=====================================================================
                                     CERT-Renater

                          Information Note No. 2007/VULN184
_____________________________________________________________________

DATE                      : 05/04/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running VMware ESX 3.0.1, VMware ESX 3.0.0.

======================================================================

-----------------------------------------------------------------------
                    VMware Security Advisory

Advisory ID:       VMSA-2007-0003
Synopsis:          VMware ESX 3.0.1 and 3.0.0 server security updates
Issue date:        2007-04-02
Updated on:        2007-04-02
CVE numbers:       CVE-2005-3011 CVE-2006-4810 CVE-2007-1270
                    CVE-2007-1271 CVE-2005-2096 CVE-2005-1849
                    CVE-2003-0107 CVE-2005-1704
-----------------------------------------------------------------------

1. Summary:

ESX 3.0.1 and 3.0.0 patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patches ESX-2559638, ESX-1161870, ESX-3416571,
ESX-5011126, ESX-7737432, ESX-7780490, ESX-8174018, ESX-8852210,
ESX-9617902, ESX-9916286

VMware ESX 3.0.0 without patches ESX-1121906, ESX-131737, ESX-1870154,
ESX-392718, ESX-4197945, ESX-4921691, ESX-5752668, ESX-7052426, ESX-3616065

3. Problem description:

Problems addressed by these patches:

a.   texinfo service console update

      Updated texinfo packages for the service console are now available;
      they fix two security vulnerabilities.  A buffer overflow in the
      texinfo program could allow a local user to execute arbitrary code in
      the service console via a crafted texinfo file.  A second issue could
      allow a local user to overwrite arbitrary files via a symlink attack
      on temporary files.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2005-3011 and CVE-2006-4810 to these
      issues.

      ESX 301 Download Patch ESX-2559638
      ESX 300 Download Patch ESX-1121906

b.   This bundle is a group of patches to resolve two possible security
      issues.

      They are as follows:
      A VMware internal security audit revealed a double free condition.
      It may be possible for an attacker to influence the operation of
      the system. In most circumstances, this influence will be limited
      to denial of service or information leakage, but it is
      theoretically possible for an attacker to insert arbitrary code
      into a running program. This code would be executed with the
      permissions of the vulnerable program.  There are no known exploits
      for this issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2007-1270 to this issue.

      A VMware internal security audit revealed a potential buffer
      overflow condition. There are no known exploits for this issue, but
      such a condition may be used to elevate privileges or to crash the
      application and thus cause a denial of service.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2007-1271 to this issue.

      The following patches are contained within this bundle:

      ESX 301                      ESX 300
      -------                      -------
      ESX-1161870                  ESX-131737
      ESX-3416571                  ESX-1870154
      ESX-5011126                  ESX-392718
      ESX-7737432                  ESX-4197945
      ESX-7780490                  ESX-4921691
      ESX-8174018                  ESX-5752668
      ESX-8852210                  ESX-7052426
      ESX-9617902                  ESX-9976400

      ESX 301 Download Patch Bundle ESX-6431040
      ESX 300 Download Patch Bundle ESX-5754280

c.   This patch updates internally used zlib libraries in order to
      address potential security issues with older versions of this
      library.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2005-2096, CVE-2005-1849, CVE-2003-0107
      to these issues.

      ESX 301 Download Patch ESX-9916286
      ESX 300 Download Patch ESX-3616065

d.  binutils service console update

      NOTE: This vulnerability and update only apply to ESX 3.0.0.

      An integer overflow in the Binary File Descriptor (BFD) library for
      the GNU Debugger before version 6.3, binutils, elfutils, and
      possibly other packages, allows user-assisted attackers to execute
      arbitrary code via a crafted object file that specifies a large
      number of section headers, leading to a heap-based buffer overflow.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2005-1704 to this issue.

      ESX 300 Download Patch ESX-55052

4. Solution:

Please review the Patch notes for your version of ESX and verify the
md5sum of your downloaded file.

   ESX 3.0.1
   http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
   md5sum 9ee9d9769dfe2668aa6a4be2df284ea6

   http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
   md5sum ef6bc745b3d556e0736fd39b8ddc8087

   http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
   md5sum 7b98cfe1b2e0613c368d4080dcacccb8

   ESX 3.0.0
   http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
   md5sum 8d45e36ec997707ebe68d84841026fef

   http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
   md5sum 02c5bcccea156dd0db93177e5e3fab8b

   http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
   md5sum 90e4face2edaab07080531a37a49ec01

   http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
   md5sum 82b3c7e18dd1422f30c4aa9e477c6a27
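The following script is an added example for the verification step above; it is not part of the VMware or CERT-Renater advisory. It takes the md5sums published in section 4 and checks a downloaded patch file against them before the patch is applied. The patch file names used in the usage comment are assumptions; only the patch ids and hashes come from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded ESX patch file
# against the md5sum published in section 4 of VMSA-2007-0003 before
# installing it.  Patch ids and hashes below are copied from the advisory;
# local file names are assumptions.

# Expected md5sums as listed in section 4.  Format: <patch id> <md5sum>
EXPECTED_MD5SUMS='
esx-2559638 9ee9d9769dfe2668aa6a4be2df284ea6
esx-6431040 ef6bc745b3d556e0736fd39b8ddc8087
esx-9916286 7b98cfe1b2e0613c368d4080dcacccb8
esx-55052   8d45e36ec997707ebe68d84841026fef
esx-1121906 02c5bcccea156dd0db93177e5e3fab8b
esx-3616065 90e4face2edaab07080531a37a49ec01
esx-5754280 82b3c7e18dd1422f30c4aa9e477c6a27
'

# expected_md5 <patch id>: print the advisory's md5sum for the given patch id;
# return 1 if the id is not in the table.
expected_md5() {
    printf '%s\n' "$EXPECTED_MD5SUMS" |
        awk -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }'
}

# verify_md5 <file> <expected md5sum>: compute the md5sum of <file> and
# compare it (case-insensitively) with <expected>.
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 2; }
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, advisory lists $expected" >&2
    return 1
}

# verify_patch <patch id> <file>: look up the advisory hash for <patch id>
# and verify <file> against it.  Returns 2 for an unknown patch id.
verify_patch() {
    exp=$(expected_md5 "$1") || { echo "ERROR: unknown patch id $1" >&2; return 2; }
    verify_md5 "$2" "$exp"
}

# Usage (the local file name is an assumption; the file is the one downloaded
# from the corresponding patch URL in section 4):
#   verify_patch esx-2559638 ./ESX-2559638.tgz
```

Apply the patch only when the function reports OK; a mismatch means the download is incomplete or has been altered and should be fetched again from the URL given in section 4. MD5 is what this advisory publishes, so it is the only checksum that can be compared here.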

5. References:

   ESX 3.0.1

Patch URL:http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
Knowledge base URL:http://kb.vmware.com/kb/2559638
Knowledge base URL:http://kb.vmware.com/kb/6431040
Knowledge base URL:http://kb.vmware.com/kb/9916286

   ESX 3.0.0

Patch URL:http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
Knowledge base URL:http://kb.vmware.com/kb/55052
Knowledge base URL:http://kb.vmware.com/kb/1121906
Knowledge base URL:http://kb.vmware.com/kb/3616065


   CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1704

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2007 VMware Inc. All rights reserved.

======================================================================

            =========================================================
            CERT-Renater reference servers
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================