
Bug 663670

Summary: [stefantalpalaru overlay] app-emulation/vmware-workstation-14.1.5 version bump ["stable" only, excluding "~amd64"]
Product: Gentoo Linux Reporter: Manfred Knick <Manfred.Knick>
Component: Current packages Assignee: Ștefan Talpalaru <stefantalpalaru>
Status: RESOLVED OBSOLETE    
Severity: normal CC: cam, gentoo, mgorny, orodruinlair, phmagic, realnc, stefantalpalaru
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Manfred Knick 2018-08-15 12:52:30 UTC
[Security-announce] VMSA-2018-0020 VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

[Security-announce] New VMSA-2018-0022 - VMware Workstation and Fusion updates address an out-of-bounds write issue

Both require update of  

     Workstation  14.x    Any    Critical     14.1.3

to
     VMware-Workstation-Full-14.1.3-9474260.x86_64.bundle

VMware Workstation 14.1.3 Pro Release Notes:
https://docs.vmware.com/en/VMware-Workstation-Pro/14/rn/workstation-1413-release-notes.html

Predecessor:  Bug 644946
              ... vmware-workstation-14.1.2 version bump ...
Comment 1 Manfred Knick 2018-08-15 13:38:53 UTC
New ebuild names:

     vmware-workstation-14.1.3.9474260.ebuild

     vmware-modules-329.1.3.ebuild


VMWARE_FUSION_VER="10.1.3_9472307" :

VMware Fusion 10.1.3 Release Notes:
https://docs.vmware.com/en/VMware-Fusion/10/rn/fusion-1013-release-notes.html?src=vmw_so_vex_akjaer_1025


vmware-tools: atm, still pointing (link) to former 10.2.5-8068393 :

http://softwareupdate.vmware.com/cds/vmw-desktop/

http://softwareupdate.vmware.com/cds/vmw-desktop/ws/14.1.3/9474260/linux/packages/vmware-tools-linux-10.2.5-8068393.x86_64.component.tar
Comment 2 Manfred Knick 2018-08-15 13:46:05 UTC
(In reply to Manfred Knick from comment #0)
> Predecessor:  Bug 644946
>               ... vmware-workstation-14.1.2 version bump ...

ATM, I'm successfully running 
[IP-] [  ] sys-kernel/gentoo-sources-4.17.14:4.17.14
together with 
[IP-] [  ] sys-firmware/nvidia-firmware-340.32:0
[IP-] [  ] x11-drivers/nvidia-drivers-396.51:0/396


http://rglinuxtech.com/?p=2381 :

"Kernel – 4.18 Finally Released – OK with latest NVIDIA, and Patched VMware"

   As expected, after changes in -rc7, 
   the latest NVIDIA and (patched) VMware all compile/load OK..    
   Tested with VMware 14.1.2 with the vmmon patch,
   and NVIDIA 390.77 and 396.51.
"
Comment 3 Manfred Knick 2018-08-15 13:56:41 UTC
(In reply to Manfred Knick from comment #2)

>    Tested with VMware 14.1.2 with the vmmon patch,

http://rglinuxtech.com/?p=2322

pointing to

https://github.com/mkubecek/vmware-host-modules/commit/3f2a6c720f68 :

 vmmon: compatibility with eventpoll switch to poll_mask()

Since commit 11c5ad0ec441 ("eventpoll: switch to ->poll_mask") in
v4.18-rc1, eventpoll switched from ->poll() to ->poll_mask(). Rather than
calling the callback directly (which would result in null pointer
dereference), use vfs_poll() wrapper. As this wrapper is only available
since 4.18-rc1 cycle as well, provide a copy to use when building against
older kernels.
Comment 4 Manfred Knick 2018-08-15 14:04:32 UTC
Arch Linux User Repository:

  Package Details: vmware-workstation 14.1.3-1

     https://aur.archlinux.org/packages/vmware-workstation/
Comment 6 Ștefan Talpalaru 2018-08-15 15:44:00 UTC
app-emulation/vmware-workstation-14.1.3.9474260 and app-emulation/vmware-modules-329.1.3 are available in my overlay: https://github.com/stefantalpalaru/gentoo-overlay
Comment 7 Manfred Knick 2018-08-15 17:51:56 UTC
(In reply to Ștefan Talpalaru from comment #6)

CONFIRMATION:  quick test -->  WORKSFORME

Thanks to Stefan for a very quick update!
Comment 8 Fabio Rossi 2018-08-17 11:46:51 UTC
(In reply to Manfred Knick from comment #3)
> (In reply to Manfred Knick from comment #2)
> 
> >    Tested with VMware 14.1.2 with the vmmon patch,
> 
> http://rglinuxtech.com/?p=2322
> 
> pointing to
> 
> https://github.com/mkubecek/vmware-host-modules/commit/3f2a6c720f68 :
> 
>  vmmon: compatibility with eventpoll switch to poll_mask()
> 
> Since commit 11c5ad0ec441 ("eventpoll: switch to ->poll_mask") in
> v4.18-rc1, eventpoll switched from ->poll() to ->poll_mask(). Rather than
> calling the callback directly (which would result in null pointer
> dereference), use vfs_poll() wrapper. As this wrapper is only available
> since 4.18-rc1 cycle as well, provide a copy to use when building against
> older kernels.

Thanks to mkubecek for pointing out the problem! I just wanna say that the patch will probably be needed with stable 4.19, because with current 4.18.0 the offending kernel commit is not included yet.
Comment 9 Manfred Knick 2018-09-07 07:20:48 UTC
-------- Forwarded Message --------

Subject: [Security-announce] Updated VMSA-2018-0017.3 - VMware Tools update addresses an out-of-bounds read vulnerability
Date: Fri, 7 Sep 2018 01:20:27 +0000
From: VMware Security Announcements <security-announce@lists.vmware.com>
Reply-To: security@vmware.com
To: security-announce@vmware.com <security-announce@vmware.com>

VMSA-2018-0017.3 2018-09-06
VMware Tools 10.3.0 is discontinued because of a
functional issue with 10.3.0 in ESXi 6.5, please refer
to KB55796 for more information.

_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
https://lists.vmware.com/mailman/listinfo/security-announce
Comment 10 Manfred Knick 2018-09-07 19:43:57 UTC
Correct KB article:

   [ https://kb.vmware.com/s/article/57796 ]

ONLY vSphere ESXi 6.5 hosts are affected;
not our vmware-workstation ebuild.
Comment 11 Manfred Knick 2018-09-13 10:10:46 UTC
(In reply to Manfred Knick from comment #10)
>    [ https://kb.vmware.com/s/article/57796 ]
UPDATE:

   "... VMware recommends upgrading to VMware Tools 10.3.2 ..."   <--- !

   "VMware Tools 10.3.2 is available from the VMware Downloads page."

pointing to

   Download VMware Tools 10.3.2

   Release Date 	2018-09-12

https://my.vmware.com/de/web/vmware/details?downloadGroup=VMTOOLS1032&productId=742


   VMware Tools 10.3.2 Release Notes

   Last updated 12.09.2018

https://docs.vmware.com/en/VMware-Tools/10.3/rn/vmware-tools-1032-release-notes.html


This contains the following REMINDER for FreeBSD:

    Compatibility Notes

    Starting with VMware Tools version 10.2.0, Perl script-based VMware Tools installation for FreeBSD has been discontinued. FreeBSD systems are supported only through the open-vm-tools packages directly available from FreeBSD package repositories. FreeBSD packages for open-vm-tools 10.1.0 and later are available from FreeBSD package repositories.

@ Stefan:

   In future versions, please, invalidate USE="vmware-tools-freebsd".
   Thanks in advance!


CONFIRMATION:

   After applying M$ September updates        and
   installing Tools from downloaded / mounted ISO,
   first tests with { 7 | 8.1 | 10 (17134–1803) } succeeded.
Comment 12 Cameron 2018-10-02 20:32:46 UTC
(In reply to Ștefan Talpalaru from comment #6)
> app-emulation/vmware-workstation-14.1.3.9474260 and
> app-emulation/vmware-modules-329.1.3 are available in my overlay:
> https://github.com/stefantalpalaru/gentoo-overlay

FYI your ebuilds work out of the box for me for:
VMware-Workstation-Full-15.0.0-10134415.x86_64.bundle
Thanks!
Comment 13 Ștefan Talpalaru 2018-10-02 22:02:51 UTC
Thanks for the heads-up, Cameron. vmware-workstation-15.0.0.10134415 and vmware-modules-330.0.0 are now available in my overlay.

Manfred, I removed the FreeBSD guest tools.
Comment 14 Manfred Knick 2018-11-15 19:08:47 UTC
VMware Security Advisory

Advisory ID: VMSA-2018-0027
Severity:    Critical
Synopsis:    VMware ESXi, Workstation, and Fusion updates address
             uninitialized stack memory usage
Issue date:  2018-11-09
Updated on:  2018-11-09 (Initial Advisory)
CVE number:  CVE-2018-6981, CVE-2018-6982

::  Workstation 14.x    Any    Critical     14.1.4


@ Stefan:

14.x Licenses keep being valid until     2019 / 03 / 26 .

Could you please consider re-providing   vmware-workstation-14.1.4
as well as                               vmware-modules-329.1.4
in your overlay until then?

Thanks
Kind regards
Manfred
Comment 15 Manfred Knick 2018-11-15 19:11:33 UTC
(In reply to Cameron from comment #12)

(In reply to Ștefan Talpalaru from comment #13)

   |-->   Bug 671218 - [vmware overlay] 
          app-emulation/vmware-workstation-15.0 version bump
Comment 16 Manfred Knick 2018-11-15 20:36:17 UTC
# /usr/portage/profiles/package.mask:
# Pacho Ramos <pacho@gentoo.org> (11 Nov 2018)
# Dead for years (#425156) with security issues (#534540).
# Removal in a month.
=x11-libs/gksu-2.0.2-r2
=x11-libs/libgksu-2.0.12-r4

Bug 425156 - x11-libs/gksu: 
             replace with pkexec in application launchers

Bug 534540 - x11-libs/gksu: 
             Improper sanitization of user-supplied input (CVE-2014-2886)

References of 'gksu' in vmware-workstation-14.1.3.9474260.ebuild :

  line 196:
    RDEPEND  x11-libs/gksu

  line 462 ff: esp. 464
    # create symlinks for the various tools

  line 471 ff: esp. 475
    # fix permissions

  line 504 ff: esp. 510
    /etc/vmware/config

@ Stefan:

I get the impression that only elements provided by the package itself
are being used:

   # cd /opt/vmware  &&  ls -h -AlgR | grep gksu

          vmware-gksu
          gksu-run-helper
          libvmware-gksu.so

Removing the RDEPEND_ency in the ebuild,          <----------
un-merging both gksu and libgksu,

   - workstation still starts and works VMs;

   - Edit -> Virtual Network Editor        as well as
   - Help -> Enter Serial number
   ask for root password and open up correctly.
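
The two checks from comment 16 (which masked packages an ebuild still names, and which same-named files the package ships itself), as an added shell example that is not part of the thread or of the overlay. The function names `masked_deps` and `bundled_copies` and all sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ebuild against package.mask before dropping a dependency.

# masked_deps MASKFILE EBUILD: print "LINE: category/name" for every
# non-comment ebuild line that names a package masked in MASKFILE.
masked_deps() {
    awk '
        NR == FNR {                                # pass 1: package.mask
            if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next
            atom = $1
            sub("^[<>=~!]+", "", atom)             # drop version operator
            sub(":.*$", "", atom)                  # drop slot
            sub("-[0-9][^/]*$", "", atom)          # drop version and revision
            masked[atom] = 1
            next
        }
        /^[ \t]*#/ { next }                        # pass 2: skip ebuild comment lines
        {
            n = split($0, tok, "[^A-Za-z0-9_+./-]+")
            for (i = 1; i <= n; i++) {
                t = tok[i]
                sub("-[0-9][^/]*$", "", t)         # tolerate versioned atoms
                if (t in masked) print FNR ": " t
            }
        }
    ' "$1" "$2"
}

# bundled_copies DIR NAME: list files under DIR whose name contains NAME,
# i.e. what the package installs itself rather than pulls in as a dependency.
bundled_copies() {
    find "$1" -type f -name "*$2*" | sort
}

# Demo on constructed inputs (not the real ebuild or a real install tree).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Dead for years (#425156) with security issues (#534540).' \
        '=x11-libs/gksu-2.0.2-r2' '=x11-libs/libgksu-2.0.12-r4' > "$d/package.mask"
    printf 'RDEPEND="\n\tdev-libs/glib:2\n\tx11-libs/gksu\n"\n' > "$d/sample.ebuild"
    mkdir -p "$d/tree"
    : > "$d/tree/vmware-gksu"; : > "$d/tree/libvmware-gksu.so"
    masked_deps "$d/package.mask" "$d/sample.ebuild"
    bundled_copies "$d/tree" gksu | sed "s|^$d/||"
    rm -rf "$d"
}
demo
```

A name match only shows that a bundled copy exists; whether a shipped binary still links against the system library can be read from its DT_NEEDED entries, for example with `scanelf -n` from app-misc/pax-utils.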
Comment 17 Ștefan Talpalaru 2018-11-16 21:32:33 UTC
I brought back VMware Workstation 14 with vmware-workstation-14.1.4.10722678 and vmware-modules-329.1.4 .
Comment 18 Manfred Knick 2018-11-23 18:11:02 UTC
[Security-announce] VMSA-2018-0030

"VMware Workstation and Fusion updates address an integer overflow issue"

   VMware      Product Running             Replace with/     Mitigation/
   Product     Version on     Severity     Apply patch       Workaround
   ==========  ======= ====== ========     =============     ===========
   Workstation 14.x    Any    Critical     14.1.5                None

[ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6983 ]
Comment 19 Ștefan Talpalaru 2018-11-23 19:41:58 UTC
version bumped
Comment 20 Manfred Knick 2019-02-15 19:42:34 UTC
Very unfortunately,

. . . [vmware-overlay]

had to be closed down
and was removed from overlays/repositories.xml:

. . . Bug 627666 - vmware: no reply to project status mail

. . . [ https://bugs.gentoo.org/627666#c8 ]


Currently up-to-date and perfectly working versions of vmware-workstation:
c.f.
  - Bug 663670     and
  - Bug 671218


HINT concerning vmware-player:
  - just install above;
  - vmware-player will be included :-)


ATM, further maintenance is continued 
in (experimental) [ stefantalpalaru ] overlay.