[Vmware-package-maintainers] Bug#484491: CVE-2008-2098: buffer overflow allows arbitrary code execution

Robert Edmonds edmonds at debian.org
Wed Jun 4 15:46:45 UTC 2008


severity 484491 normal
thanks

Steffen Joeris wrote:
> Package: vmware-package
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi
> 
> The following CVE[0] has been issued against vmware products.

hi,

vmware-package is a script which builds .debs from vmware tarballs; even
if vmware-package is updated in the debian archive, it is incumbent upon
individual sysadmins to download new tarballs from vmware.com and update
their installations, since the vmware-package package does not do any
automatic downloading/installation (indeed, one can install the
generated debs on systems which don't even have vmware-package
installed).

I will upload a vmware-package with updated hashes for these new point
releases shortly; in the meantime, the '-s' option to make-vmpkg will
(probably, I haven't tested; but all vmware point releases so far have
not introduced changes requiring more advanced updates than updating the
hashes at the beginning of the make-vmpkg script) build .debs from the
new vmware tarballs.

-- 
Robert Edmonds
edmonds at debian.org