Oh, man
2005-02-17 20:01:24
From Gentoo's security advisory:
Synopsis
VMware may load shared libraries from an untrusted, world-writable directory, resulting in the execution of arbitrary code.

2. Impact Information

Background
VMware Workstation is a powerful virtual machine for developers and system administrators.

Description
Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered that VMware Workstation searches for gdk-pixbuf loadable modules in an untrusted, world-writable directory.

Impact
A local attacker could create a malicious shared object that would be loaded by VMware, resulting in the execution of arbitrary code with the privileges of the user running VMware.

3. Resolution Information

Workaround
The system administrator may create the file /tmp/rrdharan to prevent malicious users from creating a directory at that location.
And sure enough, a quick Google for VMware and rrdharan turns up the guy's profile on their support forums, where he's listed as a developer. I'd laugh, but this just makes me paranoid about what I might miss...
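A defender-side check for the condition the advisory describes, added here as an example (it is not from Gentoo's advisory or from VMware): it walks a module directory path and reports the first component that another local user could create or fill. The function name, the trusted-uid default and the `root` parameter are assumptions of this example, and it looks only at ownership and the world-write and sticky bits.

```python
import os
import stat
import sys


def audit_module_dir(path, trusted_uids=None, root="/"):
    """Return (component, reason) for the first part of `path` that a local
    user outside `trusted_uids` could create or fill, else None.
    Only `root` and the components below it are inspected."""
    trusted = set(trusted_uids) if trusted_uids else {0, os.getuid()}
    root, path = os.path.realpath(root), os.path.realpath(path)
    chain = [root]
    rel = os.path.relpath(path, root)
    if rel != ".":
        for name in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], name))
    parent_writable = False
    for current in chain:
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            # The sticky bit does not stop anyone creating a new entry.
            if parent_writable:
                return current, "missing; any local user can create it"
            return None
        if st.st_uid not in trusted:
            return current, "owned by untrusted uid %d" % st.st_uid
        if not stat.S_ISDIR(st.st_mode):
            # A trusted placeholder file (the advisory's workaround):
            # no directory can be created here, so nothing loads from it.
            return None
        world_writable = bool(st.st_mode & stat.S_IWOTH)
        sticky = bool(st.st_mode & stat.S_ISVTX)
        # A sticky parent such as /tmp protects existing entries, but the
        # module directory itself must never be world-writable.
        if world_writable and (current == chain[-1] or not sticky):
            return current, "world-writable directory"
        parent_writable = world_writable
    return None


if __name__ == "__main__":
    # Default path is the one named in the advisory's workaround.
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/rrdharan"
    print(target, "->", audit_module_dir(target) or "no finding")
```

Run before and after applying the workaround, the first call reports the missing path under /tmp and the second reports no finding.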
1 Comment
From: the life of a sysadmin » Toys, Freedom, Technocracy
20-April-2005-06:16:05
[...] automated install (which is my next goal after automated patch management). Aside from the little oops (and hey, it’s beta), I’ve got no complaints at all about VMware as a prog [...]