Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201209-25 ] VMware Player, Server, Workstation: Multiple vulnerabilities
Date: Sat, 29 Sep 2012 18:12:00
Message-Id: 506720B1.4070809@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201209-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: VMware Player, Server, Workstation: Multiple vulnerabilities
     Date: September 29, 2012
     Bugs: #213548, #224637, #236167, #245941, #265139, #282213,
           #297367, #335866, #385727
       ID: 201209-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in VMware Player, Server, and
Workstation, allowing remote and local attackers to conduct several
attacks, including privilege escalation, remote execution of arbitrary
code, and a Denial of Service.

Background
==========

VMware Player, Server, and Workstation allow emulation of a complete PC
on a PC without the usual performance overhead of most emulators.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/vmware-player
                               <= 2.5.5.328052                Vulnerable!
  2  app-emulation/vmware-workstation
                               <= 6.5.5.328052                Vulnerable!
  3  app-emulation/vmware-server
                               <= 1.0.9.156507                Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     3 affected packages

Description
===========

Multiple vulnerabilities have been discovered in VMware Player, Server,
and Workstation. Please review the CVE identifiers referenced below for
details.

Impact
======

Local users may be able to gain escalated privileges, cause a Denial of
Service, or gain sensitive information.

A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the remote execution of arbitrary code, or a
Denial of Service. Remote attackers also may be able to spoof DNS
traffic, read arbitrary files, or inject arbitrary web script to the
VMware Server Console.

Furthermore, guest OS users may be able to execute arbitrary code on
the host OS, gain escalated privileges on the guest OS, or cause a
Denial of Service (crash the host OS).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Gentoo discontinued support for VMware Player. We recommend that users
unmerge VMware Player:

  # emerge --unmerge "app-emulation/vmware-player"

NOTE: Users could upgrade to ">=app-emulation/vmware-player-3.1.5",
however these packages are not currently stable.

Gentoo discontinued support for VMware Workstation. We recommend that
users unmerge VMware Workstation:

  # emerge --unmerge "app-emulation/vmware-workstation"

NOTE: Users could upgrade to
">=app-emulation/vmware-workstation-7.1.5", however these packages are
not currently stable.

Gentoo discontinued support for VMware Server. We recommend that users
unmerge VMware Server:

  # emerge --unmerge "app-emulation/vmware-server"

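A read-only check for the packages named above, as an added example that is not part of the advisory or of Gentoo's own tooling: it scans Portage's installed-package database (assumed at its default location, /var/db/pkg) and lists every install at or below the vulnerable versions in the Affected packages table. The function names and the `sort -V` comparison are choices made for this example; they cover the dotted numeric versions listed here, not every Portage version form.

```shell
#!/bin/sh
# Added example: find installed packages covered by GLSA 201209-25.
# Assumes the standard Portage layout /var/db/pkg/<category>/<name>-<version>/.

# Highest vulnerable version of each package, copied from the advisory's table.
GLSA_TABLE='vmware-player 2.5.5.328052
vmware-workstation 6.5.5.328052
vmware-server 1.0.9.156507'

# version_le A B: succeed when A <= B.
# Relies on sort -V (GNU coreutils), a simplification of Portage's own
# version comparison that is sufficient for plain dotted numbers.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# glsa_affected [VDB_ROOT]: print "category/name version" for each installed
# package whose version is within the vulnerable range.
glsa_affected() {
    vdb="${1:-/var/db/pkg}"
    printf '%s\n' "$GLSA_TABLE" | while read -r name max; do
        # "-[0-9]" keeps differently named packages with the same prefix out.
        for dir in "$vdb"/app-emulation/"$name"-[0-9]*; do
            [ -d "$dir" ] || continue      # glob matched nothing
            base="${dir##*/}"
            ver="${base#"$name"-}"
            ver="${ver%-r[0-9]*}"          # drop a revision suffix such as -r1
            if version_le "$ver" "$max"; then
                printf 'app-emulation/%s %s\n' "$name" "$ver"
            fi
        done
    done
}
```

Source the file and run `glsa_affected`; each line it prints names a package to unmerge as described above. On a system with gentoolkit installed, `glsa-check -t 201209-25` is the authoritative test.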

References
==========

[  1 ] CVE-2007-5269
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5269
[  2 ] CVE-2007-5503
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5503
[  3 ] CVE-2007-5671
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5671
[  4 ] CVE-2008-0967
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0967
[  5 ] CVE-2008-1340
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1340
[  6 ] CVE-2008-1361
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1361
[  7 ] CVE-2008-1362
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1362
[  8 ] CVE-2008-1363
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1363
[  9 ] CVE-2008-1364
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1364
[ 10 ] CVE-2008-1392
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1392
[ 11 ] CVE-2008-1447
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
[ 12 ] CVE-2008-1806
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1806
[ 13 ] CVE-2008-1807
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1807
[ 14 ] CVE-2008-1808
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1808
[ 15 ] CVE-2008-2098
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098
[ 16 ] CVE-2008-2100
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2100
[ 17 ] CVE-2008-2101
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2101
[ 18 ] CVE-2008-4915
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4915
[ 19 ] CVE-2008-4916
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4916
[ 20 ] CVE-2008-4917
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4917
[ 21 ] CVE-2009-0040
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040
[ 22 ] CVE-2009-0909
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0909
[ 23 ] CVE-2009-0910
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0910
[ 24 ] CVE-2009-1244
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1244
[ 25 ] CVE-2009-2267
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2267
[ 26 ] CVE-2009-3707
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3707
[ 27 ] CVE-2009-3732
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3732
[ 28 ] CVE-2009-3733
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3733
[ 29 ] CVE-2009-4811
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4811
[ 30 ] CVE-2010-1137
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1137
[ 31 ] CVE-2010-1138
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1138
[ 32 ] CVE-2010-1139
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1139
[ 33 ] CVE-2010-1140
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1140
[ 34 ] CVE-2010-1141
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1141
[ 35 ] CVE-2010-1142
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1142
[ 36 ] CVE-2010-1143
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1143
[ 37 ] CVE-2011-3868
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3868

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201209-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature