open-vm-tools: CVE-2022-31676: local privilege escalation

Related Vulnerabilities: CVE-2022-31676  

Debian Bug report logs - #1018012


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 24 Aug 2022 07:21:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions open-vm-tools/2:10.3.10-1+deb10u2, open-vm-tools/2:12.0.5-2, open-vm-tools/2:10.3.10-1, open-vm-tools/2:11.2.5-2

Fixed in version open-vm-tools/2:12.1.0-1

Done: Bernd Zeimetz <bzed@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1018012; Package src:open-vm-tools. (Wed, 24 Aug 2022 07:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>. (Wed, 24 Aug 2022 07:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: open-vm-tools: CVE-2022-31676: local privilege escalation
Date: Wed, 24 Aug 2022 09:18:56 +0200
Source: open-vm-tools
Version: 2:12.0.5-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for open-vm-tools.

CVE-2022-31676[0]:
| VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege
| escalation vulnerability. A malicious actor with local non-
| administrative access to the Guest OS can escalate privileges as a
| root user in the virtual machine.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31676
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
[1] https://www.vmware.com/security/advisories/VMSA-2022-0024.html
[2] https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions open-vm-tools/2:10.3.10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 Aug 2022 07:30:03 GMT)


Marked as found in versions open-vm-tools/2:10.3.10-1+deb10u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 Aug 2022 07:30:03 GMT)


Marked as found in versions open-vm-tools/2:11.2.5-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 Aug 2022 07:30:04 GMT)


Reply sent to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility. (Wed, 24 Aug 2022 08:39:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 24 Aug 2022 08:39:10 GMT)


Message #16 received at 1018012-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1018012-close@bugs.debian.org
Subject: Bug#1018012: fixed in open-vm-tools 2:12.1.0-1
Date: Wed, 24 Aug 2022 08:37:12 +0000
Source: open-vm-tools
Source-Version: 2:12.1.0-1
Done: Bernd Zeimetz <bzed@debian.org>

We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1018012@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated open-vm-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 24 Aug 2022 09:49:58 +0200
Source: open-vm-tools
Architecture: source
Version: 2:12.1.0-1
Distribution: unstable
Urgency: high
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Closes: 1018012
Changes:
 open-vm-tools (2:12.1.0-1) unstable; urgency=high
 .
   * [e704b2c] New upstream version 12.1.0
     Closes: #1018012 / CVE-2022-31676
   * [f9048c4] Remove patches applied upstream




Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1018012; Package src:open-vm-tools. (Wed, 24 Aug 2022 08:48:04 GMT)


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Wed, 24 Aug 2022 08:48:04 GMT)


Message #21 received at 1018012@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 1018012@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#1018012: open-vm-tools: CVE-2022-31676: local privilege escalation
Date: Wed, 24 Aug 2022 10:40:03 +0200
Hi security team,

I've prepared uploads for bullseye and buster, diffs are attached.
CI is also happy:
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines

Is it okay to upload to *-security?

Thanks,

Bernd

On Wed, 2022-08-24 at 09:18 +0200, Salvatore Bonaccorso wrote:
> Source: open-vm-tools
> Version: 2:12.0.5-2
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for open-vm-tools.
> 
> CVE-2022-31676[0]:
> > VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege
> > escalation vulnerability. A malicious actor with local non-
> > administrative access to the Guest OS can escalate privileges as a
> > root user in the virtual machine.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31676
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
> [1] https://www.vmware.com/security/advisories/VMSA-2022-0024.html
> [2] https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

[bullseye.diff (text/x-patch, attachment)]
[buster.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#1018012; Package src:open-vm-tools. (Wed, 24 Aug 2022 10:45:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Wed, 24 Aug 2022 10:45:06 GMT)


Message #26 received at 1018012@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bernd Zeimetz <bernd@bzed.de>, 1018012@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#1018012: open-vm-tools: CVE-2022-31676: local privilege escalation
Date: Wed, 24 Aug 2022 12:42:27 +0200
Hi Bernd,

On Wed, Aug 24, 2022 at 10:40:03AM +0200, Bernd Zeimetz wrote:
> Hi security team,
> 
> I've prepared uploads for bullseye and buster, diffs are attached.
> CI is also happy:
> https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines
> 
> Is it okay to upload to *-security?

Thanks for preparing the update. bullseye-security one looks good to
me, so please feel free to upload this one to security-master
(remember to build with -sa).

For buster-security, can I route you to the LTS team?

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Aug 24 13:19:12 2022; Machine Name: bembo
