Bug 193196 - app-emulation/vmware-{server,workstation,player} - multiple vulnerabilities (CVE-2007-{4496|4497|5617|5618|5619})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: A2 [glsa]
Keywords:
: 193203 194670 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-09-20 15:46 UTC by Stefan Behte (RETIRED)
Modified: 2008-04-16 14:27 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2007-09-20 15:46:28 UTC
Hi, we need new ebuilds for 
app-emulation/vmware-server-1.0.4
and
app-emulation/vmware-workstation-6.0.1

older packages should then be masked AFAIK.

See http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0356.html

You can get the newest version here:
http://www.vmware.com/download/server/ -> http://download3.vmware.com/software/vmserver/VMware-server-1.0.4-56528.tar.gz
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2007-09-20 15:47:58 UTC
Changed from "Applications" to "Ebuilds" because that fits better.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-20 16:00:52 UTC
Thanks for the report. Vmware, please bump as necessary.
Comment 3 Mike Auty (RETIRED) gentoo-dev 2007-09-20 16:21:45 UTC
vmware-workstation-6.0.1
vmware-player-2.0.1
vmware-server-1.0.4

have all been bumped in the vmware overlay, but are not yet fully tested.  Vmware-server seems to work OK, vmware-workstation is behaving itself, but requires not only the 200 Mb download to get working, but another 67 Mb because they changed the modules again, meaning we've had to revert to using their sources.

How urgent a bump requirement is this?  Do we have time to make sure the ebuilds aren't badly broken before they go into the main tree?
Comment 4 Mike Auty (RETIRED) gentoo-dev 2007-09-20 16:24:19 UTC
Please also note, I've got no idea what's going on with workstation 4.5 or 5.5, I don't even know if they've had security releases made by upstream...
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2007-09-20 16:31:58 UTC
I successfully just cp'ed app-emulation/vmware-server/vmware-server-1.0.3.44356.ebuild to vmware-server-1.0.4.56528.ebuild, did an "ebuild vmware-server-1.0.4.56528.ebuild digest" and "ebuild vmware-server-1.0.4.56528.ebuild merge".
It emerged without problems, vmware-config.pl worked, and I could start a guest system inside vmware.

Though, I haven't checked all the files in app-emulation/vmware-server/files/general, so I don't know if all of them are still necessary.

"Updated versions of all supported hosted products and all ESX 2x
products and patches for ESX 30x address critical security updates. "
-> seems to me that they don't support and/or patch the old versions anymore.


>How urgent a bump requirement is this?  Do we have time to make sure the
>ebuilds aren't badly broken before they go into the main tree?

From the advisory: "This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. (CVE-2007-4496) "

Well, depending on your point of view you might regard this as worst-case scenario or not. I'd prefer to have the ebuilds properly tested, but I'm not the person to decide that.


BTW: Is there documentation on ebuilds? Things like what the patches are for? 

Comment 6 Mike Auty (RETIRED) gentoo-dev 2007-09-20 16:35:08 UTC
*** Bug 193203 has been marked as a duplicate of this bug. ***
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2007-09-20 16:41:07 UTC
The advisory says under "I. Arbitrary code execution and denial of service vulnerabilities":
"VMware Workstation 5.5.4 upgrade to version 5.5.5 (Build# 56455)"

I only found this on their page (where you can download 6.0.1 eval):
http://www.vmware.com/download/ws/eval.html

Maybe it's just an upgrade for buyers?!
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 16:56:37 UTC
(In reply to comment #3)
> How urgent a bump requirement is this?  Do we have time to make sure the
> ebuilds aren't badly broken before they go into the main tree?

There have been minor-version updates for our stable versions, so you can bump to them, too.

You can go:

vmware-workstation
  stable   5.5.4.44386 -> 5.5.5.56455
  unstable 6.0.0.45731 -> 6.0.1.55017
  is 4.5.3.19414 affected?

vmware-player
  stable   1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455
  unstable 2.0.0.45731 -> 2.0.1.55017

vmware-server
  unstable 1.0.3.44356 ->  1.0.4.56528
Comment 9 Mike Auty (RETIRED) gentoo-dev 2007-09-20 17:27:53 UTC
Status:

vmware-workstation
  stable   5.5.4.44386 -> 5.5.5.56455
  unstable 6.0.0.45731 -> 6.0.1.55017 (TESTING - IN OVERLAY)
  is 4.5.3.19414 affected?

vmware-player
  stable   1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455
  unstable 2.0.0.45731 -> 2.0.1.55017 (TESTING - IN OVERLAY)

vmware-server
  unstable 1.0.3.44356 (MASKED) ->  1.0.4.56528  (FIXED - IN TREE)

vmware-ESX packages
  Maintained by mattm, who's possibly RETIRED/AWOL given bug 143232 and bug 172556.  We don't have anyone else that we know of with ESX kit to test/digest for us.

I'll work on getting workstation-6 and player-2 into the main tree after a bit more testing.  As to the stable ebuilds, they tend to be handled by Chris G and I'd appreciate if he could look after bumping those please?  Let me know if their module numbers mismatch for any reason...
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2007-09-20 18:12:05 UTC
(In reply to comment #9)
> vmware-ESX packages
>   Maintained by mattm, who's possibly RETIRED/AWOL given bug 143232 and bug
> 172556.  We don't have anyone else that we know of with ESX kit to test/digest
> for us.

None of this matters, as the only ESX packages are client-side.  ESX is its own OS, so it doesn't run on Gentoo.

> I'd appreciate if he could look after bumping those please?  Let me know if
> their module numbers mismatch for any reason...

I'll get on these today.
Comment 11 Chris Gianelloni (RETIRED) gentoo-dev 2007-09-20 22:41:41 UTC
(In reply to comment #9)
> Status:
> 
> vmware-workstation
>   stable   5.5.4.44386 -> 5.5.5.56455
(TESTING - IN OVERLAY)

>   is 4.5.3.19414 affected?

No clue.  I would suspect that it is affected.  I can mask the package, if you like, as VMware no longer provides updates for this series.

> vmware-player
>   stable   1.0.2.29634 / 1.0.3.34682-r1 -> 1.0.5.56455
(TESTING - IN OVERLAY)

I'm about to throw these new versions into the tree.  I really need someone to check out VMware Player, since I have Workstation installed and can't install both.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2007-09-20 22:49:13 UTC
Just attach the ebuild and I'll test it, I don't have layman installed and have no clue how to use it.
Comment 13 Mike Auty (RETIRED) gentoo-dev 2007-09-20 22:51:15 UTC
30 second guide to layman:

emerge layman

layman -a vmware

vi /etc/make.conf
  Add in line "source /usr/portage/local/layman/make.conf"

emerge vmware-player...  5;)
Comment 14 Mike Auty (RETIRED) gentoo-dev 2007-09-20 22:54:42 UTC
Sorry for the spam, I forgot to mention that failing that, the ebuild's at:

http://overlays.gentoo.org/proj/vmware/browser/trunk/app-emulation/vmware-player/vmware-player-1.0.5.56455.ebuild
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2007-09-20 23:23:16 UTC
While waiting for a reply I figured out layman by myself which was indeed done in 30 seconds.

VMware-player-1.0.5-56455 worked just fine after adding it to ~x86 keywords.
I just noted a "scanelf" and the "libpng12.so.0" line (see below):

[...]
 * checking vmware-libcrypto.so.0.9.7l.tar.bz2 ;-) ...                                                                                                                [ ok ]
>>> Unpacking source...
>>> Unpacking VMware-player-1.0.5-56455.tar.gz to /var/tmp/portage/app-emulation/vmware-player-1.0.5.56455/work
>>> Unpacking vmware-any-any-update113.tar.gz to /var/tmp/portage/app-emulation/vmware-player-1.0.5.56455/work
 * Fallback PaX marking -m
scanelf: Nothing to scan !?
 * Applying various patches (bugfixes/updates) ...
[...]

It installed cleanly.

and the "usual" message when running vmplayer:
/opt/vmware/player/lib/bin/vmplayer: /opt/vmware/player/lib/lib/libpng12.so.0/libpng12.so.0: no version information available (required by /usr/lib/libcairo.so.2)

A guest system ran without problems.

For app-emulation/vmware-player-2.0.1.55017 I also had to unmask app-emulation/vmware-modules-1.0.0.17.

Both of them compiled without problems (but vmware-player spit out the same scanelf warning as mentioned above). A guest ran without problems. When starting vmplayer it says: "/usr/share/themes/Clearlooks/gtk-2.0/gtkrc:62: error: unexpected identifier `animation', expected character `}'", but everything in the GUI looks ok for me.

It took some time to download, because my ISP Arcor has problems delivering the bandwidth I'm paying for; and unfortunately my PC is not lightning fast.

BTW: Tested with kernel 2.6.21-gentoo-r3

Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2007-09-20 23:27:58 UTC
The sections in gtkrc look like this:
It's the "animation" line vmware-player complained about. This seems to be a cosmetic error, as vmware-player works. I just wanted to give full info:

style "clearlooks-default"
{
 [...]

  engine "clearlooks"
  {
    #scrollbar_color   = "#76acde"
    menubarstyle      = 2       # 0 = flat, 1 = sunken, 2 = flat gradient
    animation         = FALSE
    style             = CLASSIC
    radius            = 3.0
  }
}
Comment 17 Chris Gianelloni (RETIRED) gentoo-dev 2007-09-21 00:53:01 UTC
OK.  I bumped the vmware-workstation and vmware-player (5.5.5 and 1.0.5) versions in the tree.

Thanks for testing, Craig.  =]
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2007-09-21 01:04:47 UTC
You're welcome!

Oh, and thanks to Mike for the 30-second-guide (which I didn't need anymore, but it was kind of you, thanks) :)

What about the things about scanelf, gtkrc and libpng that I mentioned? Are those all just cosmetic?
Comment 19 Mike Auty (RETIRED) gentoo-dev 2007-09-21 07:29:40 UTC
Yep, those are all pretty much cosmetic.  The scanelf stuff is for the selinux/pax people.  The gtkrc issue seems not to affect the working of the vmware-packages, and finally the libpng stuff isn't a problem unless you have a very particular version of cairo in which case the whole thing won't start, but it affects a very small number of systems these days...

Thanks for pointing them out though, it kinda means everything's working exactly the way it always has...  5;)
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2007-09-21 07:58:39 UTC
Arches, please test and mark stable:
  app-emulation/vmware-workstation-5.5.5.56455
  app-emulation/vmware-player-1.0.5.56455
Targets are: "amd64 x86"

Comment 21 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-23 12:30:30 UTC
x86 stable
Comment 22 Mike Auty (RETIRED) gentoo-dev 2007-10-04 07:45:49 UTC
*** Bug 194670 has been marked as a duplicate of this bug. ***
Comment 23 Mike Doty (RETIRED) gentoo-dev 2007-10-11 07:16:19 UTC
vmware-workstation marked stable on amd64.  someone else will have to do vmware-player.
Comment 24 Mike Auty (RETIRED) gentoo-dev 2007-10-20 20:47:06 UTC
I bumped to vmware-workstation-6.0.1 and vmware-player-2.0.1 in the tree (both were ~ARCH before and are still so now) a while ago, and have just now masked off workstation-6.0.0 and vmware-player-2.0.0.

Just by way of summary, it appears that we're waiting for stabilization of vmware-player-1.0.5 on amd64, and then masking off the old/vulnerable stable versions of workstation and player...  5:)
Comment 25 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-06 23:06:58 UTC
OK.  I marked 1.0.5 stable on amd64...
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 01:24:40 UTC
GLSA request filed.
Comment 27 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 21:15:32 UTC
GLSA 200711-23
Comment 28 Martin Smith 2008-04-16 13:25:54 UTC
Hello all,

I run:
[ebuild   R   ] app-emulation/vmware-player-1.0.6.80404

And glsa-check is still whining at me about being vulnerable to this 200711-23 GLSA. Any advice?
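Why a 1.0.6 install is still reported, as an added example that is not part of the original thread and is not Portage's own code: it evaluates the vmware-player ranges of GLSA 200711-23 (quoted in the patch further down this bug) against an installed version. It assumes that "rge" matches only the same base version at an equal or higher -rN revision, that "ge" and "lt" compare whole versions, and that versions are plain dotted numbers; the function names are hypothetical.

```python
import re

def parse(ver):
    """Split '1.0.5.56455-r1' into ((1, 0, 5, 56455), 1); revision defaults to 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def in_range(installed, op, bound):
    """Simplified GLSA range test (assumed semantics, see lead-in)."""
    (iv, ir), (bv, br) = parse(installed), parse(bound)
    if op == "rge":   # same base version, revision >= the listed one
        return iv == bv and ir >= br
    if op == "ge":
        return (iv, ir) >= (bv, br)
    if op == "lt":
        return (iv, ir) < (bv, br)
    raise ValueError(f"unsupported range operator: {op!r}")

def is_flagged(installed, unaffected, vulnerable):
    """Flag when a vulnerable range matches and no unaffected range clears it."""
    hit = any(in_range(installed, op, b) for op, b in vulnerable)
    cleared = any(in_range(installed, op, b) for op, b in unaffected)
    return hit and not cleared

# vmware-player ranges of GLSA 200711-23 as quoted in this bug.
VULNERABLE = [("lt", "2.0.1.55017")]
UNAFFECTED_ORIGINAL = [("rge", "1.0.5.56455"), ("ge", "2.0.1.55017")]
UNAFFECTED_UPDATED = UNAFFECTED_ORIGINAL + [("rge", "1.0.6.80404")]

if __name__ == "__main__":
    # Constructed list of installed versions taken from versions named in the bug.
    for ver in ("1.0.3.34682-r1", "1.0.5.56455", "1.0.6.80404", "2.0.1.55017"):
        print(ver,
              "original:", is_flagged(ver, UNAFFECTED_ORIGINAL, VULNERABLE),
              "updated:", is_flagged(ver, UNAFFECTED_UPDATED, VULNERABLE))
```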
Comment 29 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-16 14:27:22 UTC
I just updated the GLSA to include the newer versions as unaffected.

Thanks for letting us know.

-- /var/www/glsamaker.gentoo.org/data/2007/11/23.xml	2007-11-18 21:03:41.000000000 +0000
+++ -	2008-04-16 14:18:02.596726000 +0000
@@ -17,11 +17,13 @@
   <affected>
     <package name="app-emulation/vmware-workstation" auto="yes" arch="*">
       <unaffected range="rge">5.5.5.56455</unaffected>
+      <unaffected range="rge">5.5.6.80404</unaffected>
       <unaffected range="ge">6.0.1.55017</unaffected>
       <vulnerable range="lt">6.0.1.55017</vulnerable>
     </package>
     <package name="app-emulation/vmware-player" auto="yes" arch="*">
       <unaffected range="rge">1.0.5.56455</unaffected>
+      <unaffected range="rge">1.0.6.80404</unaffected>
       <unaffected range="ge">2.0.1.55017</unaffected>
       <vulnerable range="lt">2.0.1.55017</vulnerable>
     </package>
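Review bot: the two added unaffected range="rge" lines (5.5.6.80404 under vmware-workstation, 1.0.6.80404 under vmware-player) each name one more release, while the vulnerable range="lt" entries still cover everything below 6.0.1.55017 and 2.0.1.55017. A later 5.5.x or 1.0.x bump would need yet another line before glsa-check stops reporting it, which is the situation comment 28 describes. Suggest recording next to this GLSA that the older-branch lists have to be extended with each maintenance release, and checking whether vmware-server needs the same treatment, since it is in the bug title but has no package entry in the visible hunk.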