Updates to VMware Workstation, VMware Player, VMware ACE, VMware
Server, VMware ESX address information disclosure, privilege
escalation and other security issues.
2. Relevant releases
VMware Workstation 6.0.4 and earlier,
VMware Workstation 5.5.7 and earlier,
VMware Player 2.0.4 and earlier,
VMware Player 1.0.7 and earlier,
VMware ACE 2.0.4 and earlier,
VMware ACE 1.0.6 and earlier,
VMware Server 1.0.6 and earlier,
Will attach the full advisory in a moment. It was sent to full-disclosure, and has not been published on webpage yet.
Created attachment 164107 [details]
Linux vulnerabilities are the following:
d. Update to Freetype
FreeType 2.3.6 resolves an integer overflow vulnerability and other
vulnerabilities that can allow malicious users to run arbitrary code
or might cause a denial-of-service after reading a maliciously
crafted file. This release updates FreeType to 2.3.7.
The Common Vulnerabilities and Exposures Project (cve.mitre.com)
has assigned the names CVE-2008-1806, CVE-2008-1807, and
CVE-2008-1808 to the issues resolved in Freetype 2.3.6.
This only affects ~arch:
e. Update to Cairo
Cairo 1.4.12 resolves an integer overflow vulnerability that can
allow malicious users to run arbitrary code or might cause a
denial-of-service after reading a maliciously crafted PNG file.
This release updates Cairo to 1.4.14.
The Common Vulnerabilities and Exposures (cve.mitre.com) has
assigned the name CVE-2007-5503 to this issue.
Please also note the following (quote):
NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x,
and VMware ACE 1.x will reach end of general support
2008-11-09. Customers should plan to upgrade to the latest
version of their respective products.
We should proceed the 6.x versions for stable soon.
I'm not going to be able to get to these this weekend. I'm busy and also having connection difficulties. I expect the bumps for vmware-server and player to be relatively easy if someone wants to have a go at them. Please ensure to test with a 2.6.25 kernel if you're going to give it a go. Hopefully I'll be able to get to these towards the tail end of next week...
*** Bug 236693 has been marked as a duplicate of this bug. ***
*** Bug 236805 has been marked as a duplicate of this bug. ***
*** Bug 237558 has been marked as a duplicate of this bug. ***
*** Bug 237631 has been marked as a duplicate of this bug. ***
Created attachment 165397 [details]
VMware Server 1.0.7 ebuild
I have tested this on amd64 but not on x86. It really should have additional testing on both amd64 and on x86.
Mike, what's the progress with the ebuilds?
Still working on them. I've set aside a couple of hours to get 2.6.25 back on my development machine so I can get all these rebuilt, tested and into the overlay. Hopefully by this evening is the best I can offer...
Ok, the following bumps are now in the overlay for testing:
Please test them out, particularly vmware-workstation-5.5.8 (I've only tested the corresponding vmware-player, version 22.214.171.124000). If everything goes ok, I'll shuffle them over to the main tree in the coming week...
Are there any issues left?!
*** Bug 239085 has been marked as a duplicate of this bug. ***
Ok, versions now in the main tree are:
Vmware-workstation 6.0.5 is now build 118166, 109488 is no longer available. It appears to be a 'bundle', whatever that is, but at 381 MB I've not downloaded it yet, and will wait to see what happens in portage.
Jonathan, vmware-workstation 6.0.5 is at build 109488. You're talking about vmware-workstation 6.5.0, which is indeed at build 118166, but that's not what this bug is about. If you're interested in vmware-workstation-6.5, please see bug 232230. Thanks... 5:)
*** Bug 241150 has been marked as a duplicate of this bug. ***
CVE-2008-4279 from 241150 will be handled here, too (same versions have to go stable).
Mike, are these versions tested enough and ready for going into stable?
I'd really like to have a version in tree that resolves those (severe) security issues!
Craig, comment 14 shows these ebuilds have been in the tree since the 30th of September. Stabilizing is up to the appropriate arch/security teams.
vmware-player-126.96.36.199488 fixes bug 233784, I confirm it is stable for x86
Sorry for the delay in adding arches.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
(In reply to comment #19)
> Craig, comment 14 shows these ebuilds have been in the tree since the 30th of
> September. Stabilizing is up to the appropriate arch/security teams.
I read that, but wasn't sure if all issues (usual VMWare Kernel version/module problems) were fixed, that's why I asked you as the maintainer first and did not add arches directly.
Hiya Craig, yep those issues still exist. The older modules don't work with 2.6.26+ and the newer ones don't work with 2.6.27+. Luckily 2.6.25 is still the stable gentoo-sources. I'm currently trying to get the latest versions of vmware working...
Stable gentoo sources is now 2.6.26-r3. Current stable vmware modules will no longer install against stable gentoo sources.
Ok, vwmare-modules-188.8.131.52-r2 just hit the tree, but this bug has been superceded by bug 245941. I'm not sure whether this just gets closed, or what...
amd64/x86 stable, all arches done.
@security: "all arches done" was january 2009. can we close this one too?
glsa request filed.
This issue was resolved and addressed in
GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml
by GLSA coordinator Sean Amoss (ackle).