summaryrefslogtreecommitdiff
blob: 8e5009eeeb80da48c4a5fa13e9712a62a625d919 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201209-25">
  <title>VMware Player, Server, Workstation: Multiple vulnerabilities</title>
  <synopsis>Multiple vulnerabilities have been found in VMware Player, Server,
    and Workstation, allowing remote and local attackers to conduct several
    attacks, including privilege escalation, remote execution of arbitrary
    code, and a Denial of Service.
  </synopsis>
  <product type="ebuild">vmware-server vmware-player vmware-workstation</product>
  <announced>September 29, 2012</announced>
  <revised>September 29, 2012: 2</revised>
  <bug>213548</bug>
  <bug>224637</bug>
  <bug>236167</bug>
  <bug>245941</bug>
  <bug>265139</bug>
  <bug>282213</bug>
  <bug>297367</bug>
  <bug>335866</bug>
  <bug>385727</bug>
  <access>local, remote</access>
  <affected>
    <package name="app-emulation/vmware-player" auto="yes" arch="*">
      <vulnerable range="le">2.5.5.328052</vulnerable>
    </package>
    <package name="app-emulation/vmware-workstation" auto="yes" arch="*">
      <vulnerable range="le">6.5.5.328052</vulnerable>
    </package>
    <package name="app-emulation/vmware-server" auto="yes" arch="*">
      <vulnerable range="le">1.0.9.156507</vulnerable>
    </package>
  </affected>
  <background>
    <p>VMware Player, Server, and Workstation allow emulation of a complete PC
      on a PC without the usual performance overhead of most emulators.
    </p>
  </background>
  <description>
    <p>Multiple vulnerabilities have been discovered in VMware Player, Server,
      and Workstation. Please review the CVE identifiers referenced below for
      details.
    </p>
  </description>
  <impact type="high">
    <p>Local users may be able to gain escalated privileges, cause a Denial of
      Service, or gain sensitive information. 
    </p>
    
    <p>A remote attacker could entice a user to open a specially crafted file,
      possibly resulting in the remote execution of arbitrary code, or a Denial
      of Service. Remote attackers also may be able to spoof DNS traffic, read
      arbitrary files, or inject arbitrary web script to the VMware Server
      Console. 
    </p>
    
    <p>Furthermore, guest OS users may be able to execute arbitrary code on the
      host OS, gain escalated privileges on the guest OS, or cause a Denial of
      Service (crash the host OS).
    </p>
  </impact>
  <workaround>
    <p>There is no known workaround at this time.</p>
  </workaround>
  <resolution>
    <p>Gentoo discontinued support for VMware Player. We recommend that users
      unmerge VMware Player:
    </p>
    
    <code>
      # emerge --unmerge "app-emulation/vmware-player"
    </code>
    
    <p>NOTE: Users could upgrade to
      &gt;=app-emulation/vmware-player-3.1.5”, however these packages are
      not currently stable.
    </p>
    
    <p>Gentoo discontinued support for VMware Workstation. We recommend that
      users unmerge VMware Workstation:
    </p>
    
    <code>
      # emerge --unmerge "app-emulation/vmware-workstation"
    </code>
    
    <p>NOTE: Users could upgrade to
      &gt;=app-emulation/vmware-workstation-7.1.5”, however these packages
      are not currently stable.
    </p>
    
    <p>Gentoo discontinued support for VMware Server. We recommend that users
      unmerge VMware Server:
    </p>
    
    <code>
      # emerge --unmerge "app-emulation/vmware-server"
    </code>
  </resolution>
  <references>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5269">CVE-2007-5269</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5503 ">
      CVE-2007-5503 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5671 ">
      CVE-2007-5671 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0967 ">
      CVE-2008-0967 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1340 ">
      CVE-2008-1340 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1361 ">
      CVE-2008-1361 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1362 ">
      CVE-2008-1362 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1363 ">
      CVE-2008-1363 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1364 ">
      CVE-2008-1364 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1392 ">
      CVE-2008-1392 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447 ">
      CVE-2008-1447 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1806 ">
      CVE-2008-1806 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1807 ">
      CVE-2008-1807 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1808 ">
      CVE-2008-1808 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098 ">
      CVE-2008-2098 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2100 ">
      CVE-2008-2100 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2101 ">
      CVE-2008-2101 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4915 ">
      CVE-2008-4915 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4916 ">
      CVE-2008-4916 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4917 ">
      CVE-2008-4917 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040 ">
      CVE-2009-0040 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0909 ">
      CVE-2009-0909 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0910 ">
      CVE-2009-0910 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1244">CVE-2009-1244</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2267 ">
      CVE-2009-2267 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3707 ">
      CVE-2009-3707 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3732 ">
      CVE-2009-3732 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3733 ">
      CVE-2009-3733 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4811 ">
      CVE-2009-4811 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1137 ">
      CVE-2010-1137 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1138 ">
      CVE-2010-1138 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1139 ">
      CVE-2010-1139 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1140 ">
      CVE-2010-1140 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1141 ">
      CVE-2010-1141 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1142 ">
      CVE-2010-1142 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1143 ">
      CVE-2010-1143 
    </uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3868">CVE-2011-3868</uri>
  </references>
  <metadata tag="requester" timestamp="Fri, 07 Oct 2011 23:37:01 +0000">system</metadata>
  <metadata tag="submitter" timestamp="Sat, 29 Sep 2012 13:12:45 +0000">ackle</metadata>
</glsa>