openSUSE has issued an advisory on February 18: https://lists.opensuse.org/opensuse-updates/2017-02/msg00088.html The issue appears to be fixed upstream in 10.1.0. Freeze push requested for Cauldron.
open-vm-tools-10.1.0-1.mga6 uploaded for Cauldron.
Status: NEW => RESOLVEDResolution: (none) => FIXED
Apparently this wasn't fixed, as it was announced again, with a new patch: http://openwall.com/lists/oss-security/2017/07/24/3 I synced the patch into SVN from Fedora, who just added it themselves. Even though we (and Fedora) don't have PrivateTmp enabled (and I'm not sure why), since we have protected_symlinks enabled in the kernel, this shouldn't be much of an issue. We can include the patch in any future updates.
Resolution: FIXED => (none)Version: Cauldron => 6Source RPM: open-vm-tools-10.0.5-2.mga6.src.rpm => open-vm-tools-10.1.5-2.mga6.src.rpmStatus: RESOLVED => REOPENED
Fedora advisory from today (July 26) for this: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3QIKOPGHT5CTPEKNYZDCSQ6O5CAOJHBO/
Assignee: bugsquad => luigiwalserCC: (none) => marja11
pushed in updates_testing ( it was already fixed in svn ). src.rpm: open-vm-tools-10.1.5-2.1.mga6
Assignee: luigiwalser => qa-bugsCC: (none) => mageia
No it wasn't fixed. That's why I reopened the bug.
Assignee: qa-bugs => luigiwalser
Sorry Nicolas, I think I confused both of us with this bug report. I hadn't pushed this update since it's not *really* a security issue for us (because of protected_symlinks), so I just wanted to include the patch in SVN for any future update. I think we can hang onto this one for now and hold it until later. If you really want to push the update, the package list is: open-vm-tools-10.1.5-2.1.mga6 open-vm-tools-desktop-10.1.5-2.1.mga6 open-vm-tools-devel-10.1.5-2.1.mga6
i think this is saner to push it, we will handle other real sec issues later ( if some are open ;) ).
Assignee: luigiwalser => qa-bugs
Advisory: ======================== Updated open-vm-tools packages fix security vulnerability: It was discovered that open-vm-tools has multiple /tmp race conditions in the libDeployPkg component, allowing an unprivileged local user in a guest to cause a denial of service through file system manipulation, or, possibly, increase privileges (CVE-2015-5191). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3QIKOPGHT5CTPEKNYZDCSQ6O5CAOJHBO/ ======================== Updated packages in core/updates_testing: ======================== open-vm-tools-10.1.5-2.1.mga6 open-vm-tools-desktop-10.1.5-2.1.mga6 open-vm-tools-devel-10.1.5-2.1.mga6 from open-vm-tools-10.1.5-2.1.mga6.src.rpm
M6/64 Installing the issued packages: open-vm-tools-10.1.5-2.mga6 open-vm-tools-desktop-10.1.5-2.mga6 Programs that come with open-vm-tools: VGAuthService, vm-support, vmhgfs-fuse, vmtoolsd, vmware-checkvm, vmware-guestproxycerttool, vmware-hgfsclient, vmware-namespace-cmd, vmware-rpctool, vmware-toolbox-cmd, vmware-vgauth-cmd, vmware-xferlogs and open-vm-tools-desktop: vmware-user-suid-wrapper, vmware-vmblock-fuse all in /usr/bin/ and NO man pages. Some commands have -h help. I simply tried each command in turn mostly without parameters. $ VGAuthService [various Messages & WARNINGs] exiting $ vm-support VMware UNIX Support Script 0.92 Please re-run this program as root. $ vmhgfs-fuse Segmentation fault (core dumped) $ vmtoolsd $ vmware-checkvm Not running in a virtual machine. $ vmware-guestproxycerttool $ vmware-hgfsclient $ vmware-namespace-cmd Usage: [a lot of usage info] $ vmware-rpctool rpctool syntax: rpctool <text> $ vmware-rpctool 'some text' Failed sending message to VMware. $ vmware-toolbox-cmd vmware-toolbox-cmd must be run inside a virtual machine. $ vmware-vgauth-cmd Usage: [a lot of usage info] $ vmware-xferlogs $ vmware-user-suid-wrapper vmware-user: could not open /proc/fs/vmblock/dev $ vmware-vmblock-fuse fuse: missing mountpoint parameter # vm-support [the crash of vmhgfs-fuse ?] VMware UNIX Support Script 0.92 Collecting support information... Creating tar archive... tar: Removing leading `/' from member names Uploading archive to host... /usr/bin/vm-support: line 379: 25442 Segmentation fault (core dumped) vmware-xferlogs enc $TARFILE 2> /dev/null Could not transmit logs successfully: either the vmware-xferlogs binary is not in the path, or you are not in a virtual machine. Done, support data available in 'vm-2017-09-12.24971.tar.gz'. ---------------- Then updated to: open-vm-tools-10.1.5-2.1.mga6 open-vm-tools-desktop-10.1.5-2.1.mga6 and re-ran the whole lot. The output was *identical* apart from numbers in a couple of lines from vm-support, of no consequence. ------------- vmhgfs-fuse which crashed with no parameters gave lots of info with: $ vmhgfs-fuse -h of which I tried one, after the update only: $ vmhgfs-fuse -e vmhgfs-fuse: 0 - HGFS FUSE client enabled so it is a bug that it crashes with no parameters. vm-support: unsure of what seems to be its own crash, because it seems to carry on. Unless someone can do better, we may have to OK this on the basis of no evident superficial change due to the update. 2 crashes included!
CC: (none) => lewyssmith
Keywords: (none) => advisory
Do we need an update for open-vm-tools-9.4.6-2.mga5 too?
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #10) > Do we need an update for open-vm-tools-9.4.6-2.mga5 too? No.
@ Dave H Can we OK this for 64-bit on the basis of my feeble test in comment 9, which was a little better than just 'clean update'? Nothing else is happening. If you agree, please OK & validate it.
@Lewis When I first looked at this some weeks ago it looked like we could not do much without a VMware installation and your tests bear this out. It is unlikely that anybody else could get further with this so it should be sent on its way. And, agreed, a command which crashes when it receives no arguments should handle this situation cleanly by issuing a help message or at least a reprimand.
CC: (none) => tarazed25
Agreed. Validating the update based on clean update.
Whiteboard: (none) => MGA6-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0354.html
Status: REOPENED => RESOLVEDResolution: (none) => FIXED