213548 CVE-2008-1340 2008-03-16 03:36 0000 app-emulation/vmware-workstation +server +player Multiple vulnerabilities (CVE-2008-{1340,1361,1362,1363,1364,1392}) 2008-05-13 00:14:39 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux ASSIGNED http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html#603 B2 [glsa] P2 normal --- 1 conardcox@gmail.com security@gentoo.org anigel@gmx.fr craig@gentoo.org joshin@hotmail.com vmware@gentoo.org conardcox@gmail.com 2008-03-16 03:36:02 0000 There is a new version of vmware workstation out as of 3/14/2008. The current ebuilds are not compatible with this version. Please add to portage with testable ebuilds, masked for arch. Reproducible: Always Steps to Reproduce: 1. emerge arch vmware-workstation with ~x86 or ~x86_64 2. 3. Actual Results: current ebuilds are unable to fetch vmware-workstation 6 versions. Expected Results: vmware-workstation 6 should be installed carlo@gentoo.org 2008-03-16 21:38:16 0000 5.5.6 has been released, fixing the very same issues, too. While we're at it: I don't understand 4.5.3 isn't masked since the last VMware vulnerability update. For whom it isn't an issue, because the VM guests are not exposed, can unmask it, but for everyone else we should assure even the problem will be noticed, even if the user does not care about GLSAs. ikelos@gentoo.org 2008-03-16 21:45:15 0000 I've bumped workstation to 6.0.3 and player to 2.0.3 in the vmware overlay for a quick bit of testing. Server{-console}-1.0.5 is causing a few issues relating to gcc-4.2.0 compilation vs gcc-4.2.3 runtime, so will take me a bit longer to get a suitable fix in place. Chris has historically dealt with workstation < 6, and I don't have licenses for those versions, so I'm inclined to leave those with him. Please note, the openssl fixes rolled into this update I think were covered by our fix for bug 148682, so I'm not certain how critical this update actually is... conardcox@gmail.com 2008-03-16 22:26:03 0000 (In reply to comment #2) > I've bumped workstation to 6.0.3 and player to 2.0.3 in the vmware overlay for > a quick bit of testing. Server{-console}-1.0.5 is causing a few issues > relating to gcc-4.2.0 compilation vs gcc-4.2.3 runtime, so will take me a bit > longer to get a suitable fix in place. Chris has historically dealt with > workstation < 6, and I don't have licenses for those versions, so I'm inclined > to leave those with him. > > Please note, the openssl fixes rolled into this update I think were covered by > our fix for bug 148682, so I'm not certain how critical this update actually > is... > Thanks, I've pulled it from the overlay and it's working well. There is a question about the vmware-modules version (there's a 1.0.0.18) version that's getting pulled in at the moment that wants to unmerge workstation 6.0.3, but I just masked it. ikelos@gentoo.org 2008-03-16 22:29:14 0000 vmware-modules-1.0.0.18 is for vmware-server-2 (which is badly broken at the moment), so you did the right thing by masking it, just be aware if you ever want to try out server-2, you'll need to unmask it again... 5:) jakub@gentoo.org 2008-03-18 19:56:42 0000 *** Bug 213864 has been marked as a duplicate of this bug. *** craig@gentoo.org 2008-03-19 10:36:22 0000 FYI: renaming vmware-server-1.0.4.56528.ebuild to vmware-server-1.0.5.80187.ebuild and then merging worked without any problems, VMWare runs fine. All patches are still needed. BTW: Is there any source where people can look for the purpose of a specific patch? Reviewing all patches is probably not very efficient. ikelos@gentoo.org 2008-03-20 08:02:55 0000 Craig, There's an issue for some people using GCC 4.2.3 that causes vmware-server-console-1.0.5 (and, as it turns out, 1.0.4) not to run because of the packaged libgcc_s.so.1 looking for gcc-4.2.0. I'd like to get this fixed before rushing out a version bump and then having to bump again with the fix. Please note that many of the vulnerabilties listed in the advisory were pertinent to windows systems running vmware, and the openssl issues were manually fixed by us earlier. The only flaw that seems to directly affect us is use of an old libpng... The patch names or the contents of the patches themselves are the only method to determine if they're still needed. Having written most of the patches, they relate mostly to altering the startup scripts to work in a Gentoo environment, and so will always be necessary. Getting Gentoo installed through portage is not an easy task and takes a bit of mangling, as the patches show... 5;) craig@gentoo.org 2008-03-20 09:16:09 0000 I know it's not that easy, especially for packages like VMWare! I also reviewed all the patches. :) Thanks for the clarification and good work. As soon as 1.0.5 is in Portage, I'll upgrade several machines here and will report back wheather if it causes any problems or not. anigel@gmx.fr 2008-03-20 11:13:19 0000 Created an attachment (id=146644) vmware-workstation-5.5.6.80404.ebuild Hi, I already posted this to the vmware alias list, but got no answer. So trying here. I have been working on a modified ebuild for vmware-ws-5.5.6 build 80404. It still has problems, but may help to build a valid one. jakub@gentoo.org 2008-03-20 14:09:51 0000 *** Bug 214044 has been marked as a duplicate of this bug. *** rbu@gentoo.org 2008-03-20 18:56:07 0000 CVE-2008-1340 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1340): Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.0.x before 6.0.3, VMware Player 2.0.x before 2.0.3, and VMware ACE 2.0.x before 2.0.1 allows attackers to cause a denial of service (host OS crash) via crafted VMCI calls that trigger "memory exhaustion and memory corruption." CVE-2008-1361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1361): VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges via an unspecified manipulation that causes the authd process to connect to an arbitrary named pipe, a different vulnerability than CVE-2008-1362. CVE-2008-1362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1362): VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges or cause a denial of service by impersonating the authd process through an unspecified use of an "insecurely created named pipe," a different vulnerability than CVE-2008-1361. CVE-2008-1363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1363): VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges via an unspecified manipulation of a config.ini file located in an Application Data folder, which can be used for "hijacking the VMX process." CVE-2008-1364 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1364): Unspecified vulnerability in the DHCP service in VMware Workstation 5.5.x before 5.5.6, VMware Player 1.0.x before 1.0.6, VMware ACE 1.0.x before 1.0.5, VMware Server 1.0.x before 1.0.5, and VMware Fusion 1.1.x before 1.1.1 allows attackers to cause a denial of service. CVE-2008-1392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1392): The default configuration of VMware Workstation 6.0.2, VMware Player 2.0.x before 2.0.3, and VMware ACE 2.0.x before 2.0.1 makes the console of the guest OS accessible through anonymous VIX API calls, which has unknown impact and attack vectors. rbu@gentoo.org 2008-03-22 01:54:32 0000 We have the following targets to meet in the tree: =app-emulation/vmware-workstation-5.5.6.79688 KEYWORDS="amd64 x86" =app-emulation/vmware-workstation-6.0.3.80004 KEYWORDS="~amd64 ~x86" =app-emulation/vmware-server-1.0.5.79847 KEYWORDS="~amd64 x86" =app-emulation/vmware-player-1.0.6.79688 KEYWORDS="amd64 x86" =app-emulation/vmware-player-2.0.3.80004 KEYWORDS="~amd64 ~x86" vmware herd, how far along are we here? ikelos@gentoo.org 2008-03-22 11:12:15 0000 Ok, now in the tree are: =app-emulation/vmware-workstation-6.0.3.80004 KEYWORDS="~amd64 ~x86" =app-emulation/vmware-server-1.0.5.80187 KEYWORDS="~amd64 ~x86" =app-emulation/vmware-server-console-1.0.5.80187 KEYWORDS="~amd64 ~x86" =app-emulation/vmware-player-1.0.6.80404 KEYWORDS="~amd64 ~x86" =app-emulation/vmware-player-2.0.3.80004 KEYWORDS="~amd64 ~x86" Herdstat says Chris is away, so I'm not sure about workstation 5.5.6. It should be a simple bump, but I can't test it easily myself. player-1.0.6, server-console-1.0.5 and probably workstation-5.5.6 all have an issue (it was apparently present in earlier versions, but no one reported it), whereby the version of gcc vmware compiled them with causes a mismatch and they won't start. All OSes appear to be seeing this. There's nothing we can easily/reliably do in the ebuild, but there is a potential workaround. With Chris away, and me off for easter in an hour or two, it would be good if security@g.o could mask/stable request themselves, if they feel it necessary. Thanks... 5:) wolf31o2@gentoo.org 2008-04-04 01:33:06 0000 OK, I'm hitting the GCC error with 5.5.6, which is now in the overlay. I'll be looking into this more and will try to get it fixed and in the tree ASAP. wolf31o2@gentoo.org 2008-04-04 01:45:50 0000 OK, 5.5.6.80404 is now in the tree. anigel@gmx.fr 2008-04-07 20:29:05 0000 Thanks Chris ;). rbu@gentoo.org 2008-04-08 13:19:41 0000 Arches, please test and mark stable: =app-emulation/vmware-workstation-5.5.6.80404 KEYWORDS="amd64 x86" =app-emulation/vmware-server-1.0.5.79847 KEYWORDS="~amd64 x86" =app-emulation/vmware-player-1.0.6.79688 KEYWORDS="amd64 x86" craig@gentoo.org 2008-04-09 17:15:52 0000 Isn't it 1.0.5.80187 instead of app-emulation/vmware-server-1.0.5.79847 and app-emulation/vmware-player-1.0.6.80404 instead of app-emulation/vmware-player-1.0.6.79688?!? rbu@gentoo.org 2008-04-09 19:31:27 0000 Craig, you are obviously right. Seems I copied from the wrong post. -- Arches, please test and mark stable: =app-emulation/vmware-workstation-5.5.6.80404 KEYWORDS="amd64 x86" =app-emulation/vmware-server-1.0.5.80187 KEYWORDS="~amd64 x86" =app-emulation/vmware-player-1.0.6.80404 KEYWORDS="amd64 x86" py@gentoo.org 2008-05-06 14:25:50 0000 (In reply to comment #19) > Craig, you are obviously right. Seems I copied from the wrong post. > > -- > > Arches, please test and mark stable: > =app-emulation/vmware-workstation-5.5.6.80404 KEYWORDS="amd64 x86" > =app-emulation/vmware-server-1.0.5.80187 KEYWORDS="~amd64 x86" > =app-emulation/vmware-player-1.0.6.80404 KEYWORDS="amd64 x86" > any news here? fauli@gentoo.org 2008-05-07 14:56:51 0000 x86 stable, sorry for the delay. maekke@gentoo.org 2008-05-12 15:47:37 0000 (In reply to comment #21) > x86 stable, sorry for the delay. same for amd64. all arches done. py@gentoo.org 2008-05-12 16:44:50 0000 glsa request filed. pva@gentoo.org 2008-05-13 00:14:39 0000 Fixed in release snapshot. 146644 2008-03-20 11:13 0000 vmware-workstation-5.5.6.80404.ebuild vmware-workstation-5.5.6.80404.ebuild text/plain aW5oZXJpdCB2bXdhcmUgZXV0aWxzIHZlcnNpb25hdG9yCgpNWV9QPSJWTXdhcmUtd29ya3N0YXRp b24tJChyZXBsYWNlX3ZlcnNpb25fc2VwYXJhdG9yIDMgLSAkUFYpIgoKREVTQ1JJUFRJT049IkVt dWxhdGUgYSBjb21wbGV0ZSBQQyBvbiB5b3VyIFBDIHdpdGhvdXQgdGhlIHVzdWFsIHBlcmZvcm1h bmNlIG92ZXJoZWFkIG9mIG1vc3QgZW11bGF0b3JzIgpIT01FUEFHRT0iaHR0cDovL3d3dy52bXdh cmUuY29tL2Rvd25sb2FkL3dzL3dzNS5odG1sIgpTUkNfVVJJPSJtaXJyb3I6Ly92bXdhcmUvc29m dHdhcmUvd2tzdC8ke01ZX1B9LnRhci5negogICAgICAgIGh0dHA6Ly9kb3dubG9hZC5zb2Z0cGVk aWEucm8vbGludXgvJHtNWV9QfS50YXIuZ3oKICAgICAgICBodHRwOi8vcGxhdGFuLnZjLmN2dXQu Y3ovZnRwL3B1Yi92bXdhcmUvJHtBTllfQU5ZfS50YXIuZ3oKICAgICAgICBodHRwOi8vcGxhdGFu LnZjLmN2dXQuY3ovZnRwL3B1Yi92bXdhcmUvb2Jzb2xldGUvJHtBTllfQU5ZfS50YXIuZ3oKICAg ICAgICBodHRwOi8vZnRwLmN2dXQuY3ovdm13YXJlLyR7QU5ZX0FOWX0udGFyLmd6CiAgICAgICAg aHR0cDovL2Z0cC5jdnV0LmN6L3Ztd2FyZS9vYnNvbGV0ZS8ke0FOWV9BTll9LnRhci5negogICAg ICAgIGh0dHA6Ly9rbmlob3ZueS5jdnV0LmN6L2Z0cC9wdWIvdm13YXJlLyR7QU5ZX0FOWX0udGFy Lmd6CiAgICAgICAgaHR0cDovL2tuaWhvdm55LmN2dXQuY3ovZnRwL3B1Yi92bXdhcmUvb2Jzb2xl dGUvJHtBTllfQU5ZfS50YXIuZ3oiCgpMSUNFTlNFPSJ2bXdhcmUiClNMT1Q9IjAiCktFWVdPUkRT PSItKiB+YW1kNjQgfng4NiIKSVVTRT0iIgpSRVNUUklDVD0ic3RyaXAgZmV0Y2giCgojIHZtd2Fy ZS13b3Jrc3RhdGlvbiBzaG91bGQgbm90IHVzZSB2aXJ0dWFsL2xpYmMgYXMgdGhpcyBpcyBhCiMg cHJlY29tcGlsZWQgYmluYXJ5IHBhY2thZ2UgdGhhdHMgbGlua2VkIHRvIGdsaWJjLgpSREVQRU5E PSJzeXMtbGlicy9nbGliYwoJYW1kNjQ/ICgKCQlhcHAtZW11bGF0aW9uL2VtdWwtbGludXgteDg2 LWd0a2xpYnMgKQoJeDg2PyAoCgkJeDExLWxpYnMvbGliWHJhbmRyCgkJeDExLWxpYnMvbGliWGN1 cnNvcgoJCXgxMS1saWJzL2xpYlhpbmVyYW1hCgkJeDExLWxpYnMvbGliWGkKCQl2aXJ0dWFsL3hm dCApCgkhYXBwLWVtdWxhdGlvbi92bXdhcmUtcGxheWVyCgkhYXBwLWVtdWxhdGlvbi92bXdhcmUt c2VydmVyCgl+YXBwLWVtdWxhdGlvbi92bXdhcmUtbW9kdWxlcy0xLjAuMC4xNQoJITxhcHAtZW11 bGF0aW9uL3Ztd2FyZS1tb2R1bGVzLTEuMC4wLjE1CgkhPj1hcHAtZW11bGF0aW9uL3Ztd2FyZS1t b2R1bGVzLTEuMC4wLjE2Cgk+PWRldi1sYW5nL3BlcmwtNQoJc3lzLWFwcHMvcGNpdXRpbHMiCgpT PSR7V09SS0RJUn0vdm13YXJlLWRpc3RyaWIKClJVTl9VUERBVEU9Im5vIgoKZGlyPS9vcHQvdm13 YXJlL3dvcmtzdGF0aW9uCkRkaXI9JHtEfS8ke2Rpcn0KClFBX1RFWFRSRUxTX3g4Nj0iJHtkaXI6 MX0vbGliL2xpYi9saWJnZGsteDExLTIuMC5zby4wL2xpYmdkay14MTEtMi4wLnNvLjAiClFBX0VY RUNTVEFDS194ODY9IiR7ZGlyOjF9L2Jpbi92bW5ldC1icmlkZ2UKCSR7ZGlyOjF9L2Jpbi92bW5l dC1kaGNwZAoJJHtkaXI6MX0vYmluL3ZtbmV0LW5hdGQKCSR7ZGlyOjF9L2Jpbi92bW5ldC1uZXRp ZnVwCgkke2RpcjoxfS9iaW4vdm1uZXQtc25pZmZlcgoJJHtkaXI6MX0vYmluL3Ztd2FyZS1sb29w Cgkke2RpcjoxfS9iaW4vdm13YXJlLXBpbmcKCSR7ZGlyOjF9L2Jpbi92bXdhcmUtdmRpc2ttYW5h Z2VyCgkke2RpcjoxfS9saWIvYmluL3Ztd2FyZQoJJHtkaXI6MX0vbGliL2Jpbi92bXdhcmUtdm14 Cgkke2RpcjoxfS9saWIvYmluL3ZtcnVuCgkke2RpcjoxfS9saWIvYmluL3ZtcGxheWVyCgkke2Rp cjoxfS9saWIvYmluLWRlYnVnL3Ztd2FyZS12bXgKCSR7ZGlyOjF9L2xpYi9saWIvbGlicGl4b3Bz LnNvLjIuMC4xL2xpYnBpeG9wcy5zby4yLjAuMSIKClFBX1RFWFRSRUxTX2FtZDY0PSIke2Rpcjox fS9saWIvbGliL2xpYmdkay14MTEtMi4wLnNvLjAvbGliZ2RrLXgxMS0yLjAuc28uMCIKUUFfRVhF Q1NUQUNLX2FtZDY0PSIke2RpcjoxfS9iaW4vdm1uZXQtYnJpZGdlCgkke2RpcjoxfS9iaW4vdm1u ZXQtZGhjcGQKCSR7ZGlyOjF9L2Jpbi92bW5ldC1uYXRkCgkke2RpcjoxfS9iaW4vdm1uZXQtbmV0 aWZ1cAoJJHtkaXI6MX0vYmluL3ZtbmV0LXNuaWZmZXIKCSR7ZGlyOjF9L2Jpbi92bXdhcmUtbG9v cAoJJHtkaXI6MX0vYmluL3Ztd2FyZS1waW5nCgkke2RpcjoxfS9iaW4vdm13YXJlLXZkaXNrbWFu YWdlcgoJJHtkaXI6MX0vbGliL2Jpbi92bXdhcmUKCSR7ZGlyOjF9L2xpYi9iaW4vdm13YXJlLXZt eAoJJHtkaXI6MX0vbGliL2Jpbi92bXJ1bgoJJHtkaXI6MX0vbGliL2Jpbi92bXBsYXllcgoJJHtk aXI6MX0vbGliL2Jpbi1kZWJ1Zy92bXdhcmUtdm14Cgkke2RpcjoxfS9saWIvbGliL2xpYnBpeG9w cy5zby4yLjAuMS9saWJwaXhvcHMuc28uMi4wLjEiCgpwa2dfbm9mZXRjaCgpIHsKCWVpbmZvICJQ bGVhc2UgZG93bmxvYWQgJHtNWV9QfS50YXIuZ3oiCgllaW5mbyAiZnJvbSAke0hPTUVQQUdFfSBh bmQgcGxhY2UgdGhlbSBpbiAke0RJU1RESVJ9Igp9CgpzcmNfaW5zdGFsbCgpIHsKCXZtd2FyZV9z cmNfaW5zdGFsbAoKCWRvaWNvbiBsaWIvc2hhcmUvcGl4bWFwcy92bXdhcmUtcGxheWVyLnBuZwoJ bWFrZV9kZXNrdG9wX2VudHJ5IHZtd2FyZSAiVk1XYXJlIFdvcmtzdGF0aW9uIiAke1BOfS5wbmcg U3lzdGVtCgltYWtlX2Rlc2t0b3BfZW50cnkgdm1wbGF5ZXIgIlZNV2FyZSBQbGF5ZXIiIHZtd2Fy ZS1wbGF5ZXIucG5nIFN5c3RlbQp9Cgpwa2dfcG9zdGluc3QoKSB7Cgl2bXdhcmVfcGtnX3Bvc3Rp bnN0Cglld2FybiAiVm13YXJlIFdvcmtzdGF0aW9uIGhhcyBpc3N1ZXMgb24gc3lzdGVtcyB3aXRo IGhhbCBpbnN0YWxsZWQgYnV0IgoJZXdhcm4gIm5vdCBydW5uaW5nLiBJZiB5b3UgZXhwZXJpZW5j ZSB0cm91YmxlIHdpdGggVk13YXJlIGxvYWRpbmcsIHRyeSIKCWV3YXJuICJzdGFydGluZyB0aGUg aGFsIGRhZW1vbi4iCn0K