Bug 866227 (CVE-2022-31676, VMSA-2022-0024.1) - <app-emulation/open-vm-tools-12.1.0: local privilege escalation
Summary: <app-emulation/open-vm-tools-12.1.0: local privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2022-31676, VMSA-2022-0024.1
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.vmware.com/security/advis...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 871927
Blocks:
Reported: 2022-08-23 20:51 UTC by John Helmert III
Modified: 2022-10-31 02:18 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2022-31676: backported patch for versions 11.3.5_p18557794 and 12.0.5_p19716617 (1205-Properly-check-authorization-on-incoming-guestOps-re.patch, 1.40 KB, patch)
2022-09-19 16:35 UTC, CFuga

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-23 20:51:15 UTC
"A malicious actor with local non-administrative access
to the Guest OS can escalate privileges as a root user in the virtual
machine."

Seems like 12.1.0 is in the process of being released:

https://docs.vmware.com/en/VMware-Tools/12.1/rn/VMware-Tools-1210-Release-Notes.html
Comment 1 Nils Freydank 2022-09-09 08:51:06 UTC
FYI, upstream released the version in the meantime and a simple ebuild renaming did build in a test VM (no runtime testing from my side though).
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-09 14:56:16 UTC
(In reply to Nils Freydank from comment #1)
> FYI, upstream released the version in the meantime and a simple ebuild
> renaming did build in a test VM (no runtime testing from my side though).

Thanks! Could you make a PR?
Comment 3 Larry the Git Cow gentoo-dev 2022-09-09 15:23:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c61a49faebd143a946a61929cb81fbf8ab2e8f0f

commit c61a49faebd143a946a61929cb81fbf8ab2e8f0f
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-09-09 15:21:51 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-09-09 15:22:54 +0000

    app-emulation/open-vm-tools: add 12.1.0
    
    Bug: https://bugs.gentoo.org/866227
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 app-emulation/open-vm-tools/Manifest               |   1 +
 .../open-vm-tools/open-vm-tools-12.1.0.ebuild      | 149 +++++++++++++++++++++
 2 files changed, 150 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-09 15:24:33 UTC
Thanks! Please stabilize when ready
Comment 5 CFuga 2022-09-19 16:35:51 UTC
Created attachment 812878
CVE-2022-31676: backported patch for versions 11.3.5_p18557794 and 12.0.5_p19716617

There's also available this backported patch, from

https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/1205-Properly-check-authorization-on-incoming-guestOps-re.patch

It cleanly applies to both current versions in Gentoo tree, open-vm-tools-11.3.5_p18557794 and open-vm-tools-12.0.5_p19716617
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:40:59 UTC
(In reply to CFuga from comment #5)
> Created attachment 812878
> CVE-2022-31676: backported patch for versions 11.3.5_p18557794 and
> 12.0.5_p19716617
> 
> There's also available this backported patch, from
> 
> https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/1205-
> Properly-check-authorization-on-incoming-guestOps-re.patch
> 
> It cleanly applies to both current versions in Gentoo
> tree, open-vm-tools-11.3.5_p18557794 and open-vm-tools-12.0.5_p19716617

Hm? Is the patch not included in 12.1.0? Or maybe there's some reason we shouldn't stabilize it?
Comment 7 CFuga 2022-09-19 19:03:25 UTC
(In reply to John Helmert III from comment #6)
> (In reply to CFuga from comment #5)
> > Created attachment 812878
> > CVE-2022-31676: backported patch for versions 11.3.5_p18557794 and
> > 12.0.5_p19716617
> > 
> > There's also available this backported patch, from
> > 
> > https://github.com/vmware/open-vm-tools/blob/CVE-2022-31676.patch/1205-
> > Properly-check-authorization-on-incoming-guestOps-re.patch
> > 
> > It cleanly applies to both current versions in Gentoo
> > tree, open-vm-tools-11.3.5_p18557794 and open-vm-tools-12.0.5_p19716617
> 
> Hm? Is the patch not included in 12.1.0? Or maybe there's some reason we
> shouldn't stabilize it?

The patch is included in 12.1.0. I suggest applying it to the other versions available in the Gentoo tree, unless you're planning to push the new version to stable and delete the previous ebuilds.
Comment 8 Mike Gilbert gentoo-dev 2022-09-19 19:09:25 UTC
I am not going to backport anything. I am waiting a short time before stabilizing 12.1.0.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 14:27:14 UTC
Please clean up
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 02:25:10 UTC
GLSA request filed, ping for cleanup.
Comment 11 Mike Gilbert gentoo-dev 2022-10-22 03:08:52 UTC
Cleanup done.
Comment 12 Larry the Git Cow gentoo-dev 2022-10-31 01:41:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fe60e20c56d0864d2ca0dc1449c82174df59e541

commit fe60e20c56d0864d2ca0dc1449c82174df59e541
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:23:04 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-27 ] open-vm-tools: Local Privilege Escalation
    
    Bug: https://bugs.gentoo.org/866227
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-27.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:37 UTC
GLSA released, all done!