
Debian Bug report logs - #706557
open-vm-tools: CVE-2013-3237


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 1 May 2013 14:57:01 UTC

Severity: important

Tags: patch, security

Found in version open-vm-tools/1:8.4.2-261024-1

Fixed in version open-vm-tools/2:9.2.2-893683-8

Done: Daniel Baumann <daniel.baumann@progress-technologies.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Baumann <mail@daniel-baumann.ch>:
Bug#706557; Package src:open-vm-tools. (Wed, 01 May 2013 14:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Baumann <mail@daniel-baumann.ch>. (Wed, 01 May 2013 14:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: open-vm-tools: CVE-2013-3237
Date: Wed, 01 May 2013 16:53:25 +0200
Source: open-vm-tools
Version: 1:8.4.2-261024-1
Severity: important
Tags: security patch

Hi

Recently Linux introduced VM Sockets. The following vulnerability was found,
which looks to also affect af_vsock.c in open-vm-tools:

CVE-2013-3237[0]:
| The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the
| Linux kernel before 3.9-rc7 does not initialize a certain length
| variable, which allows local users to obtain sensitive information
| from kernel stack memory via a crafted recvmsg or recvfrom system
| call.

The commit for linux against net/vmw_vsock/af_vsock.c is at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3237
    http://security-tracker.debian.org/tracker/CVE-2013-3237
[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d5e0d0f607a7a029c6563a0470d88255c89a8d11

Regards,
Salvatore
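The bug class described in the report above, shown as an added userspace model; this is not code from the Linux kernel, from open-vm-tools, or from the reporter. The generic socket layer hands the protocol's recvmsg handler an on-stack buffer for the peer address together with the msg_namelen the caller supplied, and afterwards copies msg_namelen bytes of that buffer back to user space. A stream-socket handler has no peer address to fill in; if it also never resets msg_namelen, the caller gets back whatever was already sitting on the kernel stack. The referenced kernel commit fixes this by having the handler set msg_namelen to 0. The struct and function names, the `fixed` flag and the 0x41 "stale stack" fill below are constructed for the model; the 128-byte buffer size matches sizeof(struct sockaddr_storage) on Linux.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* sizeof(struct sockaddr_storage): the on-stack address buffer that the
 * generic socket layer lends to the protocol's recvmsg handler. */
#define SOCKADDR_STORAGE_LEN 128

/* Minimal stand-in for the kernel msghdr fields that matter here (constructed). */
struct sim_msghdr {
    void   *msg_name;     /* points at the on-stack sockaddr buffer */
    size_t  msg_namelen;  /* starts out as whatever user space passed in */
};

/* Protocol-level handler, modelled on a stream socket's recvmsg().
 * Stream sockets carry no per-message peer address, so there is nothing
 * to write into msg_name. The vulnerable variant never touches
 * msg_namelen; the fixed variant reports "no address" by zeroing it. */
static void proto_recvmsg(struct sim_msghdr *msg, int fixed)
{
    if (fixed)
        msg->msg_namelen = 0;
}

/* Model of the generic socket layer: set up the kernel msghdr, call the
 * protocol handler, then copy msg_namelen bytes of the address buffer out
 * to the caller (move_addr_to_user in the real kernel).
 *
 * `stale_stack` stands in for whatever an earlier kernel code path left in
 * that stack slot; in the real kernel the buffer is simply uninitialised.
 * Returns the number of address bytes handed back to the caller. */
static size_t sim_recvmsg(size_t user_namelen, const uint8_t *stale_stack,
                          uint8_t *user_addr_out, int fixed)
{
    uint8_t addr[SOCKADDR_STORAGE_LEN];
    struct sim_msghdr msg;

    /* Simulated uninitialised stack: leftover bytes from a previous call. */
    memcpy(addr, stale_stack, sizeof addr);

    msg.msg_name = addr;
    /* The model clamps the caller's length so the copy stays in bounds;
     * the precondition for the bug is that the field is not zeroed. */
    msg.msg_namelen = user_namelen > SOCKADDR_STORAGE_LEN
                          ? SOCKADDR_STORAGE_LEN : user_namelen;

    proto_recvmsg(&msg, fixed);

    /* copy_to_user(user_addr, addr, msg.msg_namelen) */
    if (msg.msg_namelen)
        memcpy(user_addr_out, msg.msg_name, msg.msg_namelen);
    return msg.msg_namelen;
}

/* How many bytes of the stale stack fill does a caller who asks for
 * `user_namelen` address bytes get back? */
static size_t leaked_bytes(size_t user_namelen, int fixed)
{
    uint8_t stale[SOCKADDR_STORAGE_LEN];
    uint8_t out[SOCKADDR_STORAGE_LEN];
    size_t n, i, leaked = 0;

    memset(stale, 0x41, sizeof stale);  /* constructed "stale kernel data" */
    memset(out, 0, sizeof out);
    n = sim_recvmsg(user_namelen, stale, out, fixed);
    for (i = 0; i < n; i++)
        if (out[i] == 0x41)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable handler: %zu stale stack bytes returned\n",
           leaked_bytes(SOCKADDR_STORAGE_LEN, 0));
    printf("fixed handler:      %zu bytes returned\n",
           leaked_bytes(SOCKADDR_STORAGE_LEN, 1));
    return 0;
}
```

The model makes the audit rule for this bug class concrete: any recvmsg-style handler that does not produce an address must still write msg_namelen (typically 0), because the caller of the handler trusts that field as the length of a kernel-to-user copy.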



Marked as fixed in versions open-vm-tools/2:9.2.2-893683-8. Request was from Daniel Baumann <daniel.baumann@progress-technologies.net> to control@bugs.debian.org. (Fri, 03 May 2013 10:09:04 GMT)


Marked Bug as done. Request was from Daniel Baumann <daniel.baumann@progress-technologies.net> to control@bugs.debian.org. (Fri, 03 May 2013 10:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 03 May 2013 10:09:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Sep 2013 07:30:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:59:39 2019; Machine Name: buxtehude
