A security issue fixed upstream in open-vm-tools was announced on August 23:
https://www.openwall.com/lists/oss-security/2022/08/23/3

The issue is fixed upstream in 12.1.0. Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 12.1.0
Debian and Ubuntu have issued advisories for this today (August 24): https://www.debian.org/security/2022/dsa-5215 https://ubuntu.com/security/notices/USN-5578-1
David, this is a rare case where you are both the registered and a visibly active maintainer, so excuse my assigning it to you. You will re-assign it if you wish.
Assignee: bugsquad => luigiwalser
Fedora has issued an advisory for this today (September 8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/
Advisory:
========================

Updated open-vm-tools packages fix security vulnerability:

A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine (CVE-2022-31676).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/
========================

Updated packages in core/updates_testing:
========================
open-vm-tools-test-11.2.5-1.1.mga8
open-vm-tools-sdmp-11.2.5-1.1.mga8
open-vm-tools-desktop-11.2.5-1.1.mga8
open-vm-tools-devel-11.2.5-1.1.mga8
open-vm-tools-11.2.5-1.1.mga8

from open-vm-tools-11.2.5-1.1.mga8.src.rpm

Assignee: luigiwalser => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 12.1.0 => (none)
Severity: normal => critical
Tested in VirtualBox. I installed all the above packages except for the devel one, then updated using Qarepo. No installation issues. Sought guidance from previous updates, and found Bug 20323. It was determined then that without a VMware installation, a clean update install over the older packages would be sufficient. So... OKing and validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0342.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED