From VMSA-2008-0014 1. Summary Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 2. Relevant releases VMware Workstation 6.0.4 and earlier, VMware Workstation 5.5.7 and earlier, VMware Player 2.0.4 and earlier, VMware Player 1.0.7 and earlier, VMware ACE 2.0.4 and earlier, VMware ACE 1.0.6 and earlier, VMware Server 1.0.6 and earlier, Will attach the full advisory in a moment. It was sent to full-disclosure, and has not been published on webpage yet.
Created attachment 164107 [details] vmsa-2008-14-full.txt
Linux vulnerabilities are the following: d. Update to Freetype FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7. The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6. This only affects ~arch: e. Update to Cairo Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14. The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue. Please also note the following (quote): NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x will reach end of general support 2008-11-09. Customers should plan to upgrade to the latest version of their respective products. We should proceed the 6.x versions for stable soon.
I'm not going to be able to get to these this weekend. I'm busy and also having connection difficulties. I expect the bumps for vmware-server and player to be relatively easy if someone wants to have a go at them. Please ensure to test with a 2.6.25 kernel if you're going to give it a go. Hopefully I'll be able to get to these towards the tail end of next week...
*** Bug 236693 has been marked as a duplicate of this bug. ***
*** Bug 236805 has been marked as a duplicate of this bug. ***
*** Bug 237558 has been marked as a duplicate of this bug. ***
*** Bug 237631 has been marked as a duplicate of this bug. ***
Created attachment 165397 [details] VMware Server 1.0.7 ebuild I have tested this on amd64 but not on x86. It really should have additional testing on both amd64 and on x86.
Mike, what's the progress with the ebuilds?
Still working on them. I've set aside a couple of hours to get 2.6.25 back on my development machine so I can get all these rebuilt, tested and into the overlay. Hopefully by this evening is the best I can offer...
Ok, the following bumps are now in the overlay for testing: vmware-player-1.0.8.108000 vmware-player-2.0.5.109488 vmware-server-1.0.7.108231 vmware-server-console-1.0.7.108231 vmware-workstation-5.5.8.108000 vmware-workstation-6.0.5.109488 vmware-modules-1.0.0.22 Please test them out, particularly vmware-workstation-5.5.8 (I've only tested the corresponding vmware-player, version 1.0.8.108000). If everything goes ok, I'll shuffle them over to the main tree in the coming week...
Are there any issues left?!
*** Bug 239085 has been marked as a duplicate of this bug. ***
Ok, versions now in the main tree are: vmware-workstation-5.5.8.108000 vmware-workstation-6.0.5.109488 vmware-player-1.0.8.108000 vmware-player-2.0.5.109488 vmware-server-1.0.7.108231 vmware-server-console-1.0.7.108231
Vmware-workstation 6.0.5 is now build 118166, 109488 is no longer available. It appears to be a 'bundle', whatever that is, but at 381 MB I've not downloaded it yet, and will wait to see what happens in portage.
Jonathan, vmware-workstation 6.0.5 is at build 109488. You're talking about vmware-workstation 6.5.0, which is indeed at build 118166, but that's not what this bug is about. If you're interested in vmware-workstation-6.5, please see bug 232230. Thanks... 5:)
*** Bug 241150 has been marked as a duplicate of this bug. ***
CVE-2008-4279 from 241150 will be handled here, too (same versions have to go stable). Mike, are these versions tested enough and ready for going into stable? I'd really like to have a version in tree that resolves those (severe) security issues!
Craig, comment 14 shows these ebuilds have been in the tree since the 30th of September. Stabilizing is up to the appropriate arch/security teams.
vmware-player-2.0.5.109488 fixes bug 233784, I confirm it is stable for x86
Sorry for the delay in adding arches. Arches, please test and mark stable: =app-emulation/vmware-workstation-5.5.8.108000 =app-emulation/vmware-player-1.0.8.108000 =app-emulation/vmware-server-1.0.7.108231 =app-emulation/vmware-server-console-1.0.7.108231 Target keywords : "amd64 x86"
(In reply to comment #19) > Craig, comment 14 shows these ebuilds have been in the tree since the 30th of > September. Stabilizing is up to the appropriate arch/security teams. > I read that, but wasn't sure if all issues (usual VMWare Kernel version/module problems) were fixed, that's why I asked you as the maintainer first and did not add arches directly.
Hiya Craig, yep those issues still exist. The older modules don't work with 2.6.26+ and the newer ones don't work with 2.6.27+. Luckily 2.6.25 is still the stable gentoo-sources. I'm currently trying to get the latest versions of vmware working...
Stable gentoo sources is now 2.6.26-r3. Current stable vmware modules will no longer install against stable gentoo sources.
Ok, vwmare-modules-1.0.0.15-r2 just hit the tree, but this bug has been superceded by bug 245941. I'm not sure whether this just gets closed, or what...
amd64/x86 stable, all arches done.
@security: "all arches done" was january 2009. can we close this one too?
glsa request filed.
This issue was resolved and addressed in GLSA 201209-25 at http://security.gentoo.org/glsa/glsa-201209-25.xml by GLSA coordinator Sean Amoss (ackle).
