Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626432 (CVE-2015-5191, VMSA-2017-0013) - <app-emulation/open-vm-tools-10.1.10: local privilege escalation
Summary: <app-emulation/open-vm-tools-10.1.10: local privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2015-5191, VMSA-2017-0013
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2017/q3/209
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-28 12:37 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-08-08 17:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-28 12:37:54 UTC 
From URL:

Open VMware Tools (CVE-2015-5191) contains multiple file system races in libDeployPkg, related to the use of hard-coded 
paths under /tmp.
Successful exploitation may result in a local privilege escalation. The impact of this vulnerability is low for 
distributions which have enabled PrivateTmp for the affected service.
Fixes/References
--------------
9.10.x – https://github.com/vmware/open-vm-tools/commit/c1304ce8bfd9c0c33999e496bf7049d5c3d45821
10.0.x - https://github.com/vmware/open-vm-tools/commit/b3068b04880eda4ca3e13f2d34fb8ce336ad1a4f
10.1.x - https://github.com/vmware/open-vm-tools/commit/22e58289f71232310d30cf162b83b5151a937bac
Comment 1 D'juan McDonald (domhnall) 2017-08-08 16:49:08 UTC 
Upstream: https://www.vmware.com/security/advisories/VMSA-2017-0013.html
Comment 2 Mike Gilbert gentoo-dev 2017-08-08 17:02:41 UTC 
open-vm-tools-10.1.10 has been added to the gentoo repo, and all previous versions have been removed.

This package has no stable keywords.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-08 17:18:52 UTC 
(In reply to Mike Gilbert from comment #2)
> open-vm-tools-10.1.10 has been added to the gentoo repo, and all previous
> versions have been removed.
> 
> This package has no stable keywords.

Thanks, CVE assigned, noglsa, closing