forked from rpms/open-vm-tools
import open-vm-tools-12.1.5-1.el9_2.1
This commit is contained in:
parent
9dea3b1658
commit
31232e0c84
167
SOURCES/ovt-Remove-some-dead-code.patch
Normal file
167
SOURCES/ovt-Remove-some-dead-code.patch
Normal file
@ -0,0 +1,167 @@
|
|||||||
|
From 1b4d9bf7319862558abca4dc842a69a2f91c835e Mon Sep 17 00:00:00 2001
|
||||||
|
From: John Wolfe <jwolfe@vmware.com>
|
||||||
|
Date: Mon, 8 May 2023 19:04:57 -0700
|
||||||
|
Subject: [PATCH] Remove some dead code.
|
||||||
|
|
||||||
|
RH-Author: Ani Sinha <None>
|
||||||
|
RH-MergeRequest: 21: Remove some dead code.
|
||||||
|
RH-Bugzilla: 2217081
|
||||||
|
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||||
|
RH-Commit: [1/1] 8fa7cae2635fe32483bd1400df4014d01088f9d9
|
||||||
|
|
||||||
|
Address CVE-2023-20867.
|
||||||
|
Remove some authentication types which were deprecated long
|
||||||
|
ago and are no longer in use. These are dead code.
|
||||||
|
|
||||||
|
Cherry-picked from https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch
|
||||||
|
|
||||||
|
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
||||||
|
---
|
||||||
|
open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
|
||||||
|
1 file changed, 102 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
|
||||||
|
index 34f3125d..0789d6a5 100644
|
||||||
|
--- a/open-vm-tools/services/plugins/vix/vixTools.c
|
||||||
|
+++ b/open-vm-tools/services/plugins/vix/vixTools.c
|
||||||
|
@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
|
||||||
|
#define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
|
||||||
|
#define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
|
||||||
|
|
||||||
|
-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* The switch that controls all APIs
|
||||||
|
*/
|
||||||
|
@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
|
||||||
|
|
||||||
|
void GuestAuthUnimpersonate();
|
||||||
|
|
||||||
|
-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
|
||||||
|
- const char *typeName);
|
||||||
|
-
|
||||||
|
#if SUPPORT_VGAUTH
|
||||||
|
|
||||||
|
VGAuthError TheVGAuthContext(VGAuthContext **ctx);
|
||||||
|
@@ -7913,29 +7908,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
|
||||||
|
userToken);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- case VIX_USER_CREDENTIAL_ROOT:
|
||||||
|
- {
|
||||||
|
- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
|
||||||
|
- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
|
||||||
|
- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
|
||||||
|
- /*
|
||||||
|
- * Don't accept hashed shared secret if disabled.
|
||||||
|
- */
|
||||||
|
- g_message("%s: Requested authentication type has been disabled.\n",
|
||||||
|
- __FUNCTION__);
|
||||||
|
- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- // fall through
|
||||||
|
-
|
||||||
|
- case VIX_USER_CREDENTIAL_CONSOLE_USER:
|
||||||
|
- err = VixToolsImpersonateUserImplEx(NULL,
|
||||||
|
- credentialType,
|
||||||
|
- NULL,
|
||||||
|
- loadUserProfile,
|
||||||
|
- userToken);
|
||||||
|
- break;
|
||||||
|
case VIX_USER_CREDENTIAL_NAME_PASSWORD:
|
||||||
|
case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
|
||||||
|
case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
|
||||||
|
@@ -8104,36 +8076,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- /*
|
||||||
|
- * If the VMX asks to be root, then we allow them.
|
||||||
|
- * The VMX will make sure that only it will pass this value in,
|
||||||
|
- * and only when the VM and host are configured to allow this.
|
||||||
|
- */
|
||||||
|
- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
|
||||||
|
- && (thisProcessRunsAsRoot)) {
|
||||||
|
- *userToken = PROCESS_CREATOR_USER_TOKEN;
|
||||||
|
-
|
||||||
|
- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
|
||||||
|
- err = VIX_OK;
|
||||||
|
- goto quit;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * If the VMX asks to be root, then we allow them.
|
||||||
|
- * The VMX will make sure that only it will pass this value in,
|
||||||
|
- * and only when the VM and host are configured to allow this.
|
||||||
|
- *
|
||||||
|
- * XXX This has been deprecated XXX
|
||||||
|
- */
|
||||||
|
- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
|
||||||
|
- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
|
||||||
|
- *userToken = PROCESS_CREATOR_USER_TOKEN;
|
||||||
|
-
|
||||||
|
- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
|
||||||
|
- err = VIX_OK;
|
||||||
|
- goto quit;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* If the VMX asks us to run commands in the context of the current
|
||||||
|
* user, make sure that the user who requested the command is the
|
||||||
|
@@ -10814,50 +10756,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- *-----------------------------------------------------------------------------
|
||||||
|
- *
|
||||||
|
- * VixToolsCheckIfAuthenticationTypeEnabled --
|
||||||
|
- *
|
||||||
|
- * Checks to see if a given authentication type has been
|
||||||
|
- * disabled via the tools configuration.
|
||||||
|
- *
|
||||||
|
- * Return value:
|
||||||
|
- * TRUE if enabled, FALSE otherwise.
|
||||||
|
- *
|
||||||
|
- * Side effects:
|
||||||
|
- * None
|
||||||
|
- *
|
||||||
|
- *-----------------------------------------------------------------------------
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
-static Bool
|
||||||
|
-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
|
||||||
|
- const char *typeName) // IN
|
||||||
|
-{
|
||||||
|
- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
|
||||||
|
- gboolean disabled;
|
||||||
|
-
|
||||||
|
- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
|
||||||
|
- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
|
||||||
|
- typeName);
|
||||||
|
-
|
||||||
|
- ASSERT(confDictRef != NULL);
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * XXX Skip doing the strcmp() to verify the auth type since we only
|
||||||
|
- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
|
||||||
|
- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
|
||||||
|
- */
|
||||||
|
- disabled = VMTools_ConfigGetBoolean(confDictRef,
|
||||||
|
- VIX_TOOLS_CONFIG_API_GROUPNAME,
|
||||||
|
- authnDisabledName,
|
||||||
|
- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
|
||||||
|
-
|
||||||
|
- return !disabled;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
*-----------------------------------------------------------------------------
|
||||||
|
*
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
Name: open-vm-tools
|
Name: open-vm-tools
|
||||||
Version: %{toolsversion}
|
Version: %{toolsversion}
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}.1
|
||||||
Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
|
Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: https://github.com/vmware/%{name}
|
URL: https://github.com/vmware/%{name}
|
||||||
@ -52,6 +52,7 @@ ExclusiveArch: %{ix86} x86_64 aarch64
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
#Patch0: name.patch
|
#Patch0: name.patch
|
||||||
|
Patch1: ovt-Remove-some-dead-code.patch
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
@ -409,6 +410,11 @@ fi
|
|||||||
%files test
|
%files test
|
||||||
%{_bindir}/vmware-vgauth-smoketest
|
%{_bindir}/vmware-vgauth-smoketest
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 26 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.1.5-1.el9_2.1
|
||||||
|
- ovt-Remove-some-dead-code.patch [bz#2217081]
|
||||||
|
- Resolves: bz#2217081
|
||||||
|
([CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-9.2.0.z])
|
||||||
|
|
||||||
* Fri Dec 09 2022 Miroslav Rezanina <mrezanin@redhat.com> - 12.1.5-1
|
* Fri Dec 09 2022 Miroslav Rezanina <mrezanin@redhat.com> - 12.1.5-1
|
||||||
- Rebase to open-vm-tools 12.1.5 [bz#2150190]
|
- Rebase to open-vm-tools 12.1.5 [bz#2150190]
|
||||||
- Resolves: bz#2150190
|
- Resolves: bz#2150190
|
||||||
|
Loading…
Reference in New Issue
Block a user