Bug 626432 (CVE-2015-5191, VMSA-2017-0013) - <app-emulation/open-vm-tools-10.1.10: local privilege escalation
Summary: <app-emulation/open-vm-tools-10.1.10: local privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2015-5191, VMSA-2017-0013
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2017/q3/209
Whiteboard: ~3 [noglsa cve]
Reported: 2017-07-28 12:37 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-08-08 17:18 UTC

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-28 12:37:54 UTC
From URL:

Open VMware Tools (CVE-2015-5191) contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp.
Successful exploitation may result in a local privilege escalation. The impact of this vulnerability is low for distributions which have enabled PrivateTmp for the affected service.

Fixes/References
--------------
9.10.x - https://github.com/vmware/open-vm-tools/commit/c1304ce8bfd9c0c33999e496bf7049d5c3d45821
10.0.x - https://github.com/vmware/open-vm-tools/commit/b3068b04880eda4ca3e13f2d34fb8ce336ad1a4f
10.1.x - https://github.com/vmware/open-vm-tools/commit/22e58289f71232310d30cf162b83b5151a937bac
Comment 1 D'juan McDonald (domhnall) 2017-08-08 16:49:08 UTC
Upstream: https://www.vmware.com/security/advisories/VMSA-2017-0013.html
Comment 2 Mike Gilbert gentoo-dev 2017-08-08 17:02:41 UTC
open-vm-tools-10.1.10 has been added to the gentoo repo, and all previous versions have been removed.

This package has no stable keywords.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-08 17:18:52 UTC
(In reply to Mike Gilbert from comment #2)
> open-vm-tools-10.1.10 has been added to the gentoo repo, and all previous
> versions have been removed.
> 
> This package has no stable keywords.

Thanks, CVE assigned, noglsa, closing