ESX Server 3.0.2, Patch ESX-1008406: Security Update for Service Console Vim RPM (1008406)
- Several input flaws were found in Visual editor IMproved's (Vim) keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4101 to this issue.
- A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, causes the application to stop responding or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3432 to this issue.
- Several input flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2712 to this issue.
- A format string flaw was discovered in Vim's help tag processor. If a user was tricked into executing the "helptags" command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-2953 to this issue.
Download patch ESX-1008406 from http://www.vmware.com/download/vi/vi3_patches.html .
Log in to the ESX Server service console as root.
Create a local depot directory.
# mkdir -p /var/updates
Note: VMware recommends that you use the updates directory.
Change your working directory to /var/updates.
# cd /var/updates
Download the tar file into the /var/updates directory.
Verify the integrity of the downloaded tar file:
# md5sum ESX-1008406.tgz
The md5 checksum output should match the following:
Extract the compressed tar archive:
# tar -xvzf ESX-1008406.tgz
Change to the newly created directory, /var/updates/ESX-1008406:
# cd ESX-1008406
With the archive downloaded and extracted, and your working directory set to the directory created in the previous step, install the update with the following command:
# esxupdate update
To run esxupdate from a different directory, you must specify the bundle path in the command:
# esxupdate -r file://<directory>/ESX-1008406 update
For example, if the host is called depot:
# esxupdate -r file:///depot/var/updates/ESX-1008406 update
During the update process, logs appear on the terminal. You can specify the verbosity of esxupdate logs by using the -v option as shown below.
# esxupdate -v 10 -r file://<directory>/ESX-1008406 update
For more information on how to use esxupdate, see the Patch Management for ESX Server 3 tech note at http://www.vmware.com/pdf/esx3_esxupdate.pdf.
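The manual steps above compare the md5sum output by eye. The following added example (not VMware's code) wraps the same steps so that extraction and esxupdate run only when the checksum matches. The function names verify_md5 and install_bundle are hypothetical, and the expected checksum is a placeholder to be filled with the value published for the patch.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around the manual install steps.
# Function names are hypothetical; the expected checksum is supplied by the caller.

# verify_md5 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 32 hex digits,
    # for example a placeholder that was never filled in.
    case $expected in
        *[!0-9a-f]*) echo "expected checksum is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "expected checksum is not 32 digits" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# install_bundle DEPOT BUNDLE EXPECTED
# Verifies DEPOT/BUNDLE.tgz, extracts it, then runs esxupdate from the bundle directory.
install_bundle() {
    depot=$1 bundle=$2 expected=$3
    cd "$depot" || return 2
    verify_md5 "$bundle.tgz" "$expected" || return $?
    tar -xzf "$bundle.tgz" || return 2
    cd "$bundle" || return 2
    esxupdate update
}

# Usage on the service console as root, with the published checksum filled in:
#   install_bundle /var/updates ESX-1008406 "<published-md5>"
```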