CVE-2014-4200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4200): vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, uses 0644 permissions for the vm-support archive, which allows local users to obtain sensitive information by extracting files from this archive.

CVE-2014-4199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4199): vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, allows local users to write to arbitrary files via a symlink attack on a file in /tmp.
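Both issues above come down to how a diagnostic archive is created: its file mode, and whether its path in a shared directory can be predicted. The following is an added example, not vm-support's code and not part of the original report; the function names, archive name and directory layout are hypothetical.

```shell
# Added example: hypothetical helper names, not taken from vm-support.

# Succeeds only if the file grants no permissions to group or other.
archive_is_private() {
    # Characters 5-10 of "ls -l" output are the group and other bits,
    # e.g. "-rw-------" gives "------", "-rw-r--r--" gives "r--r--".
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Build a tar.gz of SRC_DIR inside OUT_DIR and print the archive path.
make_support_archive() {
    src=$1
    out=$2
    (
        # Files created from here on are 0600 and directories 0700,
        # instead of the 0644 described in CVE-2014-4200.
        umask 077
        # mktemp -d creates the directory atomically under an unpredictable
        # name, so a symlink planted in /tmp beforehand is never followed
        # (the CVE-2014-4199 class of problem).
        work=$(mktemp -d "${TMPDIR:-/tmp}/support.XXXXXXXXXX") || exit 1
        trap 'rm -rf "$work"' EXIT
        tar -czf "$work/bundle.tar.gz" -C "$src" . || exit 1
        # Reserve the final name exclusively, then move the archive over it.
        dest=$(mktemp "$out/support-XXXXXXXXXX") || exit 1
        mv -f "$work/bundle.tar.gz" "$dest" || exit 1
        # Refuse to hand back an archive that others could read.
        archive_is_private "$dest" || exit 1
        printf '%s\n' "$dest"
    )
}
```

`archive_is_private` can also be pointed at archives left behind by an older tool to find ones that are readable by other local users.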
Maintainer(s), maybe this should be against the app-emulation/vmware-tools package?
(In reply to Sean Amoss from comment #1)
> Maintainer(s), maybe this should be against the app-emulation/vmware-tools
> package?

Indeed. Now we "just" need to correlate the version numbers somehow... :/
# Andreas K. Huettel <dilfridge@gentoo.org> (19 Sep 2015)
# Masked for security reasons, bugs 516044, 552644
# Keeping it in the tree for now for users who cannot upgrade
# (commercial product, separate licenses for major versions)
=app-emulation/vmware-workstation-9*
=app-emulation/vmware-modules-271*

Andreas, how long would you like to leave 9* in the tree?
The mask for vmware 9.x is still there, but we need a mask for vmware-tools. @dilfridge, am I missing anything here with the versioning?
Because we had to take action for bug 621910, app-emulation/vmware-tools is now PMASKED again, also addressing this vulnerability.
(In reply to Thomas Deutschmann from comment #5)

@ Thomas: as you know already: VMware Products have been removed from Main Portage Tree during Nov-2017. Further development has been relegated to [vmware] Overlay.

Situation as of today, 30-Nov-2017:

Workstation : stable in [vmware] = 12.5.8 / released = 14.0.0 : Bug 634770
Player : stable in [vmware] = 12.5.8 / released = 14.0.0 : Bug 639162
Modules : stable in [vmware] = 308.5.8 / released = 329.0.0 : Bug 634862
Tools : stable in [vmware] = 10.1.6 / released = 10.1.15 : Bug 634854

I think this Bug can be CLOSED.
Package has been removed from the tree.