Summary: | app-emulation/open-vm-tools (CVE-2009-1142, CVE-2009-1143) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | floppym, ikelos |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | ~1 [wait] CONFIDENTIAL 2009-?? | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-04-02 00:37:17 UTC
Mike, can you confirm if this is still a vulnerability that is present? Details are somewhat sparse as the bug is still not publically released and SUSE still has a restriction on their bug. Regarding CVE-2009-1142, the ChmodChownDirectory function seems to have been removed several years ago; based on the tags, all versions currently in the gentoo repo do not include it. https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 Regarding CVE-2009-1143, I still see realpath() being called, but I am not sure what race conditions might be present. https://github.com/vmware/open-vm-tools/blob/stable-10.0.7/open-vm-tools/hgfsmounter/hgfsmounter.c#L1122 Please see previous comment. This is from 2016 - Can we close this bug? This doesn't seem like an audit bug, but rather a regular securtiy@ bug. Reassigning. I'm not sure what to do here, I can't find any information on these CVEs 13 years later, MITRE only has them marked as reserved. Ping Mike? Both CVEs are public on SuSE's bugzilla. I don't see any reason to keep this bug private. https://bugzilla.suse.com/show_bug.cgi?id=474285 https://bugzilla.suse.com/show_bug.cgi?id=372070 As I mentioned in comment 2, the code relevant to CVE-2009-1142 was removed a long time ago. hgfsmounter was removed from the codebase before version 12.0.0 was tagged, which is relevant for CVE-2009-1143. https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 I have removed all versions older than 12.1.0 today. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cc24260ca8a40bb5deb8bb64ba63e24c77cc3e7 Thank you! We can probably just call this fixed due to age, and because it was ~ in 2011 so unlikely any stable versions ever existed. Would you please give me a clear answer ? which OS have affected ? How can find my Linux is vulnerable or not ? (In reply to Alex from comment #9) If you use the latest stable version available in Gentoo, you should be covered. I cannot speak about other distros. (In reply to Mike Gilbert from comment #10) > (In reply to Alex from comment #9) > > If you use the latest stable version available in Gentoo, you should be > covered. > > I cannot speak about other distros. Does this vulnerability just on Gentoo ? Because we have other distro such as ubuntu that are using open-vm-tools No, it is not Gentoo specific. Per the above comments, it's unlikely that it affects newer versions. Please contact the vendor if you have questions, we can't help with other distros. |