-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1261
       VMware Movie Decoder, VMware Workstation, VMware Player, and
                    VMware ACE resolve security issues
                             7 September 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          VMware Workstation Movie Decoder stand alone 6.5.2 and earlier.
                  VMware Workstation 6.5.2 and earlier
                  VMware Player 2.5.2 and earlier
                  VMware ACE 2.5.2 and earlier
Publisher:        VMware
Operating System: Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2009-2628 CVE-2009-0199 

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2009-0012
Synopsis:          VMware Movie Decoder, VMware Workstation, VMware
                   Player, and VMware ACE resolve security issues.
Issue date:        2009-09-04
Updated on:        2009-09-04 (initial release of advisory)
CVE numbers:       CVE-2009-0199 CVE-2009-2628
- - ------------------------------------------------------------------------

1. Summary

   Several security issues are resolved with the latest VMnc codec.

2. Relevant releases

   VMware Workstation Movie Decoder stand alone 6.5.2 and earlier.
   VMware Workstation 6.5.2 and earlier,
   VMware Player 2.5.2 and earlier,
   VMware ACE 2.5.2 and earlier,

3. Problem Description

    Several security issues resolved with the latest VMnc codec.

    The VMware movie decoder contains the VMnc media codec that is
    required to play back movies recorded with VMware Workstation,
    VMware Player and VMware ACE, in any compatible media player. The
    movie decoder is installed as part of VMware Workstation, VMware
    Player and VMware ACE, or can be downloaded as a stand alone
    package.

    Several vulnerabilities in the VMnc codec can be exploited to cause
    heap-based buffer overflows via specially crafted video files
    containing incorrect framebuffer parameters.

    For an attack to be successful the user must be tricked into
    visiting a malicious web page or opening a malicious video file on
    a system that has the vulnerable version of the VMnc codec installed.

    VMware would like to thank Alin Rad Pop of Secunia Research and
    Will Dormann of the CERT/CC for reporting these issues and working
    with us on their remediation.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-0199 and CVE-2009-2628 to these
    issues.

    To remediate the above issues either install the stand alone movie
    decoder or update your product using the table below.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Movie Decoder  any       Windows  6.5.3 Build 185404 or later

    Workstation    6.5.x     Windows  6.5.3 build 185404 or later
    Workstation    6.5.x     Linux    not affected

    Player         2.5.x     Windows  2.5.3 build 185404 or later
    Player         2.5.x     Linux    not affected

    ACE            2.5.x     any      not affected

    Server         any       any      not affected

    Fusion         any       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected


4. Solution
   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Workstation Movie Decoder stand alone
   --------------------------------------------
   http://www.vmware.com/download/ws/drivers_tools.html

http://download3.vmware.com/software/wkst/VMware-moviedecoder-6.5.3-185404.exe
   md5sum: 2e9de20045c44bc1c03daa3e6fd9a611
   sha1sum: 9cd8f9578223310db988131885ffda6c9a4de873

   VMware Workstation 6.5.3
   ------------------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://www.vmware.com/support/ws65/doc/releasenotes_ws653.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 7565d16b7d7e0173b90c3b76ca4656bc
   sha1sum: 9f687afd8b0f39cde40aeceb3213a91be487aad1

   For Linux

   Workstation for Linux 32-bit
   Linux 32-bit .rpm
   md5sum: 4d55c491bd008ded0ea19f373d1d1fd4
   sha1sum: 1f43131c960e76a530390d3b6984c78dfc2da23e

   Workstation for Linux 32-bit
   Linux 32-bit .bundle
   md5sum: d4a721c1918c0e8a87c6fa4bad49ad35
   sha1sum: c0c6f9b56e70bd3ffdb5467ee176110e283a69e5

   Workstation for Linux 64-bit
   Linux 64-bit .rpm
   md5sum: 72adfdb03de4959f044fcb983412ae7c
   sha1sum: ba16163c8d9b5aa572526b34a7b63dc6e68f9bbb

   Workstation for Linux 64-bit
   Linux 64-bit .bundle
   md5sum: 83e1f0c94d6974286256c4d3b559e854
   sha1sum: 8763f250a3ac5fc4698bd26319b93fecb498d542


   VMware Player 2.5.3
   -------------------
   http://www.vmware.com/download/player/
   Release notes:
   http://www.vmware.com/support/player25/doc/releasenotes_player253.html

   Player for Windows binary

http://download3.vmware.com/software/vmplayer/VMware-player-2.5.3-185404.exe
   md5sum: fe28f193374c9457752ee16cd6cad4e7
   sha1sum: 13bd3ff93c04fa272544d3ef6de5ae746708af04

   Player for Linux (.rpm)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i386.rpm
   md5sum: c99cd65f19fdfc7651bcb7f328b73bc2
   sha1sum: a33231b26e2358a72d16e1b4e2656a5873fe637e

   Player for Linux (.bundle)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i386.bundle
   md5sum: 210f4cb5615bd3b2171bc054b9b2bac5
   sha1sum: 2f6497890b17b37480165bab9f430e8645edae9b

   Player for Linux - 64-bit (.rpm)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x86_64.rpm
   md5sum: f91576ef90b322d83225117ae9335968
   sha1sum: f492fa9cf26ee2818f164aac04cde1680c25d974

   Player for Linux - 64-bit (.bundle)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x86_64.bundle
   md5sum: 595d44d7945c129b1aeb679d2f001b05
   sha1sum: acd69fcb0c6bc49fd4af748c65c7fb730ab1e8c4


   VMware ACE 2.5.3
   ----------------
   http://www.vmware.com/download/ace/
   Release notes:
   http://www.vmware.com/support/ace25/doc/releasenotes_ace253.html

   ACE Management Server Virtual Appliance
   AMS Virtual Appliance .zip
   md5sum: 44cc7b86353047f02cf6ea0653e38418
   sha1sum: 9f44b15e6681a6e58dd20784f829c68091a62cd1

   VMware ACE for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 0779da73408c5e649e0fd1c62d23820f
   sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef

   ACE Management Server for Windows
   Windows .exe
   md5sum: 0779da73408c5e649e0fd1c62d23820f
   sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef

   ACE Management Server for SUSE Enterprise Linux 9
   SLES 9 .rpm
   md5sum: a4fc92d7197f0d569361cdf4b8cca642
   sha1sum: af8a135cca398cacaa82c8c3c325011c6cd3ed75

   ACE Management Server for Red Hat Enterprise Linux 4
   RHEL 4 .rpm
   md5sum: 841005151338c8b954f08d035815fd58
   sha1sum: 67e48624dba20e6be9e41ec9a5aba407dd8cc01e


5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0199
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2628

- - ------------------------------------------------------------------------
6. Change log

2009-09-04  VMSA-2009-0012
Initial security advisory after release of Workstation Movie Decoder
on 2009-09-04.  The corresponding updated versions of Workstation,
Player and ACE were released on 2009-08-20.

- - ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFKoZjiS2KysvBH1xkRAsPVAJ9jafQ+8nUoPDY/X4ucNTquM+/2FgCeKbV8
rFTdyZEGAONjXelRNrRC07I=
=p+w/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKpGfdNVH5XJJInbgRAmPVAJwOqZ1nZrRfm2wIzdeMcuOs+fCNRQCeNkam
u/Fg0ohFuW79RMhW9JrogJo=
=M9sr
-----END PGP SIGNATURE-----