• [gentoo-announce] [ GLSA 202210-27 ] open-vm-tools: Local Privilege Esc

    From glsamaker@gentoo.org@21:1/5 to All on Mon Oct 31 03:00:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202210-27
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: open-vm-tools: Local Privilege Escalation
    Date: October 31, 2022
    Bugs: #866227
    ID: 202210-27

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in open-vm-tools which could allow
    for local privilege escalation.

    Background
    ==========

    open-vm-tools contains tools for VMware guests.

    Affected packages
    =================

    -------------------------------------------------------------------
     Package                      /   Vulnerable   /         Unaffected
    -------------------------------------------------------------------
     1  app-emulation/open-vm-tools    < 12.1.0               >= 12.1.0

    Description
    ===========

    A pipe accessible to unprivileged users in the VMware guest does not
    sufficiently sanitize input.

    Impact
    ======

    An unprivileged guest user could achieve root privileges within the
    guest.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All open-vm-tools users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/open-vm-tools-12.1.0"
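
    To find guests that still need this upgrade, the following added
    example (not part of the Gentoo advisory) classifies installed
    package atoms against the fixed version 12.1.0. The "host atom"
    inventory format, the hostnames and the function names are
    assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage an inventory against GLSA 202210-27.
PKG="app-emulation/open-vm-tools"   # package named in the advisory
FIXED="12.1.0"                      # first unaffected version per the advisory

# ver_lt A B: succeed if dotted numeric version A is lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not lower
    }'
}

# atom_status ATOM: classify a category/package-version string (the form
# used for directory names under /var/db/pkg) against the advisory.
atom_status() {
    case "$1" in
        "$PKG"-[0-9]*) ;;                  # the affected package
        *) echo other; return 0 ;;         # some other package
    esac
    ver=${1#"$PKG"-}                       # strip the package name
    ver=${ver%-r[0-9]*}                    # strip a Gentoo revision such as -r1
    case "$ver" in
        *[!0-9.]*) echo review; return 0 ;;  # _rc/_p suffixes need a manual look
    esac
    if ver_lt "$ver" "$FIXED"; then echo vulnerable; else echo unaffected; fi
}

# vulnerable_hosts: read "host atom" lines on stdin and print the hosts
# that still have an affected open-vm-tools installed.
vulnerable_hosts() {
    while read -r host atom; do
        if [ "$(atom_status "$atom")" = vulnerable ]; then echo "$host"; fi
    done
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE='web01 app-emulation/open-vm-tools-12.0.5
db01 app-emulation/open-vm-tools-12.1.0
build01 app-emulation/open-vm-tools-11.3.5-r1
ci01 app-emulation/open-vm-tools-12.1.5-r2
mail01 net-misc/openssh-9.0_p1'

printf '%s\n' "$SAMPLE" | vulnerable_hosts
```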

    References
    ==========

    [ 1 ] CVE-2022-31676
    https://nvd.nist.gov/vuln/detail/CVE-2022-31676
    [ 2 ] VMSA-2022-0024.1

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202210-27

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or, alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5