Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200711-23 ] VMware Workstation and Player: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Sun Nov 18, 2007 10:26 pm    Post subject: [ GLSA 200711-23 ] VMware Workstation and Player: Multiple v Reply with quote

Gentoo Linux Security Advisory

Title: VMware Workstation and Player: Multiple vulnerabilities (GLSA 200711-23)
Severity: normal
Exploitable: remote
Date: November 18, 2007
Updated: April 16, 2008
Bug(s): #193196
ID: 200711-23

Synopsis


VMware guest operating systems might be able to execute arbitrary code with
elevated privileges on the host operating system through multiple flaws.


Background


VMware Workstation is a virtual machine for developers and system
administrators. VMware Player is a freeware virtualization software
that can run guests produced by other VMware products.


Affected Packages

Package: app-emulation/vmware-workstation
Vulnerable: < 5.5.5.56455
Vulnerable: = 6.0.0.45731
Unaffected: >= 5.5.5.56455
Architectures: All supported architectures

Package: app-emulation/vmware-player
Vulnerable: < 1.0.5.56455
Vulnerable: = 2.0.0.45731
Unaffected: >= 1.0.5.56455
Architectures: All supported architectures


Description


Multiple vulnerabilities have been discovered in several VMware
products. Neel Mehta and Ryan Smith (IBM ISS X-Force) discovered that
the DHCP server contains an integer overflow vulnerability
(CVE-2007-0062), an integer underflow vulnerability (CVE-2007-0063) and
another error when handling malformed packets (CVE-2007-0061), leading
to stack-based buffer overflows or stack corruption. Rafal Wojtczvk
(McAfee) discovered two unspecified errors that allow authenticated
users with administrative or login privileges on a guest operating
system to corrupt memory or cause a Denial of Service (CVE-2007-4496,
CVE-2007-4497). Another unspecified vulnerability related to untrusted
virtual machine images was discovered (CVE-2007-5617).

VMware products also shipped code copies of software with several
vulnerabilities: Samba (GLSA-200705-15), BIND (GLSA-200702-06), MIT
Kerberos 5 (GLSA-200707-11), Vixie Cron (GLSA-200704-11), shadow
(GLSA-200606-02), OpenLDAP (CVE-2006-4600), PAM (CVE-2004-0813,
CVE-2007-1716), GCC (CVE-2006-3619) and GDB (CVE-2006-4146).


Impact


Remote attackers within a guest system could possibly exploit these
vulnerabilities to execute code on the host system with elevated
privileges or to cause a Denial of Service.


Workaround


There is no known workaround at this time.


Resolution


All VMware Workstation users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/vmware-workstation-5.5.5.56455"

All VMware Player users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/vmware-player-1.0.5.56455"


References

CVE-2004-0813
CVE-2006-3619
CVE-2006-4146
CVE-2006-4600
CVE-2007-0061
CVE-2007-0062
CVE-2007-0063
CVE-2007-1716
CVE-2007-4496
CVE-2007-4497
CVE-2007-5617
GLSA-200606-02
GLSA-200702-06
GLSA-200704-11
GLSA-200705-15
GLSA-200707-11
VMSA-2007-0006


Last edited by GLSA on Mon Jun 10, 2013 4:26 am; edited 3 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum