Summary: | <app-emulation/open-vm-tools-12.1.0: local privilege escalation | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | major | CC: | cfuga, floppym | ||||
Priority: | Normal | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | https://www.vmware.com/security/advisories/VMSA-2022-0024.html | ||||||
Whiteboard: | B1 [glsa+] | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | 871927 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
John Helmert III
2022-08-23 20:51:15 UTC
FYI, upstream released the version in the mean time and a simple ebuild renaming did build in a test VM (no runtime testing from my side though). (In reply to Nils Freydank from comment #1) > FYI, upstream released the version in the mean time and a simple ebuild > renaming did build in a test VM (no runtime testing from my side though). Thanks! Could you make a PR? The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c61a49faebd143a946a61929cb81fbf8ab2e8f0f commit c61a49faebd143a946a61929cb81fbf8ab2e8f0f Author: Mike Gilbert <floppym@gentoo.org> AuthorDate: 2022-09-09 15:21:51 +0000 Commit: Mike Gilbert <floppym@gentoo.org> CommitDate: 2022-09-09 15:22:54 +0000 app-emulation/open-vm-tools: add 12.1.0 Bug: https://bugs.gentoo.org/866227 Signed-off-by: Mike Gilbert <floppym@gentoo.org> app-emulation/open-vm-tools/Manifest | 1 + .../open-vm-tools/open-vm-tools-12.1.0.ebuild | 149 +++++++++++++++++++++ 2 files changed, 150 insertions(+) Thanks! Please stabilize when ready Created attachment 812878 [details, diff] CVE-2022-31676: backported patch for versions 11.3.5_p18557794 and 12.0.5_p19716617 There's also available this backported patch, from https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/1205-Properly-check-authorization-on-incoming-guestOps-re.patch It cleanly applies to both current versions in Gentoo tree,open-vm-tools-11.3.5_p18557794 and open-vm-tools-12.0.5_p19716617 (In reply to CFuga from comment #5) > Created attachment 812878 [details, diff] [details, diff] > CVE-2022-31676: backported patch for versions 11.3.5_p18557794 and > 12.0.5_p19716617 > > There's also available this backported patch, from > > https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/1205- > Properly-check-authorization-on-incoming-guestOps-re.patch > > It cleanly applies to both current versions in Gentoo > tree,open-vm-tools-11.3.5_p18557794 and open-vm-tools-12.0.5_p19716617 Hm? Is the patch not included in 12.1.0? Or maybe there's some reason we shouldn't stabilize it? (In reply to John Helmert III from comment #6) > (In reply to CFuga from comment #5) > > Created attachment 812878 [details, diff] [details, diff] [details, diff] > > CVE-2022-31676: backported patch for versions 11.3.5_p18557794 and > > 12.0.5_p19716617 > > > > There's also available this backported patch, from > > > > https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/1205- > > Properly-check-authorization-on-incoming-guestOps-re.patch > > > > It cleanly applies to both current versions in Gentoo > > tree,open-vm-tools-11.3.5_p18557794 and open-vm-tools-12.0.5_p19716617 > > Hm? Is the patch not included in 12.1.0? Or maybe there's some reason we > shouldn't stabilize it? The patch is included in 12.1.0. I suggest to apply it to the other versions available in Gentoo tree, unless you're planning to push to stable the new version and delete the previous ebuilds. I am not going to backport anything. I am waiting a short time before stabilizing 12.1.0. Please cleanup GLSA request filed, ping for cleanup. Cleanup done. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=fe60e20c56d0864d2ca0dc1449c82174df59e541 commit fe60e20c56d0864d2ca0dc1449c82174df59e541 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-31 01:23:04 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-31 01:40:16 +0000 [ GLSA 202210-27 ] open-vm-tools: Local Privilege Escalation Bug: https://bugs.gentoo.org/866227 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-27.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) GLSA released, all done! |