Hi, we need new ebuilds for app-emulation/vmware-server-1.0.4 and app-emulation/vmware-workstation-6.0.1 older packages should then be masked AFAIK. See http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0356.html You can get the newest version here: http://www.vmware.com/download/server/ -> http://download3.vmware.com/software/vmserver/VMware-server-1.0.4-56528.tar.gz
Changed from "Applications" to "Ebuilds" because that fits better.
thanks for the report. Vmware, please bump ase necessary.
vmware-workstation-6.0.1 vmware-player-2.0.1 vmware-server-1.0.4 have all been bumped in the vmware overlay, but are not yet fully tested. Vmware-server seems to work OK, vmware-workstation is behaving itself, but requires not only the 200 Mb download to get working, but another 67 Mb because they changed the modules again, meaning we've had to revert to using their sources. How urgent a bump requirement is this? Do we have time to make sure the ebuilds aren't badly broken before they go into the main tree?
Please also note, I've got no idea what's going on with workstation 4.5 or 5.5, I don't even know if they've had security releases made by upstream...
I successfully just cp'ed app-emulation/vmware-server/vmware-server-1.0.3.44356.ebuild to vmware-server-1.0.4.56528.ebuild, did an "ebuild vmware-server-1.0.4.56528.ebuild digest" and ebuild vmware-server-1.0.4.56528.ebuild merge". It emerged without problems, vmware-config.pl worked, and I could start a guest system inside vmware. Though, I haven't checked all the files in app-emulation/vmware-server/files/general, so I don't know, if all of them are still neccessary. "Updated versions of all supported hosted products and all ESX 2x products and patches for ESX 30x address critical security updates. " -> seems to me that they don't support and/or patch the old versions anymore. >How urgent a bump requirement is this? Do we have time to make sure the >ebuilds aren't badly broken before they go into the main tree? From the advisory: "This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. (CVE-2007-4496) " Well, depending on your point of view you might regard this as worst-case scenario or not. I'd prefer to have the ebuilds properly tested, but I'm not the person to decide that. BTW: Is there documentation on ebuilds? Things like what the patches are for?
*** Bug 193203 has been marked as a duplicate of this bug. ***
The advisory says under "I. Arbitrary code execution and denial of service vulnerabilities": "VMware Workstation 5.5.4 upgrade to version 5.5.5 (Build# 56455)" I only found this on their page (where you can download 6.0.1 eval): http://www.vmware.com/download/ws/eval.html Maybe it's just an upgrade for buyers?!
(In reply to comment #3) > How urgent a bump requirement is this? Do we have time to make sure the > ebuilds aren't badly broken before they go into the main tree? There have been minor-version updates for our stable versions, so you can bump to them, too. You can go: vmware-workstation stable 5.5.4.44386 -> 5.5.5.56455 unstable 6.0.0.45731 -> 6.0.1.55017 is 4.5.3.19414 affected? vmware-player stable 1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455 unstable 2.0.0.45731 -> 2.0.1.55017 vMware-server unstable 1.0.3.44356 -> 1.0.4.56528
Status: vmware-workstation stable 5.5.4.44386 -> 5.5.5.56455 unstable 6.0.0.45731 -> 6.0.1.55017 (TESTING - IN OVERLAY) is 4.5.3.19414 affected? vmware-player stable 1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455 unstable 2.0.0.45731 -> 2.0.1.55017 (TESTING - IN OVERLAY) vmware-server unstable 1.0.3.44356 (MASKED) -> 1.0.4.56528 (FIXED - IN TREE) vmware-ESX packages Maintained by mattm, who's possibly RETIRED/AWOL given bug 143232 and bug 172556. We don't have anyone else that we know of with ESX kit to test/digest for us. I'll work on getting workstation-6 and player-2 into the main tree after a bit more testing. As to the stable ebuilds, they tend to be handled by Chris G and I'd appreciate if he could look after bumping those please? Let me know if their module numbers mismatch for any reason...
(In reply to comment #9) > vmware-ESX packages > Maintained by mattm, who's possibly RETIRED/AWOL given bug 143232 and bug > 172556. We don't have anyone else that we know of with ESX kit to test/digest > for us. None of this matters, as the only ESX packages are client-side. ESX is its own OS, so it doesn't run on Gentoo. > I'd appreciate if he could look after bumping those please? Let me know if > their module numbers mismatch for any reason... I'll get on these today.
(In reply to comment #9) > Status: > > vmware-workstation > stable 5.5.4.44386 -> 5.5.5.56455 (TESTING - IN OVERLAY) > is 4.5.3.19414 affected? No clue. I would suspect that it is affected. I can mask the package, if you like, as VMware no longer provides updates for this series. > vmware-player > stable 1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455 (TESTING - IN OVERLAY) I'm about to throw these new versions into the tree. I really need someone to check out VMware Player, since I have Workstation installed and can't install both.
Just attach the ebuild and I'll test it, I don't have layman installed and have no clue how to use it.
30 second guide to layman: emerge layman layman -a vmware vi /etc/make.conf Add in line "source /usr/portage/local/layman/make.conf" emerge vmware-player... 5;)
Sorry for the spam, I forgot to mention that failing that, the ebuild's at: http://overlays.gentoo.org/proj/vmware/browser/trunk/app-emulation/vmware-player/vmware-player-1.0.5.56455.ebuild
While waiting for a reply I figured out layman by myself which was indeed done in 30 seconds. VMware-player-1.0.5-56455 worked just fine after adding it to ~x86 keywords. I just noted a "scanelf" and the "libpng12.so.0" line (see below): [...] * checking vmware-libcrypto.so.0.9.7l.tar.bz2 ;-) ... [ ok ] >>> Unpacking source... >>> Unpacking VMware-player-1.0.5-56455.tar.gz to /var/tmp/portage/app-emulation/vmware-player-1.0.5.56455/work >>> Unpacking vmware-any-any-update113.tar.gz to /var/tmp/portage/app-emulation/vmware-player-1.0.5.56455/work * Fallback PaX marking -m scanelf: Nothing to scan !? * Applying various patches (bugfixes/updates) ... [...] It installed cleanly. and the "usual" message when runing vmplayer: /opt/vmware/player/lib/bin/vmplayer: /opt/vmware/player/lib/lib/libpng12.so.0/libpng12.so.0: no version information available (required by /usr/lib/libcairo.so.2) A guest system ran without problems. For app-emulation/vmware-player-2.0.1.55017 I also had to unmask app-emulation/vmware-modules-1.0.0.17. Both of them compiled without problems (but vmware-player spit out the same scanelf warning as mentioned above). A guest ran without problems. When starting vmplayer it says: "/usr/share/themes/Clearlooks/gtk-2.0/gtkrc:62: error: unexpected identifier `animation', expected character `}'", but everything in the GUI looks ok for me. It took some time to download, because my ISP Arcor has problems delivering the bandwith I'm paying for; and unfortunately my PC is not lightning fast. BTW: Tested with kernel 2.6.21-gentoo-r3
The sections in gtkrc look like this: It's the "animation" line vmware-player complained about. This seems to be a cosmetic error, as vmware-player works. I just wanted to give full info: style "clearlooks-default" { [...] engine "clearlooks" { #scrollbar_color = "#76acde" menubarstyle = 2 # 0 = flat, 1 = sunken, 2 = flat gradient animation = FALSE style = CLASSIC radius = 3.0 } }
OK. I bumped the vmware-workstation and vmware-player (5.5.5 and 1.0.5) versions in the tree. Thanks for testing, Craig. =]
You're welcome! Oh, and thanks to Mike for the 30-second-guide (which I didn't need anymore, but it was kind of you, thanks) :) What about the things about scanelf, gtkrc and libpng that I mentioned? Are those all just cosmetic?
Yep, those are all pretty much cosmetic. The scanelf stuff is for the selinux/pax people. The gtkrc issue seems not to affect the working of the vmware-packages, and finally the libpng stuff isn't a problem unless you have a very particular version of cairo in which case the whole thing won't start, but it affects a very few number of systems these days... Thanks for pointing them out though, it kinda means everything's working exactly the way it always has... 5;)
Arches, please test and mark stable: app-emulation/vmware-workstation-5.5.5.56455 app-emulation/vmware-player-1.0.5.56455 Targets are: "amd64 x86"
x86 stable
*** Bug 194670 has been marked as a duplicate of this bug. ***
vmware-workstation marked stable on amd64. someone else will have to do vmware-player.
I bumped to vmware-workstation-6.0.1 and vmware-player-2.0.1 in the tree (both were ~ARCH before and are still so now) a while ago, and have just now masked off workstation-6.0.0 and vmware-player-2.0.0. Just by way of summary, it appears that we're waiting for stabilization of vmware-player-1.0.5 on amd64, and then masking off the old/vulnerable stable versions of workstation and player... 5:)
OK. I marked 1.0.5 stable on amd64...
GLSA request filed.
GLSA 200711-23
Hello all, I run: [ebuild R ] app-emulation/vmware-player-1.0.6.80404 And glsa-check is still whining at me about being vulnerable to this 200711-23 GLSA. Any advice?
I just updated the GLSA to include the newer versions as unaffected. Thanks for letting us know. -- /var/www/glsamaker.gentoo.org/data/2007/11/23.xml 2007-11-18 21:03:41.000000000 +0000 +++ - 2008-04-16 14:18:02.596726000 +0000 @@ -17,11 +17,13 @@ <affected> <package name="app-emulation/vmware-workstation" auto="yes" arch="*"> <unaffected range="rge">5.5.5.56455</unaffected> + <unaffected range="rge">5.5.6.80404</unaffected> <unaffected range="ge">6.0.1.55017</unaffected> <vulnerable range="lt">6.0.1.55017</vulnerable> </package> <package name="app-emulation/vmware-player" auto="yes" arch="*"> <unaffected range="rge">1.0.5.56455</unaffected> + <unaffected range="rge">1.0.6.80404</unaffected> <unaffected range="ge">2.0.1.55017</unaffected> <vulnerable range="lt">2.0.1.55017</vulnerable> </package>
