open-vm-tools: CVE-2014-4199 CVE-2014-4200

Related Vulnerabilities: CVE-2014-4199, CVE-2014-4200

Debian Bug report logs - #770809

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 24 Nov 2014 10:12:01 UTC

Severity: important

Tags: security

Fixed in version open-vm-tools/2:9.4.6-1770165-7

Done: Bernd Zeimetz <bzed@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#770809; Package open-vm-tools. (Mon, 24 Nov 2014 10:12:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bernd Zeimetz <bzed@debian.org>. (Mon, 24 Nov 2014 10:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: open-vm-tools: CVE-2014-4199 CVE-2014-4200
Date: Mon, 24 Nov 2014 11:05:49 +0100
Package: open-vm-tools
Severity: important
Tags: security

Hi,
please see http://seclists.org/fulldisclosure/2014/Aug/71 for the original report.

The affected script is shipped in open-vm-tools as /etc/vmware-tools/vm-support 

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#770809; Package open-vm-tools. (Sat, 29 Nov 2014 14:27:05 GMT)


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 29 Nov 2014 14:27:05 GMT)


Message #10 received at 770809@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 770809@bugs.debian.org
Subject: Re: Bug#770809: open-vm-tools: CVE-2014-4199 CVE-2014-4200
Date: Sat, 29 Nov 2014 15:23:54 +0100

CVE-2014-4200 fixed in Version: 2:9.4.6-1770165-1

root@zebedev001:/tmp# /etc/vmware-tools/vm-support

VMware UNIX Support Script 0.89
[...]
Creating tar archive...
Uploading archive to host...
Done, support data available in 'vm-2014-11-29.29391.tar.gz'.

root@zebedev001:/tmp# ls -la 'vm-2014-11-29.29391.tar.gz'
-rw------- 1 root root 2034216 Nov 29 15:01 vm-2014-11-29.29391.tar.gz
root@zebedev001:/tmp#


Unsafe file creation in /tmp will be fixed in the next upload.

thanks,

bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
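
Added example, not part of the bug log and not vm-support's own code: one way a support-collection script can avoid the "unsafe file creation in /tmp" mentioned above and produce an archive with the `-rw-------` mode checked in the transcript. The function names `make_workdir`, `write_archive` and `archive_is_private` are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from vm-support.

# Private scratch directory: mktemp -d picks an unpredictable name and
# creates it atomically with mode 0700, so nothing planted in /tmp under
# a guessable name is ever reused.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/vm-support.XXXXXXXXXX"
}

# Archive directory $1 into file $2. Runs in a subshell so the settings
# stay local: umask 077 gives the file mode 0600 from the moment it is
# created, and set -C (noclobber) makes '>' fail instead of truncating an
# existing file or writing through a symlink to a regular or missing file.
write_archive() (
    umask 077
    set -C
    tar -czf - -C "$1" . > "$2"
)

# The check done by eye with `ls -la` in the transcript: a regular file
# (not a symlink) whose mode is exactly -rw-------.
archive_is_private() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Demo on constructed data.
work=$(make_workdir) || exit 1
printf 'constructed sample log line\n' > "$work/messages"
out="$work.tar.gz"
write_archive "$work" "$out" && archive_is_private "$out" &&
    echo "archive created with mode 0600"
rm -rf "$work" "$out"
```

Setting the umask before the file is created matters: a `chmod` afterwards leaves a window in which the archive is readable with the default mode.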



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#770809; Package open-vm-tools. (Sat, 29 Nov 2014 15:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 29 Nov 2014 15:00:05 GMT)


Message #15 received at 770809@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bernd Zeimetz <bernd@bzed.de>, 770809@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#770809: open-vm-tools: CVE-2014-4199 CVE-2014-4200
Date: Sat, 29 Nov 2014 15:57:28 +0100

Hi Bernd,

On Sat, Nov 29, 2014 at 03:23:54PM +0100, Bernd Zeimetz wrote:
> CVE-2014-4200 fixed in Version: 2:9.4.6-1770165-1

FTR, it is marked as fixed already in the security-tracker at
https://security-tracker.debian.org/tracker/CVE-2014-4200 .

Thanks a lot for your work!

Regards,
Salvatore



Reply sent to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility. (Sat, 29 Nov 2014 17:06:11 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 29 Nov 2014 17:06:11 GMT)


Message #20 received at 770809-close@bugs.debian.org:

From: Bernd Zeimetz <bzed@debian.org>
To: 770809-close@bugs.debian.org
Subject: Bug#770809: fixed in open-vm-tools 2:9.4.6-1770165-7
Date: Sat, 29 Nov 2014 17:04:15 +0000
Source: open-vm-tools
Source-Version: 2:9.4.6-1770165-7

We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated open-vm-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 29 Nov 2014 15:57:20 +0100
Source: open-vm-tools
Binary: open-vm-tools open-vm-tools-desktop open-vm-tools-dev open-vm-tools-dbg open-vm-tools-dkms
Architecture: source amd64 all
Version: 2:9.4.6-1770165-7
Distribution: unstable
Urgency: medium
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Description:
 open-vm-tools - Open VMware Tools for virtual machines hosted on VMware (CLI)
 open-vm-tools-dbg - Open VMware Tools for virtual machines hosted on VMware (debug)
 open-vm-tools-desktop - Open VMware Tools for virtual machines hosted on VMware (GUI)
 open-vm-tools-dev - Open VMware Tools for virtual machines hosted on VMware (developm
 open-vm-tools-dkms - Open VMware Tools for virtual machines hosted on VMware (DKMS)
Closes: 770809
Changes:
 open-vm-tools (2:9.4.6-1770165-7) unstable; urgency=medium
 .
   * [8df5b4ac] Adding patch to fix CVE-2014-4199.
     Thanks to Moritz Muehlenhoff (Closes: #770809)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Jan 2015 07:25:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:10:19 2019; Machine Name: beach
