Summary: | app-emulation/vmware-workstation | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Daniel Ahlberg (RETIRED) <aliz> |
Component: | New packages | Assignee: | Gentoo Security <security> |
Status: | RESOLVED DUPLICATE | ||
Severity: | critical | ||
Priority: | Highest | ||
Version: | 1.0 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Daniel Ahlberg (RETIRED)
2003-07-06 14:02:35 UTC
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=111 Patch not yet released. This is a per-user setting; so adding a warning to the ebuild and sending an advisory would be the best option? 4.0.1.5289 is in portage, please send a GLSA and close this This is a new vulnerability... but I figured I would add it here since this bug is not resolved... From: VMware <vmware-security-alert@vmware.com> To: bugtraq@securityfocus.com Subject: Re: VMware GSX Server 2.5.1 / Workstation 4.0 (for Linux systems) vulnerability Date: 2 Aug 2003 00:33:41 -0000 In-Reply-To: <Pine.LNX.4.55.0307231606160.25752@mail.securityfocus.com> Description ----------- The following products have a vulnerability that can allow a user of the host system to start an arbitrary program with root privileges. This was previously reported in this advisory: http://www.securityfocus.com/archive/1/330184 This notice announces an additional release that corrects this vulnerability. This release is called: - VMware Workstation 3.2.1 patch 1 Details/Impact -------------- By manipulating the VMware Workstation environment variables, a program such as a shell session with root privileges could be started when a virtual machine is launched. The user would then have full access to the host. VMware strongly urges customers Workstation (for Linux systems) to upgrade as soon as possible. Customers running any version of Workstation (for Windows operating systems) are not subject to this vulnerability. Solution -------- To correct the vulnerability in VMware Workstation 3.2, VMware released the following: - Workstation 3.2.1 patch 1 Details ----------- VMware Workstation customers, if covered under the VMware Workstation Product Upgrade Policy as described at: http://www.vmware.com/vmwarestore/pricing.html are entitled to download and install this updated version from http://www.vmware.com/vmwarestore/newstore/download.jsp?ProductCode=WKST3- LX-ESD This is available today. Upgrade instructions are at http://www.vmware.com/support/ws3/doc/upgrade_ws.html Notes ----- * VMware wishes to thank Paul Szabo of the University of Sydney for alerting us to this vulnerability. His Web page is at: http://www.maths.usyd.edu.au:8000/u/psz/ * VMware has posted a knowledge base article that describes this problem: http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1039 vmware 4.0.2 is out |