Bug 30770

Summary: open-vm-tools new security issue CVE-2022-31676
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, davidwhodgins, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: open-vm-tools-12.0.5-1.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-08-24 21:21:38 CEST
A security issue fixed upstream in open-vm-tools has been announced on August 23:
https://www.openwall.com/lists/oss-security/2022/08/23/3

The issue is fixed upstream in 12.1.0.

Mageia 8 is also affected.
David Walser 2022-08-24 21:21:48 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 12.1.0

Comment 1 David Walser 2022-08-24 21:30:15 CEST
Debian and Ubuntu have issued advisories for this today (August 24):
https://www.debian.org/security/2022/dsa-5215
https://ubuntu.com/security/notices/USN-5578-1
Comment 2 Lewis Smith 2022-08-26 20:25:22 CEST
David, this is a rare case where you are both the registered and a visibly active maintainer, so excuse my assigning it to you. You will re-assign it if you wish.

Assignee: bugsquad => luigiwalser

Comment 3 David Walser 2022-09-08 23:45:09 CEST
Fedora has issued an advisory for this today (September 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/
Comment 4 David Walser 2022-09-09 00:01:20 CEST
Advisory:
========================

Updated open-vm-tools packages fix security vulnerability:

A malicious actor with local non-administrative access to the Guest OS can
escalate privileges as a root user in the virtual machine (CVE-2022-31676).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/
========================

Updated packages in core/updates_testing:
========================
open-vm-tools-test-11.2.5-1.1.mga8
open-vm-tools-sdmp-11.2.5-1.1.mga8
open-vm-tools-desktop-11.2.5-1.1.mga8
open-vm-tools-devel-11.2.5-1.1.mga8
open-vm-tools-11.2.5-1.1.mga8

from open-vm-tools-11.2.5-1.1.mga8.src.rpm

Assignee: luigiwalser => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 12.1.0 => (none)
Severity: normal => critical
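
The check a Mageia 8 admin wants after the advisory above is whether every installed open-vm-tools subpackage is at or past the fixed build, which means comparing RPM version strings correctly rather than as plain text (1.1.mga8 must sort after 1.mga8, 12.1.0 after 11.2.5, 1.0~rc1 before 1.0). The script below is an added example and is not part of this bug report, the Mageia advisory or the open-vm-tools package: it reimplements rpm's rpmvercmp segment ordering in Python, compares epoch, then version, then release, and runs the result over constructed `rpm -q` output. The fixed NEVRs are the five listed in Comment 4; the sample output, the epoch handling and the function names (`rpmvercmp`, `parse_nevr`, `is_fixed`, `audit`) are this example's own assumptions.

```python
"""Check installed open-vm-tools builds against the fixed NEVRs from this advisory.
Added example, not part of bug 30770, the Mageia advisory or the package; version
ordering follows rpm's rpmvercmp rules and the rpm -q output below is constructed."""
import re

# Fixed Mageia 8 builds listed in Comment 4 of this bug.
FIXED_NEVRS = [
    "open-vm-tools-11.2.5-1.1.mga8",
    "open-vm-tools-desktop-11.2.5-1.1.mga8",
    "open-vm-tools-sdmp-11.2.5-1.1.mga8",
    "open-vm-tools-devel-11.2.5-1.1.mga8",
    "open-vm-tools-test-11.2.5-1.1.mga8",
]

# Constructed output of: rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' open-vm-tools ...
SAMPLE_RPM_Q = """\
open-vm-tools-11.2.5-1.mga8
open-vm-tools-desktop-11.2.5-1.1.mga8
open-vm-tools-sdmp-11.2.5-1.1.mga8
"""


def _skip_seps(s: str, k: int) -> int:
    while k < len(s) and not ((s[k].isascii() and s[k].isalnum()) or s[k] in "~^"):
        k += 1                                        # separators never take part in the ordering
    return k


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings the way rpm does; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _skip_seps(a, i), _skip_seps(b, j)
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:                                  # '~' sorts below everything, even end of string
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return 1 if tb else -1
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:                                  # '^' sorts above end of string, below anything else
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            if i >= len(a) or j >= len(b):
                return -1 if i >= len(a) else 1
            return 1 if cb else -1
        if i >= len(a) or j >= len(b):
            break
        pat = r"[0-9]+" if a[i].isdigit() else r"[A-Za-z]+"   # one all-digit or all-letter segment
        sa, mb = re.match(pat, a[i:]).group(0), re.match(pat, b[j:])
        if mb is None:
            return 1 if sa.isdigit() else -1          # mismatched kinds: the numeric segment wins
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if sa.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")   # 01 == 1; more significant digits win
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1                    # leftover segments win (1.0.1 > 1.0)


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.strip().rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def is_fixed(installed_nevr: str, fixed_nevr: str) -> bool:
    """True when the installed build is the fixed one or newer (epoch, then version, then release)."""
    name_i, *evr_i = parse_nevr(installed_nevr)
    name_f, *evr_f = parse_nevr(fixed_nevr)
    if name_i != name_f:
        raise ValueError(f"package mismatch: {name_i} vs {name_f}")
    if evr_i[0] != evr_f[0]:
        return evr_i[0] > evr_f[0]
    return (rpmvercmp(evr_i[1], evr_f[1]) or rpmvercmp(evr_i[2], evr_f[2])) >= 0


def audit(rpm_q_output: str, fixed_nevrs=FIXED_NEVRS) -> dict:
    """Map each installed advisory package to True (fixed) or False (still vulnerable)."""
    fixed = {parse_nevr(n)[0]: n for n in fixed_nevrs}
    result = {}
    for line in rpm_q_output.splitlines():
        if not line.strip() or line.startswith("package "):   # "package X is not installed"
            continue
        name = parse_nevr(line)[0]
        if name in fixed:
            result[name] = is_fixed(line, fixed[name])
    return result
```

On the sample input only open-vm-tools itself is still at 11.2.5-1.mga8, so `audit` reports it as not fixed while the desktop and sdmp subpackages pass; on a real host, pipe the `rpm -q` query format shown in the comment into `audit` instead of the constructed sample. Packages not in the advisory are ignored, and anything newer than the fixed build (for example a later Cauldron 12.x build) is accepted, since the comparison is "at or past", not "equal to".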

Comment 5 Thomas Andrews 2022-09-19 14:05:15 CEST
Tested in VirtualBox. I installed all the above packages except for the devel one, then updated using Qarepo. No installation issues.

Sought guidance from previous updates, and found Bug 20323. It was determined then that without a VMware installation, a clean update install over the older packages would be sufficient. So...

OKing and validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-09-20 22:23:33 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-09-21 20:16:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0342.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED