224637 2008-06-02 17:25 0000 VMware Multiple vulnerabilities (CVE-2007-5671,CVE-2008-{0967,2098,2100}) 2008-07-24 00:28:02 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux ASSIGNED http://www.vmware.com/security/advisories/VMSA-2008-0008.html B2 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org craig@gentoo.org jesse@boldandbusted.com kronenpj@kronenpj.dyndns.org micheleschi@gmail.com reillyeon@qotw.net s.hase@gmx.org vmware@gentoo.org rbu@gentoo.org 2008-06-02 17:25:11 0000 CVE-2008-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098): Heap-based buffer overflow in the VMware Host Guest File System (HGFS) in VMware Workstation 6 before 6.0.4 build 93057, VMware Player 2 before 2.0.4 build 93057, VMware ACE 2 before 2.0.2 build 93057, and VMware Fusion before 1.1.2 build 87978, when folder sharing is used, allows guest OS users to execute arbitrary code on the host OS via unspecified vectors. rbu@gentoo.org 2008-06-02 17:28:34 0000 We need these fixed versions: Workstation 6.x Linux 6.0.4 build 93057 Player 2.x Linux 2.0.4 build 93057 All others (incl. stable) are not affected. craig@gentoo.org 2008-06-04 17:23:44 0000 The advisory VMSA-2008-0009 says: Workstation 6.x Linux not affected Player 2.x Linux not affected craig@gentoo.org 2008-06-04 17:31:21 0000 Oh damn, wait, that was just one of them, sorry! Also see http://bugs.gentoo.org/show_bug.cgi?id=224861 ikelos@gentoo.org 2008-06-04 22:08:29 0000 Ok, vmware-player and vmware-workstation have been bumped in the overlay. I haven't added them to the tree yet, because I'm still working out some kinks in the new modules. For some reason, vmware decided to bump the module version number, which creates headaches (and a new package vmware-modules-1.0.0.20) for us. I have yet to investigate what vmware-server-1.0.6 needs, but I'll try and work on that in the next few days. If I get hit by a bus or people think I'm taking too long or anything, the vmware overlay's where to look for the bumps for this bug... 5:) ikelos@gentoo.org 2008-06-04 22:09:13 0000 *** Bug 224861 has been marked as a duplicate of this bug. *** rbu@gentoo.org 2008-06-05 07:22:25 0000 Mike, thanks for preparing testing ebuilds in the overlay. I hope they are recent enough to also take care of the issues mentioned here: http://www.vmware.com/security/advisories/VMSA-2008-0009.html rbu@gentoo.org 2008-06-05 07:22:39 0000 *** Bug 224927 has been marked as a duplicate of this bug. *** ikelos@gentoo.org 2008-06-05 08:22:14 0000 We've got testing ebuilds for: vmware-player-2.0.4.93057 vmware-workstation-6.0.4.93057 Sounds like we still need: vmware-server-1.0.6.91891 vmware-player-1.0.7.91707 vmware-workstation-5.5.7.91707 Hopefully I'll get those ready this weekend... craig@gentoo.org 2008-06-05 09:51:01 0000 That would be cool. Let me know, if you need someone for testing. carlo@gentoo.org 2008-06-06 01:44:02 0000 *** Bug 225051 has been marked as a duplicate of this bug. *** carlo@gentoo.org 2008-06-08 14:47:16 0000 *** Bug 225343 has been marked as a duplicate of this bug. *** ikelos@gentoo.org 2008-06-08 15:08:46 0000 Ok, It turns out the following were easy to bump, and are now in the vmware overlay: vmware-server-1.0.6.91891 vmware-player-1.0.7.91707 vmware-workstation-5.5.7.91707 They'll probably be quite easy to push into the tree, and should happen in the next couple of days. The other two should remain in testing in the overlay for the next week. We need as many eyes as possible testing the following versions to ensure that the new modules are all working ok... vmware-player-2.0.4.93057 vmware-workstation-6.0.4.93057 Thanks 5:) micheleschi@gmail.com 2008-06-08 15:15:00 0000 sorry, but where's the overlay ? ikelos@gentoo.org 2008-06-08 19:34:05 0000 You can test it out using layman (emerge layman; layman -a vmware), or you can get it manually from http://overlays.gentoo.org/proj/vmware/ Hope that helps... 5:) micheleschi@gmail.com 2008-06-08 20:05:19 0000 ah... I just discover e new world of gentoo.... Thank's craig@gentoo.org 2008-06-08 21:00:43 0000 Thanks Mike! Unfortunately, I can't see vmware-server-1.0.6.91891 in the vmware layout, I sync'ed right now. Are you sure it's in there?! reillyeon@qotw.net 2008-06-08 21:49:02 0000 Tested vmware-workstation-6.0.4.93057 and vmware-modules-1.0.0.20 on amd64 with gentoo-sources-2.6.25-r4. Everything working as expected. micheleschi@gmail.com 2008-06-08 22:08:47 0000 also for me, uname -a Linux uzzmaster 2.6.25-gentoo-r4 #1 SMP PREEMPT Thu Jun 5 01:02:02 CEST 2008 x86_64 Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz GenuineIntel GNU/Linux uzzmaster ~ # emerge vmware-modules vmware-workstation -pv These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild R ] app-emulation/vmware-modules-1.0.0.20 0 kB [1] [ebuild Rf ] app-emulation/vmware-workstation-6.0.4.93057 0 kB [1] Total: 2 packages (2 reinstalls), Size of downloads: 0 kB Fetch Restriction: 1 package Portage tree and overlays: [0] /usr/portage [1] /usr/local/portage uzzmaster ~ # craig@gentoo.org 2008-06-10 14:58:52 0000 Ouch. I just forgot to change the PORTAGE_OVERLAY. :( 1.0.6 works without any problems here. ikelos@gentoo.org 2008-06-14 23:35:46 0000 Ok, The tree now contains: vmware-player-1.0.7.91707 vmware-player-2.0.4.93057 vmware-server-1.0.6.91891 vmware-server-console-1.0.6.91891 vmware-workstation-5.5.7.91707 vmware-workstation-6.0.4.93057 Please let me know if there are any problems or any further work needed for this bug... 5:) ikelos@gentoo.org 2008-06-14 23:39:32 0000 Sorry, also whilst it occurs to me, vmware-workstation-4.5.3 was published in 2005 and was the last update for the 4.5 series (it's downloadable but no longer updated by vmware). Given the two or three recent security bugs with vmware packages, it should really be masked for removal due to lack of upstream support. Unfortunately, I have the feeling there may still be people using it (because it's a pay for product and they may not want to pay to upgrade). So what's the recommendation for it? Mask it or not? carlo@gentoo.org 2008-06-15 08:58:12 0000 (In reply to comment #21) > So what's the recommendation for it? Mask it or not? Should have been done so,long, long ago. rbu@gentoo.org 2008-06-15 09:27:39 0000 VMware Workstation 4.5.3.19414-r7 is already marked vulnerable by several GLSAs, and since it is not slotted, users are therefore advised to upgrade. I agree it should also be removed from the tree in a timely fashion, either by just "cvs rm" or prior mask, at your choice. As for VMware 5.5, it will reach end of life at Nov. 09 2008. We should be prepared to have the 6.0 branch stable prior to that, so people can start upgrading their installations rather sooner than later. rbu@gentoo.org 2008-06-15 09:52:06 0000 Arches, please test and mark stable: =app-emulation/vmware-workstation-5.5.7.91707 =app-emulation/vmware-player-1.0.7.91707 =app-emulation/vmware-server-1.0.6.91891 =app-emulation/vmware-server-console-1.0.6.91891 Target keywords : "amd64 release x86" fauli@gentoo.org 2008-06-16 21:52:28 0000 x86 stable rich0@gentoo.org 2008-06-17 23:54:49 0000 amd64 stable for the vmware-server and vmware-server-console packages (alas - I don't have a workstation license to test) maekke@gentoo.org 2008-06-22 11:43:01 0000 amd64 stable, all arches done. jesse@boldandbusted.com 2008-07-02 21:04:59 0000 Re Comment #25: Ah, sorry, but is 5.5.7.91707 really marked stable? Just sync'd, and it is still masked ~x86. Thanks! In ../vmware-workstation/vmware-workstation-5.5.7.91707.ebuild: [...] KEYWORDS="-* amd64 ~x86" [...] hoffie@gentoo.org 2008-07-02 21:31:33 0000 (In reply to comment #28) > Re Comment #25: Ah, sorry, but is 5.5.7.91707 really marked stable? Just > sync'd, and it is still masked ~x86. Thanks! > > In ../vmware-workstation/vmware-workstation-5.5.7.91707.ebuild: > > [...] > KEYWORDS="-* amd64 ~x86" > [...] Looks like you are right, I'm seeing the same in my (up-to-date) cvs checkout. Re-CC'ing x86, adjusting whiteboard. $ grep KEYW vmware-workstation/vmware-workstation-5.5.7.91707.ebuild vmware-player/vmware-player-1.0.7.91707.ebuild vmware-server/vmware-server-1.0.6.91891.ebuild vmware-server-console/vmware-server-console-1.0.6.91891.ebuild vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:KEYWORDS="-* amd64 ~x86" vmware-player/vmware-player-1.0.7.91707.ebuild:KEYWORDS="-* amd64 ~x86" vmware-server/vmware-server-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86" vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86" Don't see a ChangeLog entry either, so apparently something has gone wrong when committing. x86, please re-check. :) fauli@gentoo.org 2008-07-03 12:33:57 0000 This must have slipped me...fixed hoffie@gentoo.org 2008-07-03 13:40:53 0000 (In reply to comment #30) > This must have slipped me...fixed vmware-workstation looks right now, all the other listed packages are still ~x86, at least in my cvs checkout at the time of writing this. x86 back to the fun... =) $ grep KEYW vmware-workstation/vmware-workstation-5.5.7.91707.ebuild \ vmware-server-console/vmware-server-console-1.0.6.91891.ebuild \ vmware-player/vmware-player-1.0.7.91707.ebuild \ vmware-server/vmware-server-1.0.6.91891.ebuild \ vmware-server-console/vmware-server-console-1.0.6.91891.ebuild vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:KEYWORDS="-* amd64 x86" vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86" vmware-player/vmware-player-1.0.7.91707.ebuild:KEYWORDS="-* amd64 ~x86" vmware-server/vmware-server-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86" vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86" Jesse Adelman, thanks for reporting this initially, btw. ;) fauli@gentoo.org 2008-07-03 13:53:56 0000 Could you please stop hassling my machine with your negative karma? You mess up all my commits! x86 done...I hope. :)