Assignee: @ Gentoo Security
CC: @ Gentoo VMWare Bug Squashers
CC: @ Thomas Deutschmann <whissi@gentoo.org>
Upgrade to version 12.5.5 necessary; all former versions affected; no workaround.
Predecessor: Bug 612804 [ https://bugs.gentoo.org/show_bug.cgi?id=612804 ]
Same procedure ...
Please, don't lose sight of [ https://bugs.gentoo.org/show_bug.cgi?id=612804#c11 ]
Ebuilds needed:
- app-emulation/vmware-modules-308.5.5.ebuild
- app-emulation/vmware-workstation-12.5.5.5234757.ebuild
Download: [ https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0 ]
Release-Notes, including descriptions: [ http://pubs.vmware.com/Release_Notes/en/workstation/12pro/workstation-1255-release-notes.html ] :
<cite>
What's New
This release of VMware Workstation Pro is a free upgrade for all VMware Workstation 12 Pro users. It contains bug fixes and security updates.
Important Fixes
This release of VMware Workstation Pro addresses the following issues:
- VMware Workstation Pro has a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues might allow a guest virtual machine to execute code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues.
- The VMware Workstation Pro XHCI driver has uninitialized memory usage. This issue might allow a guest virtual machine to execute code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4904 to this issue.
- VMware Workstation Pro has uninitialized memory usage. This issue might lead to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4905 to this issue.
</cite>
Reproducible: Always
Thanks for the report. Marking as trivial because no stable ebuild affected. VMSA-2017-0006 is about Pwn2Own 2017 reported VM escape.
(In reply to Thomas Deutschmann from comment #1)
> Thanks for the report.
My pleasure. Quick test (Upgrade VMware Tools inside a Win7 VM) succeeded.
(In reply to Manfred Knick from comment #0)
> Please, don't lose sight of [https://bugs.gentoo.org/show_bug.cgi?id=612804#c11]
Also [https://bugs.gentoo.org/show_bug.cgi?id=612804#c2] still holds true.
@ Fabio: ... app-emulation/vmware-tools/vmware-tools-9.9.5.3848939.ebuild seems still appropriate again?
Thanks.
To address bug 621910 we had to PMASK currently unmaintained VMware packages within the Gentoo repository.
VMware was removed from the Gentoo repository [1]. Closing as obsolete (package was never stable, i.e. no removal GLSA required).
[1] https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2d54401ad16fe676b80bb5618a569ebe02636d5