Quoting from the VMware advisory:
VMware Hosted products and patches for ESX and ESXi resolve multiple
security issues. A flaw in the CPU hardware emulation may allow for a
privilege escalation on virtual machine guest operating systems. In
addition a directory traversal issue is resolved.
Ok, now in the tree are:
Ready for testing/stabilization/masking as necessary...
Arches, please test and stabilize:
Target keywords: amd64 x86
This version (at least of the player) wants app-emulation/vmware-modules-188.8.131.52-r1, which won't build with 2.6.26 kernels...
*** Bug 249632 has been marked as a duplicate of this bug. ***
Echoing comment #4 for vmware-server as well, amd64...pulling in app-emulation/vmware-modules-184.108.40.206-r1 which doesn't compile on 2.6.26.
This also resolves VMSA-2008-0019 / CVE-2008-4917.
Unspecified vulnerability in VMware Workstation 5.5.8 and earlier,
and 6.0.5 and earlier 6.x versions; VMware Player 1.0.8 and earlier,
and 2.0.5 and earlier 2.x versions; VMware Server 1.0.9 and earlier;
VMware ESXi 3.5; and VMware ESX 3.0.2 through 3.5 allows guest OS
users to have an unknown impact by sending the virtual hardware a
request that triggers an arbitrary physical-memory write operation,
leading to memory corruption.
gentoo-sources-2.6.27-r7 is now stable on amd64 and x86. Please test and report.
I've now wrestled with vmware-modules-220.127.116.11 and -r2 should work with the latest (2.6.28) kernel and older, so please have a go at restabilizing these...
Also, we've had vmware-workstation-18.104.22.168130 and vmware-player-22.214.171.124130 builds in the tree for a while now (although be aware of bug 254148).
amd64/x86 should all be done...
Thanks Markus, but it looks like you stabled the old versions (from bug 236167) rather than this one. Sorry, but we could do with the following stabilized please:
Sorry about that... 5:(
(In reply to comment #12)
> Thanks Markus, but it looks like you stabled the old versions (from bug 236167)
> rather than this one. Sorry, but we could do with the following stabilized
> vmware-modules-126.96.36.199-r2 (done)
> Sorry about that... 5:(
should all be done now.
GLSA together with 224637, 245941, 213548
Unspecified vulnerability in a guest virtual device driver in VMware
Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x
versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and
earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1
and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538
and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1;
VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS
users to cause a denial of service (host OS crash) via unknown
@security: and what's the status here?
A GLSA still needs to be written. As the security team is short-handed, and the backlog queue is large, this has not happened yet.
This issue was resolved and addressed in
GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml
by GLSA coordinator Sean Amoss (ackle).