 3 Toralf Förster gentoo-dev 2009-08-22 09:53:18 UTC
I get:
Calculating dependencies  ... done!
[uninstall    ]  app-emulation/vmware-player-2.5.2.156735-r1
[blocks b     ] >=app-emulation/vmware-modules-1.0.0.25 (">=app-emulation/vmware-modules-1.0.0.25" is blocking app-emulation/vmware-player-2.5.2.156735-r1)
[ebuild     U ]  app-emulation/vmware-player-2.5.3.185404 [2.5.2.156735-r1] 98,707 kB
[ebuild     U ]   app-emulation/vmware-modules-1.0.0.25 [1.0.0.24] 478 kB
[blocks B     ] >=app-emulation/vmware-modules-1.0.0.25 (">=app-emulation/vmware-modules-1.0.0.25" is blocking app-emulation/vmware-player-2.5.2.156735-r1)

Total: 2 packages (2 upgrades, 1 uninstall), Size of downloads: 99,185 kB
Conflict: 1 block

Would you like to merge these packages? [Yes/No]

>>> Verifying ebuild manifests

!!! A file listed in the Manifest could not be found: /usr/portage/app-emulation/vmware-player/files/2.5.3.185404/vmware-player-extras.py.patch
Comment 4 Vadim Kuznetsov (RETIRED) gentoo-dev 2009-08-22 13:28:25 UTC
(In reply to comment #3)
> >>> Verifying ebuild manifests
> 
> !!! A file listed in the Manifest could not be found:
> /usr/portage/app-emulation/vmware-player/files/2.5.3.185404/vmware-player-extras.py.patch
Darn, I do not know how it happened, I mean files in changelog, cvs add commands in bash history...
Anyway, sorry about that, I recommitted the folder and two patches.
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2009-08-22 18:33:58 UTC
(In reply to comment #2)
> I've added to the tree:
> vmware-modules-1.0.0.25.ebuild
> vmware-player-2.5.3.185404.ebuild
> vmware-workstation-6.5.3.185404.ebuild

Arches, please test and mark stable. Target keywords: "amd64 x86"
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-25 11:35:54 UTC
x86 stable
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-25 12:03:54 UTC
*** Bug 280455 has been marked as a duplicate of this bug. ***
Comment 8 Mike Doty (RETIRED) gentoo-dev 2009-08-28 14:28:11 UTC
app-emulation/vmware-player-2.5.3.185404 tested fine on amd64. tanderson asked to commit when finished with server.
Comment 9 Vadim Kuznetsov (RETIRED) gentoo-dev 2009-09-22 18:02:06 UTC
I've updated vmware-server ebuild, so server will use system libpng12.so.0.
Comment 10 Markus Meier gentoo-dev 2009-09-25 10:38:31 UTC
amd64 stable, all arches done.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 15:39:23 UTC
Added to pending GLSA.
Comment 12 Cleber Paiva de Souza 2010-07-16 16:58:19 UTC
(In reply to comment #9)
> I've updated vmware-server ebuild, so server will use system libpng12.so.0.
> 

The same should be applied to other vmware packages, such as vmware-workstation, which suffer from the same problem.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-29 16:26:25 UTC
This issue was resolved and addressed in
 GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml
by GLSA coordinator Sean Amoss (ackle).