This advisory was made on 06/21/99 and was to be released on 06/28/99 (or after a fix was released). We would like to recognize the VMware staff and their responsiveness to the bug reports. Last night, customers who purchased their product received notices to upgrade to VMware v1.0.2.

For more information on the VMware bugs, visit:

http://www.vmware.com/news/security.html
http://www.cyberspace2000.com/security/advisories

-Don Sausa

----------[asylum security]------------
id: #99021, team director
e-mail: don@cyberspace2000.com
web: http://cyberspace2000.com/security
---------------------------------------

Team Asylum Security
Copyright (c) 1999 By CyberSpace 2000
http://www.cyberspace2000.com/security

Source: Seth L. [seth@cyberspace2000.com]
Advisory Date: 06/21/99
Release Date: 06/28/99 [ Final Revision: 06/25/99 ]

Affected
--------
VMware v1.0.1 and earlier for Linux.

Product Description
-------------------
VMware v1.0.1 is a software product by VMware, Inc. that creates a virtual machine in which you can install multiple operating systems without repartitioning or formatting your hard drive.

Vulnerability Summary
---------------------
Team Asylum has found multiple buffer overflows existing in VMware v1.0.1 for Linux. Earlier versions also have the same buffer overflows. VMware Inc. has been notified of these overflows and they have released VMware v1.0.2 as a fix. Any local user can exploit these overflows to gain root access.

Fix
---
All users are encouraged to upgrade to VMware v1.0.2. You may download it directly off http://www.vmware.com.

Special Thanks
--------------
Special thanks to VMware staff for responding quickly to our bug reports. Within 3 days, they have managed to fix the overflows, as well as stop the physical distribution of their v1.0.1 product. All customers who have purchased VMware have been notified as of 06/25/99 12:00 midnight (PST) about the new VMware v1.0.2 version.