List:       oss-security
Subject:    Re: [oss-security] CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools
From:       Matthias Gerstner <mgerstner () suse ! de>
Date:       2023-11-27 9:01:16
Message-ID: ZWRa3EI5Oa-5621n () kasco ! suse ! de

Hi,

On Sun, Nov 26, 2023 at 11:38:50AM -0800, John Helmert III wrote:
> On Fri, Oct 27, 2023 at 11:57:46AM +0200, Matthias Gerstner wrote:
> > Hello list,
> > 
> > I want to share my full report for this finding, please find it below.
> > 
> > Introduction
> > ============
> > 
> > During a routine review of the setuid-root binary
> > "vmware-user-suid-wrapper" from the open-vm-tools [1] repository I
> > discovered the vulnerability described in this report. The version under
> > review was open-vm-tools version 12.2.0. The setuid-root binary's source
> > code in the open-vm-tools repository did not change since version 10.3.0
> > (released in 2018), however, so likely most current installations of
> > open-vm-tools are affected by this finding.
> 
> Hm, it looks like there *was* a commit to vmware-user-suid-wrapper
> that looks very similar to the patch that was linked in the original
> advisory mail:
> 
> https://github.com/vmware/open-vm-tools/commit/63f7c79c4aecb14d37cc4ce9da509419e31d394f
> 
> Was that fix insufficient, or maybe wasn't there when your mail was sent?

There seems to be a misunderstanding here. It seems I did not phrase that
properly. I did not mean to say that the issue is unfixed. As the
initial email from VMware states, there is a patch and bugfix release
available.

What I wanted to express is that all versions of open-vm-tools ranging
from 10.3.0 up until before the bugfix release are likely affected by
the issue.

Cheers

Matthias
