Bug 30770 - open-vm-tools new security issue CVE-2022-31676
Summary: open-vm-tools new security issue CVE-2022-31676
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-24 21:21 CEST by David Walser
Modified: 2022-09-21 20:16 CEST (History)
3 users

See Also:
Source RPM: open-vm-tools-12.0.5-1.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-08-24 21:21:38 CEST
A security issue fixed upstream in open-vm-tools has been announced on August 23:
https://www.openwall.com/lists/oss-security/2022/08/23/3

The issue is fixed upstream in 12.1.0.

Mageia 8 is also affected.
David Walser 2022-08-24 21:21:48 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 12.1.0

Comment 1 David Walser 2022-08-24 21:30:15 CEST
Debian and Ubuntu have issued advisories for this today (August 24):
https://www.debian.org/security/2022/dsa-5215
https://ubuntu.com/security/notices/USN-5578-1
Comment 2 Lewis Smith 2022-08-26 20:25:22 CEST
David, this is a rare case where you are both the registered and the visibly active maintainer, so excuse assigning it to you. You can re-assign it if you wish.

Assignee: bugsquad => luigiwalser

Comment 3 David Walser 2022-09-08 23:45:09 CEST
Fedora has issued an advisory for this today (September 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/
Comment 4 David Walser 2022-09-09 00:01:20 CEST
Advisory:
========================

Updated open-vm-tools packages fix security vulnerability:

A malicious actor with local non-administrative access to the Guest OS can
escalate privileges as a root user in the virtual machine (CVE-2022-31676).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/
========================

Updated packages in core/updates_testing:
========================
open-vm-tools-test-11.2.5-1.1.mga8
open-vm-tools-sdmp-11.2.5-1.1.mga8
open-vm-tools-desktop-11.2.5-1.1.mga8
open-vm-tools-devel-11.2.5-1.1.mga8
open-vm-tools-11.2.5-1.1.mga8

from open-vm-tools-11.2.5-1.1.mga8.src.rpm

Assignee: luigiwalser => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 12.1.0 => (none)
Severity: normal => critical

Comment 5 Thomas Andrews 2022-09-19 14:05:15 CEST
Tested in VirtualBox. I installed all the above packages except for the devel one, then updated using Qarepo. No installation issues.

Sought guidance from previous updates, and found Bug 20323. It was determined then that without a VMware installation, a clean update install over the older packages would be sufficient. So...

OKing and validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-09-20 22:23:33 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-09-21 20:16:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0342.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
