Bug 385727 (CVE-2011-3868) - <app-emulation/vmware-{player-3.1.5,workstation-7.1.5}: VMware hosted products address remote code execution vulnerability (CVE-2011-3868)
Summary: <app-emulation/vmware-{player-3.1.5,workstation-7.1.5}: VMware hosted product...
Status: RESOLVED FIXED
Alias: CVE-2011-3868
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.vmware.com/security/adviso...
Whiteboard: A2 [glsa]
Reported: 2011-10-05 11:33 UTC by Sean Amoss (RETIRED)
Modified: 2012-09-29 16:26 UTC
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-10-05 11:33:31 UTC
From VMware advisory at $URL:

1. Summary
Hosted product updates address a remote code execution vulnerability in the way UDF file systems are handled.

2. Relevant releases
   VMware Workstation 7.1.4 and earlier
   VMware Player 3.1.4 and earlier
   VMware Fusion 3.1.2 and earlier
      
3. Problem Description
a. UDF file system import remote code execution
A buffer overflow vulnerability is present in the way UDF file systems are handled. This issue could allow for code execution if a user installs from a malicious ISO image that was specially crafted by an attacker.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:07:01 UTC
CVE-2011-3868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3868):
  Buffer overflow in VMware Workstation 7.x before 7.1.5, VMware Player 3.x
  before 3.1.5, VMware Fusion 3.1.x before 3.1.3, and VMware AMS allows remote
  attackers to execute arbitrary code via a crafted UDF filesystem in an ISO
  image.
Comment 2 Vadim Kuznetsov (RETIRED) gentoo-dev 2011-10-08 18:58:11 UTC
VMware Workstation 7.1.5 and Player 3.1.5 are in the tree.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-09 17:30:32 UTC
Does this mean they are ready for stabilization?
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-17 18:53:04 UTC
@maintainer: are the newest versions in the tree ready for stabilization?
Comment 5 Vadim Kuznetsov (RETIRED) gentoo-dev 2011-10-17 19:37:53 UTC
I do not think so.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-10-18 02:38:16 UTC
(In reply to comment #5)
> I do not think so.

Hi, Vadim. How do we proceed? Should we look to mask the vulnerable versions? Or might you have a timeline for getting this bumped? Thanks for your help with this.
Comment 7 Vadim Kuznetsov (RETIRED) gentoo-dev 2011-10-18 11:06:07 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > I do not think so.
> 
> Hi, Vadim. How do we proceed? Should we look to mask the vulnerable versions?
> Or might you have a timeline for getting this bumped? Thanks for your help
> with this.

As I understood CVE-2011-3868, the vulnerable configurations are 7.x before 7.1.5.
I have removed the 7.1.4 bunch from the tree. 7.1.5 is in the tree.
They did not mention 6.x, probably because 6.x is out of support. Because of that there is no bumping for 6. I was thinking to de-stabilize 6 on the grounds that it's out of upstream support and requires a patch to compile with new kernels. Let me know if I missed something.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-10-18 14:53:27 UTC
(In reply to comment #7)
> I was thinking to de-stabilize 6 on the grounds
> that it's out of upstream support and requires a patch to compile with new
> kernels. Let me know if I missed something.

That sounds alright, but ideally we'd have no vulnerable versions in the tree. If wks 6.x (and 2.x player) go to ~arch, can we then remove them and leave wks 7.1.5 and player 3.1.5 as ~arch? That would be fine with us if that is fine with you.
Comment 9 Vadim Kuznetsov (RETIRED) gentoo-dev 2011-10-19 16:57:29 UTC
(In reply to comment #8)
> (In reply to comment #7)

Do you consider wks 6.5.5, player 2.5.5 vulnerable?
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-10-19 17:12:32 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > (In reply to comment #7)
> 
> Do you consider wks 6.5.5, player 2.5.5 vulnerable?

I assume they are, and IMO their advisory is ambiguous, possibly because of end of support. I've asked them to clarify...
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-10-20 23:39:31 UTC
(In reply to comment #10)
> 
> I assume they are, and IMO their advisory is ambiguous, possibly because of end
> of support. I've asked them to clarify...

Here is the response from the VMware security team.

> Workstation 6.x or Player 2.x are no longer in support and therefore they
> are not in the advisory.
> 
> We have not determined if these versions are affected.

Fair enough, I think we need to assume they are vulnerable. Is wks 7 and player 3 as ~arch an acceptable approach? Thanks!
Comment 12 Vadim Kuznetsov (RETIRED) gentoo-dev 2011-10-21 00:05:52 UTC
Well, then let's mask the 6 bunch and leave 7 as is.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-11-05 04:58:35 UTC
(In reply to comment #12)
> Well, then let's mask the 6 bunch and leave 7 as is.

Are we ready to mask wks 6.x and player 3.x? Would you mind doing that? Thank you.
Comment 14 Vadim Kuznetsov (RETIRED) gentoo-dev 2011-11-05 18:00:40 UTC
# Vadim Kuznetsov <vadimk@gentoo.org> (05 Nov 2011)
# Masked for removal in 30 days
# due to end of support (upstream) and
# security issue: bug 385727
<app-emulation/vmware-modules-238.5
<app-emulation/vmware-player-3.1.5
<app-emulation/vmware-workstation-7.1.5
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-11-06 16:32:55 UTC
Thanks, Vadim. Added to existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-09-29 16:26:33 UTC
This issue was resolved and addressed in
 GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml
by GLSA coordinator Sean Amoss (ackle).