Bug 264577 (CVE-2009-1142, CVE-2009-1143) - app-emulation/open-vm-tools (CVE-2009-1142, CVE-2009-1143)
Summary: app-emulation/open-vm-tools (CVE-2009-1142, CVE-2009-1143)
Status: RESOLVED FIXED
Alias: CVE-2009-1142, CVE-2009-1143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2009-04-02 00:37 UTC by Robert Buchholz (RETIRED)
Modified: 2022-10-22 04:14 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 00:37:17 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Thomas Biege reported the following flaws:

CVE-2009-1142
If vmware-user-suid-wrapper is setuid root and the function ChmodChownDirectory() (depends on define TOGGLE_VMBLOCK) is enabled it seems a local user can use links in /tmp to chown root:root arbitrary dirs and even chmod to 777.


CVE-2009-1143
mount.vmhgfs/hgfsmounter is dereferencing symlinks in the mount target (mountPoint) using "realpath()", not considering race conditions. This can be exploited to mount given shares to arbitrary targets.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 12:13:22 UTC
Mike, can you confirm if this is still a vulnerability that is present? Details are somewhat sparse as the bug is still not publicly released and SUSE still has a restriction on their bug.
Comment 2 Mike Gilbert gentoo-dev 2016-11-20 16:00:28 UTC
Regarding CVE-2009-1142, the ChmodChownDirectory function seems to have been removed several years ago; based on the tags, all versions currently in the gentoo repo do not include it.

https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7


Regarding CVE-2009-1143, I still see realpath() being called, but I am not sure what race conditions might be present.

https://github.com/vmware/open-vm-tools/blob/stable-10.0.7/open-vm-tools/hgfsmounter/hgfsmounter.c#L1122
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-12-07 12:59:09 UTC
Please see previous comment.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 02:59:34 UTC
This is from 2016 - Can we close this bug?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 19:28:21 UTC
This doesn't seem like an audit bug, but rather a regular security@ bug. Reassigning.

I'm not sure what to do here, I can't find any information on these CVEs 13 years later, MITRE only has them marked as reserved.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 02:18:06 UTC
Ping Mike?
Comment 7 Mike Gilbert gentoo-dev 2022-10-22 02:52:41 UTC
Both CVEs are public on SuSE's bugzilla. I don't see any reason to keep this bug private.

https://bugzilla.suse.com/show_bug.cgi?id=474285

https://bugzilla.suse.com/show_bug.cgi?id=372070

As I mentioned in comment 2, the code relevant to CVE-2009-1142 was removed a long time ago.

hgfsmounter was removed from the codebase before version 12.0.0 was tagged, which is relevant for CVE-2009-1143.

https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9

I have removed all versions older than 12.1.0 today.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cc24260ca8a40bb5deb8bb64ba63e24c77cc3e7
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 04:14:13 UTC
Thank you! We can probably just call this fixed due to age, and because it was ~ in 2011 so unlikely any stable versions ever existed.