-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2007-0002 Synopsis: VMware ESX server security updates Issue date: 2007-03-29 Updated on: 2007-03-29 CVE numbers: CVE-2006-3739 CVE-2006-3740 CVE-2006-6097 CVE-2006-4334 CVE-2006-4338 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 - ------------------------------------------------------------------- 1. Summary: Updated ESX Patches address several security issues. 2. Relevant releases: VMware ESX 3.0.1 without patches ESX-5031800, ESX-5885387, ESX-6856573 VMware ESX 3.0.0 without patches ESX-3003211, ESX-3194055, ESX-3496682 VMware ESX 2.5.4 prior to upgrade patch 5 (Build# 39751) VMware ESX 2.5.3 prior to upgrade patch 8 (Build# 39683) VMware ESX 2.1.3 prior to upgrade patch 5 (Build# 39687) VMware ESX 2.0.2 prior to upgrade patch 5 (Build# 39682) 3. Problem description: Problems addressed by these patches: a. XFree86 update (CVE-2006-3739, CVE-2006-3740): ESX 3.0.1: does not have this problem ESX 3.0.0: does not have this problem ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751) ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683) ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687) ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682) A security issue with integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server may allow local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics, which could lead to a heap-based buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-3739 to this issue. A security issue with integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server may allow local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-3740 to this issue. b. GNU tar update (CVE-2006-6097): ESX 3.0.1: corrected by patch ESX-5031800 ESX 3.0.0: corrected by patch ESX-3003211 ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751) ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683) ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687) ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682) A security issue with GNU tar 1.16 and 1.15.1, and possibly other versions, may be able to trick tar into creating and following a symbolic link, potentially overwriting files. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-6097 to this issue. c. GNU gzip update (CVE-2006-4334, CVE-2006-4338, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337) ESX 3.0.1: corrected by patch ESX-5885387 ESX 3.0.0: corrected by patch ESX-3194055 ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751) ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683) ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687) ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682) Tavis Ormandy of the Google Security Team discovered several denial of service flaws and code execution flaws in the way gzip expanded archive files. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2006-4334, CVE-2006-4338, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337 to this issue. d. VMware update to protect against guest kernel memory corruption and possible denial of service in the guest OS. Including syscall instruction handling and unexpected panic message in 64-bit virtual machines. ESX 3.0.1: corrected by patch ESX-6856573 ESX 3.0.0: corrected by patch ESX-3496682 ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751) ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683) ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687) ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682) 4. Solution: Please review the Patch notes for your version of ESX and verify the md5sum of your downloaded file. ESX 3.0.1 http://www.vmware.com/support/vi3/doc/esx-5031800-patch.html md5sum c266474de27c569631b93bf566ad74f2 ESX-5031800.tgz http://www.vmware.com/support/vi3/doc/esx-5885387-patch.html md5sum 423e29b266f0d3181f2211dc6679b63e ESX-5885387.tgz http://www.vmware.com/support/vi3/doc/esx-6856573-patch.html md5sum 16bb030929bb005fe26c09f637cb9cd8 ESX-6856573.tgz ESX 3.0.0 http://www.vmware.com/support/vi3/doc/esx-3003211-patch.html md5sum 846fb515a9786646dc886cef8f09eac0 ESX-3003211.tgz http://www.vmware.com/support/vi3/doc/esx-3194055-patch.html md5sum db07e1cc41b715209034f15910c9847f ESX-3194055.tgz http://www.vmware.com/support/vi3/doc/esx-3496682-patch.html md5sum 929c6830a4cdc939b0b2a35e83e3b1ac ESX-3496682.tgz ESX 2.5.4 http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html md5sum: 70006981fcdc6708bc08515400855a68 ESX 2.5.3 http://www.vmware.com/support/esx25/doc/esx-253-200702-patch.html md5sum: 19b874bf983b176dc3fc733325e807dc ESX 2.1.3 http://www.vmware.com/support/esx21/doc/esx-213-200702-patch.html md5sum: c74b64a4f936f605e98eada10a3fc1ae ESX 2.0.2 http://www.vmware.com/support/esx2/doc/esx-202-200702-patch.html md5sum: 23258490ad68bc3fe94c7cd30fc1aee2 5. References: Patch URL:http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html Patch URL:http://www.vmware.com/support/esx25/doc/esx-253-200702-patch.html Patch URL:http://www.vmware.com/support/esx21/doc/esx-213-200702-patch.html Patch URL:http://www.vmware.com/support/esx2/doc/esx-202-200702-patch.html Patch URL:http://www.vmware.com/support/vi3/doc/esx-5031800-patch.html Patch URL:http://www.vmware.com/support/vi3/doc/esx-5885387-patch.html Patch URL:http://www.vmware.com/support/vi3/doc/esx-6856573-patch.html Patch URL:http://www.vmware.com/support/vi3/doc/esx-3003211-patch.html Patch URL:http://www.vmware.com/support/vi3/doc/esx-3194055-patch.html Patch URL:http://www.vmware.com/support/vi3/doc/esx-3496682-patch.html Knowledge base URL:http://kb.vmware.com/kb/5031800 Knowledge base URL:http://kb.vmware.com/kb/5885387 Knowledge base URL:http://kb.vmware.com/kb/6856573 Knowledge base URL:http://kb.vmware.com/kb/3003211 Knowledge base URL:http://kb.vmware.com/kb/3194055 Knowledge base URL:http://kb.vmware.com/kb/3496682 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337 6. Contact: E-mail: security@vmware.com http://www.vmware.com/security VMware Security Response Policy http://www.vmware.com/vmtn/technology/security/security_response.html Copyright 2007 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGDHdX6KjQhy2pPmkRCLoBAJ9bOZkAxTsq6cJxQeZee471nNxWzQCfanj3 boDofxC/Ruj17vUFQbPGj5c= =CABd -----END PGP SIGNATURE-----