Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 619398 - app-emulation/vmware-workstation-{9.*, 10.*, 11.*, 12.1.*} : at least hard-mask
Summary: app-emulation/vmware-workstation-{9.*, 10.*, 11.*, 12.1.*} : at least hard-mask
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo VMWare Bug Squashers [disabled]
URL:
Whiteboard:
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2017-05-22 20:00 UTC by Manfred Knick
Modified: 2017-06-25 21:12 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Manfred Knick 2017-05-22 20:00:25 UTC
@ Gentoo VMWare Bug Squashers     vmware@gentoo.org

CC: jstein@gentoo.org


These versions in Main Portage Tree are not only outdated
and not supported by VMware by any means any more,
but endangered to severe CVE's.


Please note

Bug 612804 (CVE-2017-4901, VMSA-2017-0005) - app-emulation/vmware-workstation: out-of-bounds memory access (VMSA-2017-0005)

Bug 614666 (CVE-2017-4902, CVE-2017-4903, CVE-2017-4904, CVE-2017-4905, VMSA-2017-0006) - app-emulation/vmware-workstation: multiple vulnerabilities

Bug 616958 - app-emulation/vmware-workstation-12.5.6 version bump


Same applies to corresponding packages.

[-P-] [M ] app-emulation/vmware-workstation-9.0.3.1410761:0
[-P-] [  ] app-emulation/vmware-workstation-10.0.6.2700073-r1:0
[-P-] [  ] app-emulation/vmware-workstation-11.1.2.2780323-r4:0
[-P-] [  ] app-emulation/vmware-workstation-12.1.0.3272444-r2:0

[-P-] [M ] app-emulation/vmware-modules-271.3-r1:0
[-P-] [  ] app-emulation/vmware-modules-279.6:0
[-P-] [  ] app-emulation/vmware-modules-308.1.0:0

[-P-] [  ] app-emulation/vmware-tools-9.2.3.1031769:0
Comment 1 Jonas Stein gentoo-dev 2017-05-23 07:22:40 UTC
The security team is already active in the case of the CVEs.
Comment 2 Manfred Knick 2017-05-23 08:32:35 UTC
(In reply to Jonas Stein from comment #1)
> The security team is already active in the case of the CVEs.

Unfortunately, since two months, I observe a kind of "deadlock"
between
   The Security Team
and
   Gentoo VMWare Bug Squashers.

( C.f. "Forward" of PM : Thomas Deutschmann <whissi@gentoo.org> ).
Comment 3 Manfred Knick 2017-05-23 08:41:31 UTC
(In reply to Jonas Stein from comment #1)
> The security team is already active in the case of the CVEs.

Security has no need to act
because _none_ of the packages currently in Portage Main Tree
has ever been stabilized:
all of them are masked, either as "~" or even "M".

As far as I have learned from Thomas,
it's the duty of Gentoo VMware team to catch up to versions
which are supported by VMware.

# equery list -p vmware-workstation vmware-modules vmware-tools

[-P-] [M~] app-emulation/vmware-workstation-9.0.3.1410761:0
[-P-] [ ~] app-emulation/vmware-workstation-10.0.6.2700073-r1:0
[-P-] [ ~] app-emulation/vmware-workstation-11.1.2.2780323-r4:0
[-P-] [ ~] app-emulation/vmware-workstation-12.1.0.3272444-r2:0

[-P-] [M~] app-emulation/vmware-modules-271.3-r1:0
[-P-] [ ~] app-emulation/vmware-modules-279.6:0
[-P-] [ ~] app-emulation/vmware-modules-308.1.0:0

[-P-] [ ~] app-emulation/vmware-tools-9.2.3.1031769:0

_All_ of the above are _not_ supported any more (c.f. Description).
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-05-23 09:39:36 UTC
Well, we finally have to take actions. But before we start the removal process let me ask you Manfred, if you are willing to help maintaining VMware in Gentoo through proxy maintainers project, see https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started for details.
Comment 5 Manfred Knick 2017-05-24 18:49:34 UTC
Perhaps, this survey might turn out helpful ?


Andreas' current entry in   /usr/portage/profiles/package.mask :

# Andreas K. Huettel <dilfridge@gentoo.org> (19 Sep 2015)
# Masked for security reasons, bugs 516044, 552644
# Keeping it in the tree for now for users who cannot upgrade
# (commercial product, separate licenses for major versions)
=app-emulation/vmware-workstation-9*
=app-emulation/vmware-modules-271*


My current entries in     /etc/portage/package.mask :

# VMware CVE; Bug fixes; security updates
# BUGs 612804 , 614666 ; 616958
# hard-mask affected entries from Main Portage Repository
<app-emulation/vmware-modules-308.5.6:0::gentoo
<app-emulation/vmware-player-12.5.6.0:0::gentoo
<app-emulation/vmware-tools-10.1.6.0:0::gentoo
<app-emulation/vmware-workstation-12.5.6.0:0::gentoo
# just as a precaution (not in Main Portage Repository yet)
<app-emulation/vmware-vix-1.15.0:0::gentoo


My current entries in     /etc/portage/package.accept_keywords/vm :

=app-emulation/vmware-workstation-12.5.6.5528349:0
=app-emulation/vmware-modules-308.5.6:0
=app-emulation/vmware-tools-10.1.6.5214329:0


RESULT:

# equery list     -F '[$location] [$mask] $cpv:$slot [$repo]' 'vmware-*'

[I-O] [  ] app-emulation/vmware-modules-308.5.6:0 [vmware]
[I-O] [  ] app-emulation/vmware-tools-10.1.6.5214329:0 [vmware]
[I-O] [  ] app-emulation/vmware-workstation-12.5.6.5528349:0 [vmware]

# equery list -p  -F '[$location] [$mask] $cpv:$slot [$repo]' 'vmware-*'

[-P-] [M~] app-emulation/vmware-modules-271.3-r1:0 [gentoo]
[-P-] [M~] app-emulation/vmware-modules-279.6:0 [gentoo]
[-P-] [M~] app-emulation/vmware-modules-308.1.0:0 [gentoo]
[-P-] [M~] app-emulation/vmware-player-12.1.0.3272444-r2:0 [gentoo]
[-P-] [M~] app-emulation/vmware-tools-9.2.3.1031769:0 [gentoo]
[-P-] [M~] app-emulation/vmware-workstation-9.0.3.1410761:0 [gentoo]
[-P-] [M~] app-emulation/vmware-workstation-10.0.6.2700073-r1:0 [gentoo]
[-P-] [M~] app-emulation/vmware-workstation-11.1.2.2780323-r4:0 [gentoo]
[-P-] [M~] app-emulation/vmware-workstation-12.1.0.3272444-r2:0 [gentoo]

# equery list -o  -F '[$location] [$mask] $cpv:$slot [$repo]' 'vmware-*'

[--O] [ ~] app-emulation/vmware-modules-304.2:0 [vmware]
[--O] [ ~] app-emulation/vmware-modules-304.3-r1:0 [vmware]
[--O] [ ~] app-emulation/vmware-modules-304.4:0 [vmware]
[--O] [ ~] app-emulation/vmware-modules-304.4-r1:0 [vmware]
[--O] [ ~] app-emulation/vmware-modules-308.1.1:0 [vmware]
[I-O] [  ] app-emulation/vmware-modules-308.5.6:0 [vmware]
[--O] [ ~] app-emulation/vmware-player-7.1.2.2780323-r1:0 [vmware]
[--O] [ ~] app-emulation/vmware-player-12.1.1.3770994:0 [vmware]
[--O] [ ~] app-emulation/vmware-player-12.5.6.5528349:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-9.6.5.2700073:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-9.9.2.2496824:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-9.9.3.2780323:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-9.9.4.3206955:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-9.9.5.3848939:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-10.0.5.3228253:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-10.0.6.3595377:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-10.0.10.4301679:0 [vmware]
[--O] [ ~] app-emulation/vmware-tools-10.1.5.5055693:0 [vmware]
[I-O] [  ] app-emulation/vmware-tools-10.1.6.5214329:0 [vmware]
[--O] [ ~] app-emulation/vmware-vix-1.11.4.744019:0 [vmware]
[--O] [ ~] app-emulation/vmware-vsphere-cli-4.1.0.254719-r1:0 [vmware]
[--O] [ ~] app-emulation/vmware-workstation-11.1.3.3206955-r3:0 [vmware]
[--O] [ ~] app-emulation/vmware-workstation-11.1.3.3206955-r4:0 [vmware]
[--O] [ ~] app-emulation/vmware-workstation-11.1.4.3848939:0 [vmware]
[--O] [ ~] app-emulation/vmware-workstation-12.1.1.3770994:0 [vmware]
[I-O] [  ] app-emulation/vmware-workstation-12.5.6.5528349:0 [vmware]
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-06-17 09:56:40 UTC
Bug 621910 forced us to take action. Looks like dev-libs/nettle isn't need anymore by the version from the overlay, so masking VMware finally within Gentoo main repository was the easiest solution. See https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=113eb133e4b59e651b03899859edf96869ebdc36
Comment 7 Nikos Chantziaras 2017-06-17 14:27:38 UTC
A side effect of this mask is that people who use the latest vmware from the overlay also get the notice that "masked packages are installed".

Will you remove vmware from portage? That would be the better solution. No package mask required in that case.
Comment 8 Manfred Knick 2017-06-17 16:24:29 UTC
@ Nikos:
Sorry, but I deeply disagree:

!   Such small "ease of use" is not legitimating throwing off light-heartedly
!   VMware completely from official GENTOO Main Repository Tree.

You only add e.g. identical three lines

 =app-emulation/vmware-workstation-12.5.6.5528349:0::vmware
 =app-emulation/vmware-modules-308.5.6:0::vmware
 =app-emulation/vmware-tools-10.1.6.5214329:0::vmware

to /package.accept_keywords as well as to /package.unmask -

   done.


OBSERVATION:   Inconsistent:
   ~ vmware-vix
   ~ vmware-vsphere-cli
(in OVERLAY only).


@ Thomas:
Could you perhaps re-consider "My current entries" in comment #5 ?

In case, please add
   <app-emulation/vmware-vsphere-cli-4.1.0.0:0::gentoo
alike.

Alternatively:
Keep MASK independent of version, but constrained to ::gentoo ?

I think, if anybody adds vmware overlay,
it is well reasonable to expect 
that (s)he should know about implied consequences.


#############################################
My entries in my personal /etc/package.mask :
#############################################

# VMware    CVE; Bug fixes; security updates:
#           hard-mask affected entries
#
#           hard-mask affected entries from Main Portage Repository
#
 <app-emulation/vmware-modules-308.5.6:0::gentoo
 <app-emulation/vmware-player-12.5.6.0:0::gentoo
 <app-emulation/vmware-tools-10.1.6.0:0::gentoo
 <app-emulation/vmware-workstation-12.5.6.0:0::gentoo
#
#           hard-mask affected entries from Gentoo VMware Overlay
#
 <app-emulation/vmware-modules-308.5.6:0::vmware
 <app-emulation/vmware-player-12.5.6.0:0::vmware
 <app-emulation/vmware-tools-10.1.6.0:0::vmware
 <app-emulation/vmware-vix-1.15.0:0::vmware
 app-emulation/vmware-vsphere-cli-4.1.0.0:0::vmware
 <app-emulation/vmware-workstation-12.5.6.0:0::vmware
#

HTH. Thanks.
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-06-18 01:13:33 UTC
No, "::<repo>" notation doesn't exist in a repo's profile. Only in /etc/portage.
You are affected by this, because your overlay is probably a child of Gentoo's repository (which you should *not* change!).

We don't plan to remove VMware from Gentoo's main repository. However, we will start the removal if the overlay team don't come up with a pull request, but give them some time please (deadline for removal is 2017-07-31).

So in the meantime, if you are using VMware within Gentoo, you have to unmask the package. This is wanted. We want your attention.
Comment 10 Evan Teran 2017-06-19 17:14:49 UTC
Have I misread those CVEs or do they only effect vmware-workstation 12.x? If so, why would we hard mask versions 9, 10, 11?

I know that typically, packages focus on the latest version, but given that vmware is a paid commercial product, users don't necessarily want the absolute latest. Personally, I have a license for 11.x and haven't had a compelling reason to pay for the upgrade, and I suspect that many users are in this situation.

Thoughts?
Comment 11 Thomas Deutschmann gentoo-dev Security 2017-06-19 17:28:57 UTC
Previous VMware versions are affected. Upstream doesn't list EOL versions.

And remember: A user can always unmask and/or copy ebuilds to his/her private repository/overlay. But for the main repository we aim to allow only non-vulnerable versions.
Comment 12 Manfred Knick 2017-06-19 18:42:38 UTC
(In reply to Thomas Deutschmann from comment #11)

> ... Upstream doesn't list EOL versions.  ...

As of today:

. . . Workstation { Player | Pro } 12.x                        <--- only !

. . . [ General Availability | End of General Support ]

. . . [ 2015 / 08 / 25       | 2018 / 02 / 25         ]

( last line entry on page 6 )

[ http://www.vmware.com/content/dam/digitalmarketing/vmware/en
        /pdf/support/product-lifecycle-matrix.pdf ]


@ Evan:

  With every very latest minor release,
  VMware invalidates all former versions.


See also:
[ https://www.vmware.com/support/policies.html#lifecyclepolicies ]
Comment 13 Manfred Knick 2017-06-25 21:12:17 UTC
(In reply to Evan Teran from comment #10)

Just for the record:

E.g., c.f. "VMSA-2017-0009"

. . . [ https://www.vmware.com/us/security/advisories/VMSA-2017-0009.html ]

( already obsolete now because of  12.5.7 :
https://bugs.gentoo.org/show_bug.cgi?id=616958#c23 )

Greetings