Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools

[Matthias Gerstner <mgerstner () suse de>]

Hi,

On Sun, Nov 26, 2023 at 11:38:50AM -0800, John Helmert III wrote:
> On Fri, Oct 27, 2023 at 11:57:46AM +0200, Matthias Gerstner wrote:
> > Hello list,
> >
> > I want to share my full report for this finding, please find it below.
> >
> > Introduction
> > ============
> >
> > During a routine review of the setuid-root binary
> > "vmware-user-suid-wrapper" from the open-vm-tools [1] repository I
> > discovered the vulnerability described in this report. The version under
> > review was open-vm-tools version 12.2.0. The setuid-root binary's source
> > code in the open-vm-tools repository did not change since version 10.3.0
> > (released in 2018), however, so likely most current installations of
> > open-vm-tools are affected by this finding.
>
> Hm, it looks like there *was* a commit to vmware-user-suid-wrapper
> that looks very similar to the patch that was linked in the original
> advisory mail:
>
> https://github.com/vmware/open-vm-tools/commit/63f7c79c4aecb14d37cc4ce9da509419e31d394f
>
> Was that fix insufficient, or maybe wasn't there when your mail was sent?

There seems to be a misunderstanding here. It seems I phrased that not
properly. I did not mean to say that the issue is unfixed. As the
initial email from VMware states there is a patch and bugfix release
available.

What I wanted to express is that all versions of open-vm-tools ranging
from 10.3.0 up until before the bugfix release are likely affected by
the issue.

Cheers

Matthias

Attachment: signature.asc
Description: