Summary: | <app-emulation/vmware-{workstation,player}-*.5.2.156735, <app-emulation/vmware-server-1.0.9-156507: Execution of arbitrary code (CVE-2009-{0909,0910,1244}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | gengor, jaak, vmware+disabled |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.vmware.com/security/advisories/ | | |
Whiteboard: | B2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 264948 | | |
Bug Blocks: | | | |
Description
Alex Legler (RETIRED)
Ok, the necessary ebuilds are now in the tree (vmware-server is only up to 1.0.8 in the tree. 2.0.0 existed in the vmware overlay, but has been updated to 2.0.1 there). Over to you guys...

(In reply to comment #1)
> Over to you guys...

*passes the ball again*

Arches, please test and mark stable:
=app-emulation/vmware-workstation-6.5.2.156735
=app-emulation/vmware-player-2.5.2.156735
Target keywords : "amd64 x86"

CVE-2009-1244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1244): Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.

Mike, the in-tree vmware-server is vulnerable to that third new issue. Please bump to "1.0.9 build 156507 or later".
Reference: http://www.vmware.com/security/advisories/VMSA-2009-0006.html

Yep, I spotted it, and I've got versions ready to get tested in the overlay, but I need to sort out the modules first (since the ones we're using don't compile under the latest kernel and hopefully the ones that come with 1.0.9 will). I estimate I should have something workable in the overlay if not the tree by the weekend. I'll keep you updated, but please don't let it hold back the workstation bits and pieces...

(In reply to comment #2)
> =app-emulation/vmware-workstation-6.5.2.156735

I cannot download that version from the VMWare pages... the only version available for me is 2.5.1. For the player I need a KVM-disabled kernel. After the next reboot...

Do you mean 2.5.2 rather than 2.5.1?

(In reply to comment #7)
> Do you mean 2.5.2 rather than 2.5.1?

Sorry, I meant: Version 6.5.1 | 126130

Try http://www.vmware.com/download/download.do?downloadGroup=WKST-652-LX, which should be the top link from http://www.vmware.com/download/ws/...

-workstation and -player stable on x86

*** Bug 269163 has been marked as a duplicate of this bug. ***

Ok, Gengor very kindly tested out vmware-server-1.0.9 for me, and says it works with the existing modules, so I've committed it (and vmware-server-console-1.0.9) to the tree. I moved vmware-server-2 in at the same time, since it's been sitting around for too long. Please only bother stabilizing 1.0.9; 2.0.1 needs much more time to work out the kinks...

*Ping to arches*

x86 stable

amd64 stable, all arches done.

GLSA together with all the other bugs...

amd64 ping, you missed vmware-server-1.0.9-156507.

amd64 stable, all arches done.

Thanks everyone, this will be added to an already pending GLSA.

There is no <app-emulation/vmware-workstation-5.5.9.126128 nor <app-emulation/vmware-server-1.0.9.156507 in portage any more. I'm not sure about vmware-player.

This issue was resolved and addressed in GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml by GLSA coordinator Sean Amoss (ackle).