Bug 20323

Summary: open-vm-tools new security issue CVE-2015-5191
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, mageia, marja11, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: open-vm-tools-10.1.5-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-02-20 01:11:25 CET 
openSUSE has issued an advisory on February 18:
https://lists.opensuse.org/opensuse-updates/2017-02/msg00088.html

The issue appears to be fixed upstream in 10.1.0.

Freeze push requested for Cauldron.
Comment 1 David Walser 2017-02-20 13:06:14 CET 
open-vm-tools-10.1.0-1.mga6 uploaded for Cauldron.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 2 David Walser 2017-07-26 13:11:15 CEST 
Apparently this wasn't fixed, as it was announced again, with a new patch:
http://openwall.com/lists/oss-security/2017/07/24/3

I synced the patch into SVN from Fedora, who just added it themselves.

Even though we (and Fedora) don't have PrivateTmp enabled (and I'm not sure why), since we have protected_symlinks enabled in the kernel, this shouldn't be much of an issue.  We can include the patch in any future updates.

Resolution: FIXED => (none)
Version: Cauldron => 6
Source RPM: open-vm-tools-10.0.5-2.mga6.src.rpm => open-vm-tools-10.1.5-2.mga6.src.rpm
Status: RESOLVED => REOPENED

Marja Van Waes 2017-07-29 23:53:02 CEST

Assignee: bugsquad => luigiwalser
CC: (none) => marja11

Comment 4 Nicolas Lécureuil 2017-08-12 22:45:42 CEST 
pushed in updates_testing ( it was already fixed in svn ).

src.rpm:
        open-vm-tools-10.1.5-2.1.mga6

Assignee: luigiwalser => qa-bugs
CC: (none) => mageia

Comment 5 David Walser 2017-08-12 23:22:26 CEST 
No it wasn't fixed.  That's why I reopened the bug.

Assignee: qa-bugs => luigiwalser

Comment 6 David Walser 2017-08-14 00:43:57 CEST 
Sorry Nicolas, I think I confused both of us with this bug report.

I hadn't pushed this update since it's not *really* a security issue for us (because of protected_symlinks), so I just wanted to include the patch in SVN for any future update.  I think we can hang onto this one for now and hold it until later.

If you really want to push the update, the package list is:
open-vm-tools-10.1.5-2.1.mga6
open-vm-tools-desktop-10.1.5-2.1.mga6
open-vm-tools-devel-10.1.5-2.1.mga6
Comment 7 Nicolas Lécureuil 2017-08-14 00:56:51 CEST 
i think this is saner to push it, we will handle other real sec issues later ( if some are open ;) ).
Nicolas Lécureuil 2017-08-20 00:30:28 CEST

Assignee: luigiwalser => qa-bugs

Comment 8 David Walser 2017-08-20 00:40:12 CEST 
Advisory:
========================

Updated open-vm-tools packages fix security vulnerability:

It was discovered that open-vm-tools has multiple /tmp race conditions in the
libDeployPkg component, allowing an unprivileged local user in a guest to cause
a denial of service through file system manipulation, or, possibly, increase
privileges (CVE-2015-5191).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3QIKOPGHT5CTPEKNYZDCSQ6O5CAOJHBO/
========================

Updated packages in core/updates_testing:
========================
open-vm-tools-10.1.5-2.1.mga6
open-vm-tools-desktop-10.1.5-2.1.mga6
open-vm-tools-devel-10.1.5-2.1.mga6

from open-vm-tools-10.1.5-2.1.mga6.src.rpm
Comment 9 Lewis Smith 2017-09-12 11:43:07 CEST 
M6/64

Installing the issued packages:
 open-vm-tools-10.1.5-2.mga6
 open-vm-tools-desktop-10.1.5-2.mga6
Programs that come with open-vm-tools:
VGAuthService, vm-support, vmhgfs-fuse, vmtoolsd,  vmware-checkvm,
vmware-guestproxycerttool, vmware-hgfsclient, vmware-namespace-cmd,
vmware-rpctool, vmware-toolbox-cmd, vmware-vgauth-cmd, vmware-xferlogs
 and open-vm-tools-desktop:
vmware-user-suid-wrapper, vmware-vmblock-fuse
 all in /usr/bin/ and NO man pages. Some commands have -h help.

I simply tried each command in turn mostly without parameters.

 $ VGAuthService
[various Messages & WARNINGs]
exiting
 $ vm-support
VMware UNIX Support Script 0.92
Please re-run this program as root.
 $ vmhgfs-fuse
Segmentation fault (core dumped)
 $ vmtoolsd
 $ vmware-checkvm
Not running in a virtual machine.
 $ vmware-guestproxycerttool
 $ vmware-hgfsclient
 $ vmware-namespace-cmd
Usage: [a lot of usage info]
 $ vmware-rpctool
rpctool syntax:
  rpctool <text>
 $ vmware-rpctool 'some text'
Failed sending message to VMware.
 $ vmware-toolbox-cmd
vmware-toolbox-cmd must be run inside a virtual machine.
 $ vmware-vgauth-cmd
Usage: [a lot of usage info]
 $ vmware-xferlogs
 $ vmware-user-suid-wrapper
vmware-user: could not open /proc/fs/vmblock/dev
 $ vmware-vmblock-fuse
fuse: missing mountpoint parameter
 # vm-support                   [the crash of vmhgfs-fuse ?]
VMware UNIX Support Script 0.92
Collecting support information...
Creating tar archive...
tar: Removing leading `/' from member names
Uploading archive to host...
/usr/bin/vm-support: line 379: 25442  Segmentation fault      (core dumped) vmware-xferlogs enc $TARFILE 2> /dev/null
Could not transmit logs successfully: either the vmware-xferlogs
binary is not in the path, or you are not in a virtual machine.
Done, support data available in 'vm-2017-09-12.24971.tar.gz'.
----------------
Then updated to:
 open-vm-tools-10.1.5-2.1.mga6
 open-vm-tools-desktop-10.1.5-2.1.mga6
and re-ran the whole lot. The output was *identical* apart from numbers in a couple of lines from vm-support, of no consequence.
-------------
vmhgfs-fuse which crashed with no parameters gave lots of info with:
 $ vmhgfs-fuse -h
of which I tried one, after the update only:
 $ vmhgfs-fuse -e
vmhgfs-fuse: 0 - HGFS FUSE client enabled
 so it is a bug that it crashes with no parameters.

vm-support:
unsure of what seems to be its own crash, because it seems to carry on.

Unless someone can do better, we may have to OK this on the basis of no evident superficial change due to the update. 2 crashes included!

CC: (none) => lewyssmith

Lewis Smith 2017-09-12 11:55:12 CEST

Keywords: (none) => advisory

Comment 10 Dave Hodgins 2017-09-12 13:35:11 CEST 
Do we need an update for open-vm-tools-9.4.6-2.mga5 too?

CC: (none) => davidwhodgins

Comment 11 David Walser 2017-09-12 15:00:15 CEST 
(In reply to Dave Hodgins from comment #10)
> Do we need an update for open-vm-tools-9.4.6-2.mga5 too?

No.
Comment 12 Lewis Smith 2017-09-20 09:57:40 CEST 
@ Dave H
Can we OK this for 64-bit on the basis of my feeble test in comment 9, which was a little better than just 'clean update'? Nothing else is happening.
If you agree, please OK & validate it.
Comment 13 Len Lawrence 2017-09-21 19:40:08 CEST 
@Lewis
When I first looked at this some weeks ago it looked like we could not do much without a VMware installation and your tests bear this out.  It is unlikely that anybody else could get further with this so it should be sent on its way.

And, agreed, a command which crashes when it receives no arguments should handle this situation cleanly by issuing a help message or at least a reprimand.

CC: (none) => tarazed25

Comment 14 Dave Hodgins 2017-09-21 22:06:21 CEST 
Agreed. Validating the update based on clean update.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2017-10-05 22:09:49 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0354.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED