Quoting from the vmware advisory: 1. Summary VMware Hosted products and patches for ESX and ESXi resolve multiple security issues. A flaw in the CPU hardware emulation may allow for a privilege escalation on virtual machine guest operating systems. In addition a directory traversal issue is resolved. We have: app-emulation/vmware-server-1.0.7 app-emulation/vmware-workstation-5.5.8 app-emulation/vmware-workstation-6.0.5 app-emulation/vmware-player-1.0.8 app-emulation/vmware-player-2.0.5
Ok, now in the tree are: app-emulation/vmware-player-1.0.9.126128 app-emulation/vmware-player-2.5.0.118166 app-emulation/vmware-workstation-5.5.9.126128 app-emulation/vmware-workstation-6.5.0.118166 app-emulation/vmware-server-1.0.8.126538 app-emulation/vmware-server-console-1.0.8.126538 Ready for testing/stabilization/masking as necessary...
Arches, please test and stabilize: =app-emulation/vmware-player-1.0.9.126128 =app-emulation/vmware-workstation-5.5.9.126128 =app-emulation/vmware-server-1.0.8.126538 =app-emulation/vmware-server-console-1.0.8.126538 Target keywords: amd64 x86
*PING*
this version (at least of the player) wants app-emulation/vmware-modules-1.0.0.15-r1, which won't build with with 2.6.26 kernels...
*** Bug 249632 has been marked as a duplicate of this bug. ***
Echoing comment #4 for vmware-server as well, amd64...pulling in app-emulation/vmware-modules-1.0.0.15-r1 which doesn't compile on 2.6.26.
This also resolves VMSA-2008-0019 / CVE-2008-4917.
CVE-2008-4917 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4917): Unspecified vulnerability in VMware Workstation 5.5.8 and earlier, and 6.0.5 and earlier 6.x versions; VMware Player 1.0.8 and earlier, and 2.0.5 and earlier 2.x versions; VMware Server 1.0.9 and earlier; VMware ESXi 3.5; and VMware ESX 3.0.2 through 3.5 allows guest OS users to have an unknown impact by sending the virtual hardware a request that triggers an arbitrary physical-memory write operation, leading to memory corruption.
gentoo-sources-2.6.27-r7 is now stable on amd64 and x86. Please test and report.
I've now wrestled with vmware-modules-1.0.0.15 and -r2 should work with the latest (2.6.28) kernel and older, so please have a go at restabilizing these... Also, we've had vmware-workstation-6.5.1.126130 and vmware-player-2.5.1.126130 builds in the tree for a while now (although be aware of bug 254148).
amd64/x86 should all be done...
Thanks Markus, but it looks like you stabled the old versions (from bug 236167) rather than this one. Sorry, but we could do with the following stabilized please: vmware-modules-1.0.0.15-r2 (done) vmware-modules-1.0.0.23 vmware-player-1.0.9.126128 vmware-player-2.5.1.126130 vmware-workstation-5.5.9.126128 vmware-workstation-6.5.1.126130 vmware-server-1.0.8.126538 vmware-server-console-1.0.8.126538 Sorry about that... 5:(
(In reply to comment #12) > Thanks Markus, but it looks like you stabled the old versions (from bug 236167) > rather than this one. Sorry, but we could do with the following stabilized > please: > > vmware-modules-1.0.0.15-r2 (done) > vmware-modules-1.0.0.23 > vmware-player-1.0.9.126128 > vmware-player-2.5.1.126130 > vmware-workstation-5.5.9.126128 > vmware-workstation-6.5.1.126130 > vmware-server-1.0.8.126538 > vmware-server-console-1.0.8.126538 > > Sorry about that... 5:( should all be done now.
GLSA together with 224637,245941,213548
CVE-2008-4916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4916): Unspecified vulnerability in a guest virtual device driver in VMware Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1 and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538 and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to cause a denial of service (host OS crash) via unknown vectors.
@security: and what's the status here?
A GLSA still needs to be written. As the security team is short-handed, and the backlog queue is large, this has not happened yet.
This issue was resolved and addressed in GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml by GLSA coordinator Sean Amoss (ackle).