VMware Workstation 6.5.2 and earlier, Player 2.5.2 and earlier & ACE 2.5.2 and earlier are susceptible to multiple vulnerabilities because of a bundled copy of libpng and apache.
Vulnerability details follow:
Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.
cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.
Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer."
The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read.
Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.
The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.
Update to comment 1; the Apache CVEs are only relevant to VMWare ACE on Windows.
Vadim, could you please bump vmware-workstation & vmware-server to the required new versions so they can be fast-tracked to stable please?
I've added to the tree:
I get :
Calculating dependencies ... done!
[uninstall ] app-emulation/vmware-player-188.8.131.52735-r1
[blocks b ] >=app-emulation/vmware-modules-184.108.40.206 (">=app-emulation/vmware-modules-220.127.116.11" is blocking app-emulation/vmware-player-18.104.22.168735-r1)
[ebuild U ] app-emulation/vmware-player-22.214.171.124404 [126.96.36.199735-r1] 98,707 kB
[ebuild U ] app-emulation/vmware-modules-188.8.131.52 [184.108.40.206] 478 kB
[blocks B ] >=app-emulation/vmware-modules-220.127.116.11 (">=app-emulation/vmware-modules-18.104.22.168" is blocking app-emulation/vmware-player-22.214.171.124735-r1)
Total: 2 packages (2 upgrades, 1 uninstall), Size of downloads: 99,185 kB
Conflict: 1 block
Would you like to merge these packages? [Yes/No]
>>> Verifying ebuild manifests
!!! A file listed in the Manifest could not be found: /usr/portage/app-emulation/vmware-player/files/126.96.36.199404/vmware-player-extras.py.patch
(In reply to comment #3)
> >>> Verifying ebuild manifests
> !!! A file listed in the Manifest could not be found:
> darn, I do not know how it happened, I mean files in changelog, cvs add commands in bash history...
Anyway sorry about that, I recommited folder and two patches.
(In reply to comment #2)
> I've added to the tree:
Arches, please test and mark stable. Target keywords: "amd64 x86"
*** Bug 280455 has been marked as a duplicate of this bug. ***
app-emulation/vmware-player-188.8.131.52404 tested fine on amd64. tanderson asked to commit when finished with server.
I've updated vmware-server ebuild, so server will use system libpng12.so.0.
amd64 stable, all arches done.
added to pending glsa.
(In reply to comment #9)
> I've updated vmware-server ebuild, so server will use system libpng12.so.0.
The same should be applied to other vmware packages such as vmware-workstation that suffers the same problem.
This issue was resolved and addressed in
GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml
by GLSA coordinator Sean Amoss (ackle).