Bug 224637 - VMware Multiple vulnerabilities (CVE-2007-5671,CVE-2008-{0967,2098,2100})
Bug#: 224637
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: ASSIGNED
Severity: normal
Priority: P2
Resolution:
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://www.vmware.com/security/advisories/VMSA-2008-0008.html
Summary: VMware Multiple vulnerabilities (CVE-2007-5671,CVE-2008-{0967,2098,2100})
Keywords:
Status Whiteboard: B2 [glsa]
Opened: 2008-06-02 17:25 0000
CVE-2008-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098):
Heap-based buffer overflow in the VMware Host Guest File System (HGFS) in
VMware Workstation 6 before 6.0.4 build 93057, VMware Player 2 before 2.0.4
build 93057, VMware ACE 2 before 2.0.2 build 93057, and VMware Fusion before
1.1.2 build 87978, when folder sharing is used, allows guest OS users to
execute arbitrary code on the host OS via unspecified vectors.
We need these fixed versions:
Workstation 6.x Linux 6.0.4 build 93057
Player 2.x Linux 2.0.4 build 93057
All others (incl. stable) are not affected.
The advisory VMSA-2008-0009 says:
Workstation 6.x Linux not affected
Player 2.x Linux not affected
Ok,
vmware-player and vmware-workstation have been bumped in the overlay. I
haven't added them to the tree yet, because I'm still working out some kinks in
the new modules. For some reason, vmware decided to bump the module version
number, which creates headaches (and a new package vmware-modules-1.0.0.20) for
us. I have yet to investigate what vmware-server-1.0.6 needs, but I'll try and
work on that in the next few days.
If I get hit by a bus or people think I'm taking too long or anything, the
vmware overlay's where to look for the bumps for this bug... 5:)
*** Bug 224861 has been marked as a duplicate of this bug. ***
*** Bug 224927 has been marked as a duplicate of this bug. ***
We've got testing ebuilds for:
vmware-player-2.0.4.93057
vmware-workstation-6.0.4.93057
Sounds like we still need:
vmware-server-1.0.6.91891
vmware-player-1.0.7.91707
vmware-workstation-5.5.7.91707
Hopefully I'll get those ready this weekend...
That would be cool. Let me know, if you need someone for testing.
*** Bug 225051 has been marked as a duplicate of this bug. ***
*** Bug 225343 has been marked as a duplicate of this bug. ***
Ok,
It turns out the following were easy to bump, and are now in the vmware
overlay:
vmware-server-1.0.6.91891
vmware-player-1.0.7.91707
vmware-workstation-5.5.7.91707
They'll probably be quite easy to push into the tree, and should happen in the
next couple of days. The other two should remain in testing in the overlay for
the next week. We need as many eyes as possible testing the following versions
to ensure that the new modules are all working ok...
vmware-player-2.0.4.93057
vmware-workstation-6.0.4.93057
Thanks 5:)
sorry, but where's the overlay ?
ah...
I just discovered a new world of Gentoo....
Thanks
Thanks Mike!
Unfortunately, I can't see vmware-server-1.0.6.91891 in the vmware layout, I
sync'ed right now. Are you sure it's in there?!
Tested vmware-workstation-6.0.4.93057 and vmware-modules-1.0.0.20 on amd64 with
gentoo-sources-2.6.25-r4. Everything working as expected.
also for me,
uname -a
Linux uzzmaster 2.6.25-gentoo-r4 #1 SMP PREEMPT Thu Jun 5 01:02:02 CEST 2008 x86_64 Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz GenuineIntel GNU/Linux
uzzmaster ~ # emerge vmware-modules vmware-workstation -pv
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] app-emulation/vmware-modules-1.0.0.20 0 kB [1]
[ebuild Rf ] app-emulation/vmware-workstation-6.0.4.93057 0 kB [1]
Total: 2 packages (2 reinstalls), Size of downloads: 0 kB
Fetch Restriction: 1 package
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage
uzzmaster ~ #
Ouch. I just forgot to change the PORTAGE_OVERLAY. :(
1.0.6 works without any problems here.
Ok,
The tree now contains:
vmware-player-1.0.7.91707
vmware-player-2.0.4.93057
vmware-server-1.0.6.91891
vmware-server-console-1.0.6.91891
vmware-workstation-5.5.7.91707
vmware-workstation-6.0.4.93057
Please let me know if there are any problems or any further work needed for
this bug... 5:)
Sorry, also whilst it occurs to me, vmware-workstation-4.5.3 was published in
2005 and was the last update for the 4.5 series (it's downloadable but no
longer updated by vmware).
Given the two or three recent security bugs with vmware packages, it should
really be masked for removal due to lack of upstream support. Unfortunately, I
have the feeling there may still be people using it (because it's a pay for
product and they may not want to pay to upgrade).
So what's the recommendation for it? Mask it or not?
(In reply to comment #21)
> So what's the recommendation for it? Mask it or not?
Should have been done so long, long ago.
VMware Workstation 4.5.3.19414-r7 is already marked vulnerable by several
GLSAs, and since it is not slotted, users are therefore advised to upgrade. I
agree it should also be removed from the tree in a timely fashion, either by
just "cvs rm" or prior mask, at your choice.
As for VMware 5.5, it will reach end of life at Nov. 09 2008. We should be
prepared to have the 6.0 branch stable prior to that, so people can start
upgrading their installations rather sooner than later.
Arches, please test and mark stable:
=app-emulation/vmware-workstation-5.5.7.91707
=app-emulation/vmware-player-1.0.7.91707
=app-emulation/vmware-server-1.0.6.91891
=app-emulation/vmware-server-console-1.0.6.91891
Target keywords : "amd64 release x86"
amd64 stable for the vmware-server and vmware-server-console packages (alas - I
don't have a workstation license to test)
amd64 stable, all arches done.
Re Comment #25: Ah, sorry, but is 5.5.7.91707 really marked stable? Just
sync'd, and it is still masked ~x86. Thanks!
In ../vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:
[...]
KEYWORDS="-* amd64 ~x86"
[...]
(In reply to comment #28)
> Re Comment #25: Ah, sorry, but is 5.5.7.91707 really marked stable? Just
> sync'd, and it is still masked ~x86. Thanks!
>
> In ../vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:
>
> [...]
> KEYWORDS="-* amd64 ~x86"
> [...]
Looks like you are right, I'm seeing the same in my (up-to-date) cvs checkout.
Re-CC'ing x86, adjusting whiteboard.
$ grep KEYW vmware-workstation/vmware-workstation-5.5.7.91707.ebuild \
vmware-player/vmware-player-1.0.7.91707.ebuild \
vmware-server/vmware-server-1.0.6.91891.ebuild \
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild
vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-player/vmware-player-1.0.7.91707.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server/vmware-server-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
Don't see a ChangeLog entry either, so apparently something has gone wrong when
committing.
x86, please re-check. :)
This must have slipped me...fixed
(In reply to comment #30)
> This must have slipped me...fixed
vmware-workstation looks right now, all the other listed packages are still
~x86, at least in my cvs checkout at the time of writing this. x86 back to the
fun... =)
$ grep KEYW vmware-workstation/vmware-workstation-5.5.7.91707.ebuild \
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild \
vmware-player/vmware-player-1.0.7.91707.ebuild \
vmware-server/vmware-server-1.0.6.91891.ebuild \
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild
vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:KEYWORDS="-* amd64 x86"
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-player/vmware-player-1.0.7.91707.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server/vmware-server-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
Jesse Adelman, thanks for reporting this initially, btw. ;)
Could you please stop hassling my machine with your negative karma? You mess
up all my commits! x86 done...I hope. :)
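
The KEYWORDS check that the thread does by eye with grep, written as a script that fails when any security-bumped ebuild is not yet stable on a target arch. This is an added example, not part of the original bug thread or of Gentoo's tooling: the function names are hypothetical, the sample files are constructed from the two KEYWORDS lines quoted above, the target arches are assumed to be amd64 and x86, and KEYWORDS is assumed to sit on one line.

```shell
#!/bin/sh
# Added example, not from the bug thread. File contents below are constructed.

# keyword_state EBUILD ARCH -> prints stable | testing | disabled | missing
keyword_state() {
    ebuild=$1 arch=$2
    # First KEYWORDS="..." assignment, quotes stripped.
    kw=$(sed -n 's/^[[:space:]]*KEYWORDS="\(.*\)".*/\1/p' "$ebuild" | head -n 1)
    state=missing
    set -f    # stop the shell from glob-expanding the "-*" token
    for tok in $kw; do
        case $tok in
            "$arch")  state=stable ;;
            "~$arch") state=testing ;;
            "-$arch") state=disabled ;;
            "-*")     if [ "$state" = missing ]; then state=disabled; fi ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# unstable_targets "ARCH ..." EBUILD... -> one "file arch state" line per
# target arch that is not stable; exit status 1 if any were found.
unstable_targets() {
    targets=$1; shift
    rc=0
    for f in "$@"; do
        for a in $targets; do
            s=$(keyword_state "$f" "$a")
            if [ "$s" != stable ]; then
                printf '%s %s %s\n' "$f" "$a" "$s"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample ebuilds carrying the two KEYWORDS lines seen in the thread.
make_samples() {
    dir=$(mktemp -d)
    printf 'KEYWORDS="-* amd64 x86"\n'  > "$dir/vmware-workstation-5.5.7.91707.ebuild"
    printf 'KEYWORDS="-* amd64 ~x86"\n' > "$dir/vmware-player-1.0.7.91707.ebuild"
    printf '%s\n' "$dir"
}

d=$(make_samples)
unstable_targets "amd64 x86" "$d"/*.ebuild || echo "stabilisation incomplete"
rm -rf "$d"
```

Matching whole tokens instead of grepping for the arch name keeps `~x86` from being read as `x86`, which is the distinction the thread turns on.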