Bug 224637

Summary: VMware Multiple vulnerabilities (CVE-2007-5671,CVE-2008-{0967,2098,2100})
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: craig, jesse, kronenpj, micheleschi, reillyeon, s.hase, vmware+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.vmware.com/security/advisories/VMSA-2008-0008.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-02 17:25:11 UTC
CVE-2008-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098):
  Heap-based buffer overflow in the VMware Host Guest File System (HGFS) in
  VMware Workstation 6 before 6.0.4 build 93057, VMware Player 2 before 2.0.4
  build 93057, VMware ACE 2 before 2.0.2 build 93057, and VMware Fusion before
  1.1.2 build 87978, when folder sharing is used, allows guest OS users to
  execute arbitrary code on the host OS via unspecified vectors.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-06-02 17:28:34 UTC
We need these fixed versions:
Workstation 6.x Linux 6.0.4 build 93057
Player 2.x Linux 2.0.4 build 93057

All others (incl. stable) are not affected.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-06-04 17:23:44 UTC
The advisory VMSA-2008-0009 says:
Workstation   6.x       Linux    not affected
Player        2.x       Linux    not affected
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-06-04 17:31:21 UTC
Oh damn, wait, that was just one of them, sorry!
Also see http://bugs.gentoo.org/show_bug.cgi?id=224861
Comment 4 Mike Auty (RETIRED) gentoo-dev 2008-06-04 22:08:29 UTC
Ok,

vmware-player and vmware-workstation have been bumped in the overlay.  I haven't added them to the tree yet, because I'm still working out some kinks in the new modules.  For some reason, vmware decided to bump the module version number, which creates headaches (and a new package vmware-modules-1.0.0.20) for us.  I have yet to investigate what vmware-server-1.0.6 needs, but I'll try and work on that in the next few days.

If I get hit by a bus or people think I'm taking too long or anything, the vmware overlay's where to look for the bumps for this bug...  5:)
Comment 5 Mike Auty (RETIRED) gentoo-dev 2008-06-04 22:09:13 UTC
*** Bug 224861 has been marked as a duplicate of this bug. ***
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-06-05 07:22:25 UTC
Mike, thanks for preparing testing ebuilds in the overlay. I hope they are recent enough to also take care of the issues mentioned here:
http://www.vmware.com/security/advisories/VMSA-2008-0009.html
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-06-05 07:22:39 UTC
*** Bug 224927 has been marked as a duplicate of this bug. ***
Comment 8 Mike Auty (RETIRED) gentoo-dev 2008-06-05 08:22:14 UTC
We've got testing ebuilds for:

vmware-player-2.0.4.93057
vmware-workstation-6.0.4.93057

Sounds like we still need:

vmware-server-1.0.6.91891
vmware-player-1.0.7.91707
vmware-workstation-5.5.7.91707

Hopefully I'll get those ready this weekend...
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-06-05 09:51:01 UTC
That would be cool. Let me know, if you need someone for testing.
Comment 10 Carsten Lohrke (RETIRED) gentoo-dev 2008-06-06 01:44:02 UTC
*** Bug 225051 has been marked as a duplicate of this bug. ***
Comment 11 Carsten Lohrke (RETIRED) gentoo-dev 2008-06-08 14:47:16 UTC
*** Bug 225343 has been marked as a duplicate of this bug. ***
Comment 12 Mike Auty (RETIRED) gentoo-dev 2008-06-08 15:08:46 UTC
Ok,

It turns out the following were easy to bump, and are now in the vmware overlay:

vmware-server-1.0.6.91891
vmware-player-1.0.7.91707
vmware-workstation-5.5.7.91707

They'll probably be quite easy to push into the tree, and should happen in the next couple of days.  The other two should remain in testing in the overlay for the next week.  We need as many eyes as possible testing the following versions to ensure that the new modules are all working ok...

vmware-player-2.0.4.93057
vmware-workstation-6.0.4.93057

Thanks  5:)
Comment 13 Michele Schiavo 2008-06-08 15:15:00 UTC
Sorry, but where's the overlay?
Comment 14 Mike Auty (RETIRED) gentoo-dev 2008-06-08 19:34:05 UTC
You can test it out using layman (emerge layman; layman -a vmware), or you can get it manually from http://overlays.gentoo.org/proj/vmware/

Hope that helps...  5:)  
Comment 15 Michele Schiavo 2008-06-08 20:05:19 UTC
ah...

I just discovered a new world of gentoo....

Thanks
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2008-06-08 21:00:43 UTC
Thanks Mike!
Unfortunately, I can't see vmware-server-1.0.6.91891 in the vmware layout, I sync'ed right now. Are you sure it's in there?!
Comment 17 Reilly Grant 2008-06-08 21:49:02 UTC
Tested vmware-workstation-6.0.4.93057 and vmware-modules-1.0.0.20 on amd64 with gentoo-sources-2.6.25-r4.  Everything working as expected.
Comment 18 Michele Schiavo 2008-06-08 22:08:47 UTC
also for me, 

uname -a
Linux uzzmaster 2.6.25-gentoo-r4 #1 SMP PREEMPT Thu Jun 5 01:02:02 CEST 2008 x86_64 Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz GenuineIntel GNU/Linux
uzzmaster ~ # emerge vmware-modules vmware-workstation -pv

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] app-emulation/vmware-modules-1.0.0.20  0 kB [1]
[ebuild   Rf  ] app-emulation/vmware-workstation-6.0.4.93057  0 kB [1]

Total: 2 packages (2 reinstalls), Size of downloads: 0 kB
Fetch Restriction: 1 package
Portage tree and overlays:
 [0] /usr/portage
 [1] /usr/local/portage
uzzmaster ~ # 
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2008-06-10 14:58:52 UTC
Ouch. I just forgot to change the PORTAGE_OVERLAY. :(
1.0.6 works without any problems here.
Comment 20 Mike Auty (RETIRED) gentoo-dev 2008-06-14 23:35:46 UTC
Ok,

The tree now contains:

vmware-player-1.0.7.91707
vmware-player-2.0.4.93057
vmware-server-1.0.6.91891
vmware-server-console-1.0.6.91891
vmware-workstation-5.5.7.91707
vmware-workstation-6.0.4.93057

Please let me know if there are any problems or any further work needed for this bug...  5:)
Comment 21 Mike Auty (RETIRED) gentoo-dev 2008-06-14 23:39:32 UTC
Sorry, also whilst it occurs to me, vmware-workstation-4.5.3 was published in 2005 and was the last update for the 4.5 series (it's downloadable but no longer updated by vmware).

Given the two or three recent security bugs with vmware packages, it should really be masked for removal due to lack of upstream support.  Unfortunately, I have the feeling there may still be people using it (because it's a pay for product and they may not want to pay to upgrade).

So what's the recommendation for it?  Mask it or not?
Comment 22 Carsten Lohrke (RETIRED) gentoo-dev 2008-06-15 08:58:12 UTC
(In reply to comment #21)
> So what's the recommendation for it?  Mask it or not?

Should have been done so, long, long ago.
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2008-06-15 09:27:39 UTC
VMware Workstation 4.5.3.19414-r7 is already marked vulnerable by several GLSAs, and since it is not slotted, users are therefore advised to upgrade. I agree it should also be removed from the tree in a timely fashion, either by just "cvs rm" or prior mask, at your choice.

As for VMware 5.5, it will reach end of life on Nov. 09 2008. We should be prepared to have the 6.0 branch stable prior to that, so people can start upgrading their installations rather sooner than later.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-06-15 09:52:06 UTC
Arches, please test and mark stable:
=app-emulation/vmware-workstation-5.5.7.91707
=app-emulation/vmware-player-1.0.7.91707
=app-emulation/vmware-server-1.0.6.91891
=app-emulation/vmware-server-console-1.0.6.91891

Target keywords : "amd64 release x86"
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-16 21:52:28 UTC
x86 stable
Comment 26 Richard Freeman gentoo-dev 2008-06-17 23:54:49 UTC
amd64 stable for the vmware-server and vmware-server-console packages (alas - I don't have a workstation license to test)
Comment 27 Markus Meier gentoo-dev 2008-06-22 11:43:01 UTC
amd64 stable, all arches done.
Comment 28 Jesse Adelman 2008-07-02 21:04:59 UTC
Re Comment #25: Ah, sorry, but is 5.5.7.91707 really marked stable? Just sync'd, and it is still masked ~x86. Thanks!

In ../vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:

[...]
KEYWORDS="-* amd64 ~x86"
[...]
Comment 29 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-02 21:31:33 UTC
(In reply to comment #28)
> Re Comment #25: Ah, sorry, but is 5.5.7.91707 really marked stable? Just
> sync'd, and it is still masked ~x86. Thanks!
> 
> In ../vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:
> 
> [...]
> KEYWORDS="-* amd64 ~x86"
> [...]
Looks like you are right, I'm seeing the same in my (up-to-date) cvs checkout. Re-CC'ing x86, adjusting whiteboard.

$ grep KEYW vmware-workstation/vmware-workstation-5.5.7.91707.ebuild vmware-player/vmware-player-1.0.7.91707.ebuild vmware-server/vmware-server-1.0.6.91891.ebuild vmware-server-console/vmware-server-console-1.0.6.91891.ebuild 
vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-player/vmware-player-1.0.7.91707.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server/vmware-server-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"

Don't see a ChangeLog entry either, so apparently something has gone wrong when committing.

x86, please re-check. :)
Comment 30 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-03 12:33:57 UTC
This must have slipped me...fixed
Comment 31 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-03 13:40:53 UTC
(In reply to comment #30)
> This must have slipped me...fixed
vmware-workstation looks right now, all the other listed packages are still ~x86, at least in my cvs checkout at the time of writing this. x86 back to the fun... =)

$ grep KEYW vmware-workstation/vmware-workstation-5.5.7.91707.ebuild \
    vmware-server-console/vmware-server-console-1.0.6.91891.ebuild \
    vmware-player/vmware-player-1.0.7.91707.ebuild \
    vmware-server/vmware-server-1.0.6.91891.ebuild \
    vmware-server-console/vmware-server-console-1.0.6.91891.ebuild
vmware-workstation/vmware-workstation-5.5.7.91707.ebuild:KEYWORDS="-* amd64 x86"
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-player/vmware-player-1.0.7.91707.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server/vmware-server-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"
vmware-server-console/vmware-server-console-1.0.6.91891.ebuild:KEYWORDS="-* amd64 ~x86"

Jesse Adelman, thanks for reporting this initially, btw. ;)
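
Added example (not part of the original thread and not Gentoo's own tooling): a shell check for the gap found in comments 28 to 31, where stabilisation was announced but the fixed ebuilds still carried ~x86. The function names and the temporary sample tree are assumptions made for illustration; the KEYWORDS values are the ones quoted in comment 31.

```shell
#!/bin/sh
# Added example: confirm that security-fix ebuilds carry a stable keyword.

# keyword_state ARCH EBUILD -> stable | testing | disabled | unlisted
keyword_state() (
    set -f    # KEYWORDS holds "-*"; keep the shell from globbing it
    arch=$1
    kw=$(sed -n 's/^KEYWORDS="\(.*\)".*$/\1/p' "$2" | tail -n 1)
    state=unlisted
    for tok in $kw; do
        case $tok in
            "$arch")  state=stable ;;    # e.g. x86
            "~$arch") state=testing ;;   # e.g. ~x86: still in testing
            "-$arch") state=disabled ;;  # e.g. -x86
        esac
    done
    printf '%s\n' "$state"
)

# not_stable "ARCH ..." EBUILD... -> one "ebuild arch state" line per gap
not_stable() {
    arches=$1; shift
    for f in "$@"; do
        for a in $arches; do
            s=$(keyword_state "$a" "$f")
            [ "$s" = stable ] || printf '%s %s %s\n' "${f##*/}" "$a" "$s"
        done
    done
}

# Constructed sample tree: KEYWORDS values as in the grep output of comment 31.
demo_tree() {
    d=$(mktemp -d)
    printf 'KEYWORDS="-* amd64 x86"\n' > "$d/vmware-workstation-5.5.7.91707.ebuild"
    for p in vmware-player-1.0.7.91707 vmware-server-1.0.6.91891 \
             vmware-server-console-1.0.6.91891; do
        printf 'KEYWORDS="-* amd64 ~x86"\n' > "$d/$p.ebuild"
    done
    printf '%s\n' "$d"
}

tree=$(demo_tree)
not_stable "amd64 x86" "$tree"/*.ebuild   # lists the three packages still ~x86
rm -rf "$tree"
```

Run against a real checkout by passing the target keywords from the stabilisation request and the ebuild paths; empty output means every listed ebuild is stable on every target arch.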
Comment 32 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-03 13:53:56 UTC
Could you please stop hassling my machine with your negative karma?  You mess
up all my commits!  x86 done...I hope. :)
Comment 33 Andreas K. Hüttel archtester gentoo-dev 2010-07-14 21:03:25 UTC
@security- another one open since 2008 (with "all arches done")
Comment 34 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:43:23 UTC
A glsa request was already filed.
Comment 35 GLSAMaker/CVETool Bot gentoo-dev 2012-09-29 16:26:14 UTC
This issue was resolved and addressed in
 GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml
by GLSA coordinator Sean Amoss (ackle).