diff --git a/.gitignore b/.gitignore index 25ccab8..3fc404d 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ /open-vm-tools-12.1.0-20219665.tar.gz /open-vm-tools-12.1.5-20735119.tar.gz /open-vm-tools-12.3.0-22234872.tar.gz +/open-vm-tools-12.3.5-22544099.tar.gz diff --git a/CVE-2023-34058.patch b/CVE-2023-34058.patch deleted file mode 100644 index 0fc34d7..0000000 --- a/CVE-2023-34058.patch +++ /dev/null @@ -1,237 +0,0 @@ -From 6822b5a84f8cfa60d46479d6b8f1c63eb85eac87 Mon Sep 17 00:00:00 2001 -From: John Wolfe -Date: Wed, 18 Oct 2023 09:04:07 -0700 -Subject: [PATCH] Address CVE-2023-34058 - -VGAuth: don't accept tokens with unrelated certs. - ---- - open-vm-tools/vgauth/common/certverify.c | 145 ++++++++++++++++++++++++ - open-vm-tools/vgauth/common/certverify.h | 4 + - open-vm-tools/vgauth/common/prefs.h | 2 + - open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 14 +++ - 4 files changed, 165 insertions(+) - -diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c -index 0ed78ed..e1d7cc6 100644 ---- a/open-vm-tools/vgauth/common/certverify.c -+++ b/open-vm-tools/vgauth/common/certverify.c -@@ -914,3 +914,148 @@ done: - - return err; - } -+ -+ -+/* -+ * Finds a cert with a subject (if checkSubj is set) or issuer (if -+ * checkSUbj is unset), matching 'val' in the list -+ * of certs. Returns a match or NULL. -+ */ -+ -+static X509 * -+FindCert(GList *cList, -+ X509_NAME *val, -+ int checkSubj) -+{ -+ GList *l; -+ X509 *c; -+ X509_NAME *v; -+ -+ l = cList; -+ while (l != NULL) { -+ c = (X509 *) l->data; -+ if (checkSubj) { -+ v = X509_get_subject_name(c); -+ } else { -+ v = X509_get_issuer_name(c); -+ } -+ if (X509_NAME_cmp(val, v) == 0) { -+ return c; -+ } -+ l = l->next; -+ } -+ return NULL; -+} -+ -+ -+/* -+ ****************************************************************************** -+ * CertVerify_CheckForUnrelatedCerts -- */ /** -+ * -+ * Looks over a list of certs. If it finds that they are not all -+ * part of the same chain, returns failure. -+ * -+ * @param[in] numCerts The number of certs in the chain. -+ * @param[in] pemCerts The chain of certificates to verify. -+ * -+ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found. -+ * -+ ****************************************************************************** -+ */ -+ -+VGAuthError -+CertVerify_CheckForUnrelatedCerts(int numCerts, -+ const char **pemCerts) -+{ -+ VGAuthError err = VGAUTH_E_FAIL; -+ int chainLen = 0; -+ int i; -+ X509 **certs = NULL; -+ GList *rawList = NULL; -+ X509 *baseCert; -+ X509 *curCert; -+ X509_NAME *subject; -+ X509_NAME *issuer; -+ -+ /* common single cert case; nothing to do */ -+ if (numCerts == 1) { -+ return VGAUTH_E_OK; -+ } -+ -+ /* convert all PEM to X509 objects */ -+ certs = g_malloc0(numCerts * sizeof(X509 *)); -+ for (i = 0; i < numCerts; i++) { -+ certs[i] = CertStringToX509(pemCerts[i]); -+ if (NULL == certs[i]) { -+ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__); -+ goto done; -+ } -+ } -+ -+ /* choose the cert to start the chain. shouldn't matter which */ -+ baseCert = certs[0]; -+ -+ /* put the rest into a list */ -+ for (i = 1; i < numCerts; i++) { -+ rawList = g_list_append(rawList, certs[i]); -+ } -+ -+ /* now chase down to a leaf, looking for certs the baseCert issued */ -+ subject = X509_get_subject_name(baseCert); -+ while ((curCert = FindCert(rawList, subject, 0)) != NULL) { -+ /* pull it from the list */ -+ rawList = g_list_remove(rawList, curCert); -+ /* set up the next find */ -+ subject = X509_get_subject_name(curCert); -+ } -+ -+ /* -+ * walk up to the root cert, by finding a cert where the -+ * issuer equals the subject of the current -+ */ -+ issuer = X509_get_issuer_name(baseCert); -+ while ((curCert = FindCert(rawList, issuer, 1)) != NULL) { -+ /* pull it from the list */ -+ rawList = g_list_remove(rawList, curCert); -+ /* set up the next find */ -+ issuer = X509_get_issuer_name(curCert); -+ } -+ -+ /* -+ * At this point, anything on the list should be certs that are not part -+ * of the chain that includes the original 'baseCert'. -+ * -+ * For a valid token, the list should be empty. -+ */ -+ chainLen = g_list_length(rawList); -+ if (chainLen != 0 ) { -+ GList *l; -+ -+ g_warning("%s: %d unrelated certs found in list\n", -+ __FUNCTION__, chainLen); -+ -+ /* debug helper */ -+ l = rawList; -+ while (l != NULL) { -+ X509* c = (X509 *) l->data; -+ char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0); -+ -+ g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s); -+ free(s); -+ l = l->next; -+ } -+ -+ goto done; -+ } -+ -+ g_debug("%s: Success! no unrelated certs found\n", __FUNCTION__); -+ err = VGAUTH_E_OK; -+ -+done: -+ g_list_free(rawList); -+ for (i = 0; i < numCerts; i++) { -+ X509_free(certs[i]); -+ } -+ g_free(certs); -+ return err; -+} -diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h -index d7c6410..f582bb8 100644 ---- a/open-vm-tools/vgauth/common/certverify.h -+++ b/open-vm-tools/vgauth/common/certverify.h -@@ -67,6 +67,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash, - size_t signatureLen, - const unsigned char *signature); - -+ -+VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts, -+ const char **pemCerts); -+ - gchar * CertVerify_StripPEMCert(const gchar *pemCert); - - gchar * CertVerify_CertToX509String(const gchar *pemCert); -diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h -index ff11692..87ccc9b 100644 ---- a/open-vm-tools/vgauth/common/prefs.h -+++ b/open-vm-tools/vgauth/common/prefs.h -@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages - #define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir" - /** The number of seconds slack allowed in either direction in SAML token date checks. */ - #define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment" -+/** If unrelated certificates are allowed in a SAML token */ -+#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts" - - /** Ticket group name. */ - #define VGAUTH_PREF_GROUP_NAME_TICKET "ticket" -diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c -index 14cba1b..57e9316 100644 ---- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c -+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c -@@ -49,6 +49,7 @@ - #include "vmxlog.h" - - static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS; -+static gboolean gAllowUnrelatedCerts = FALSE; - static xmlSchemaPtr gParsedSchemas = NULL; - static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL; - -@@ -369,6 +370,10 @@ LoadPrefs(void) - VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS); - Log("%s: Allowing %d of clock skew for SAML date validation\n", - __FUNCTION__, gClockSkewAdjustment); -+ gAllowUnrelatedCerts = Pref_GetBool(gPrefs, -+ VGAUTH_PREF_ALLOW_UNRELATED_CERTS, -+ VGAUTH_PREF_GROUP_NAME_SERVICE, -+ FALSE); - } - - -@@ -1697,6 +1702,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText, - return VGAUTH_E_AUTHENTICATION_DENIED; - } - -+ if (!gAllowUnrelatedCerts) { -+ err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain); -+ if (err != VGAUTH_E_OK) { -+ VMXLog_Log(VMXLOG_LEVEL_WARNING, -+ "Unrelated certs found in SAML token, failing\n"); -+ return VGAUTH_E_AUTHENTICATION_DENIED; -+ } -+ } -+ - subj.type = SUBJECT_TYPE_NAMED; - subj.name = *subjNameOut; - err = ServiceVerifyAndCheckTrustCertChainForSubject(num, --- -2.6.2 - diff --git a/CVE-2023-34059.patch b/CVE-2023-34059.patch deleted file mode 100644 index 2a667aa..0000000 --- a/CVE-2023-34059.patch +++ /dev/null @@ -1,182 +0,0 @@ -From 2011181cbe60b256ced8d28daf7b704e8613467c Mon Sep 17 00:00:00 2001 -From: John Wolfe -Date: Wed, 18 Oct 2023 09:11:54 -0700 -Subject: [PATCH] Address CVE-2023-34059 - -Fix file descriptor vulnerability in the open-vm-tools - vmware-user-suid-wrapper on Linux. - - Moving the privilege drop logic (dropping privilege to the real uid - and gid of the process for the vmusr service) from suidWrapper to - vmtoolsd code. - ---- - open-vm-tools/services/vmtoolsd/mainPosix.c | 76 +++++++++++++++++++++++++++ - open-vm-tools/vmware-user-suid-wrapper/main.c | 26 ++------- - 2 files changed, 79 insertions(+), 23 deletions(-) - -diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c -index fd2667c..8b46979 100644 ---- a/open-vm-tools/services/vmtoolsd/mainPosix.c -+++ b/open-vm-tools/services/vmtoolsd/mainPosix.c -@@ -28,10 +28,12 @@ - #include - #include - #include -+#include - #include - #include "file.h" - #include "guestApp.h" - #include "hostinfo.h" -+#include "su.h" - #include "system.h" - #include "unicode.h" - #include "util.h" -@@ -155,6 +157,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state, - - - /** -+ * Tools function to set close-on-exec flg for the fd. -+ * -+ * @param[in] fd open file descriptor. -+ * -+ * @return TRUE on success, FALSE otherwise. -+ */ -+ -+static gboolean -+ToolsSetCloexecFlag(int fd) -+{ -+ int flags; -+ -+ if (fd == -1) { -+ /* fd is not present, no need to manipulate */ -+ return TRUE; -+ } -+ -+ flags = fcntl(fd, F_GETFD, 0); -+ if (flags < 0) { -+ g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno); -+ return FALSE; -+ } -+ flags |= FD_CLOEXEC; -+ if (fcntl(fd, F_SETFD, flags) < 0) { -+ g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno); -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+ -+ -+/** -+ * Tools function to close the fds. -+ */ -+ -+static void -+ToolsCloseFds(void) -+{ -+ if (gState.ctx.blockFD != -1) { -+ close(gState.ctx.blockFD); -+ } -+ -+ /* -+ * uinputFD will be available only for wayland. -+ */ -+ if (gState.ctx.uinputFD != -1) { -+ close(gState.ctx.uinputFD); -+ } -+} -+ -+ -+/** - * Tools daemon entry function. - * - * @param[in] argc Argument count. -@@ -210,6 +265,27 @@ main(int argc, - g_free(argvCopy); - argvCopy = NULL; - -+ /* -+ * Drops privilege to the real uid and gid of the process -+ * for the "vmusr" service. -+ */ -+ if (TOOLS_IS_USER_SERVICE(&gState)) { -+ uid_t uid = getuid(); -+ gid_t gid = getgid(); -+ -+ if ((Id_SetREUid(uid, uid) != 0) || -+ (Id_SetREGid(gid, gid) != 0)) { -+ g_printerr("could not drop privileges: %s", strerror(errno)); -+ ToolsCloseFds(); -+ goto exit; -+ } -+ if (!ToolsSetCloexecFlag(gState.ctx.blockFD) || -+ !ToolsSetCloexecFlag(gState.ctx.uinputFD)) { -+ ToolsCloseFds(); -+ goto exit; -+ } -+ } -+ - if (gState.pidFile != NULL) { - /* - * If argv[0] is not an absolute path, make it so; all other path -diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c -index e9d7e50..a19af53 100644 ---- a/open-vm-tools/vmware-user-suid-wrapper/main.c -+++ b/open-vm-tools/vmware-user-suid-wrapper/main.c -@@ -156,8 +156,7 @@ MaskSignals(void) - * - * Obtains the library directory from the Tools locations database, then - * opens a file descriptor (while still root) to add and remove blocks, -- * drops privilege to the real uid of this process, and finally starts -- * vmware-user. -+ * and finally starts vmware-user. - * - * Results: - * Parent: TRUE on success, FALSE on failure. -@@ -173,8 +172,6 @@ static Bool - StartVMwareUser(char *const envp[]) - { - pid_t pid; -- uid_t uid; -- gid_t gid; - int blockFd = -1; - char blockFdStr[8]; - int uinputFd = -1; -@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[]) - } - - /* -- * Now create a child process, obtain a file descriptor as root, downgrade -- * privilege, and run vmware-user. -+ * Now create a child process, obtain a file descriptor as root and -+ * run vmware-user. - */ - pid = fork(); - if (pid == -1) { -@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[]) - } - } - -- uid = getuid(); -- gid = getgid(); -- -- if ((setreuid(uid, uid) != 0) || -- (setregid(gid, gid) != 0)) { -- Error("could not drop privileges: %s\n", strerror(errno)); -- if (blockFd != -1) { -- close(blockFd); -- } -- if (useWayland) { -- if (uinputFd != -1) { -- close(uinputFd); -- } -- } -- return FALSE; -- } -- - /* - * Since vmware-user provides features that don't depend on vmblock, we - * invoke vmware-user even if we couldn't obtain a file descriptor or we --- -2.6.2 - diff --git a/open-vm-tools.spec b/open-vm-tools.spec index d163e62..56878ee 100644 --- a/open-vm-tools.spec +++ b/open-vm-tools.spec @@ -19,8 +19,8 @@ ################################################################################ %global majorversion 12.3 -%global minorversion 0 -%global toolsbuild 22234872 +%global minorversion 5 +%global toolsbuild 22544099 %global toolsversion %{majorversion}.%{minorversion} %global toolsdaemon vmtoolsd %global vgauthdaemon vgauthd @@ -31,7 +31,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 3%{?dist} +Release: 1%{?dist} Summary: Open Virtual Machine Tools for virtual machines hosted on VMware License: GPL-2.0 AND W3C AND LGPL-2.1 AND ICU AND ISC AND MIT URL: https://github.com/vmware/%{name} @@ -51,8 +51,6 @@ ExclusiveArch: %{ix86} x86_64 aarch64 # Patches #Patch0: .patch -Patch1: CVE-2023-34058.patch -Patch2: CVE-2023-34059.patch BuildRequires: autoconf BuildRequires: automake @@ -420,6 +418,14 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog +* Wed Nov 8 2023 John Wolfe - 12.3.5-1 +- Package new upstream version of open-vm-tools-12.3.5-22544099. + . fix for CVE-2023-34058 - another SAML token signature bypass vulnerability. + . fix for CVE-2023-34059 - a file descriptor hijack vulnerability in the + vmware-user-suid-wrapper. + . address https://github.com/vmware/open-vm-tools/issues/310 +- Remove CVE-2023-34058.patch and CVE-2023-34059.patch as no longer needed. + * Mon Oct 30 2023 John Wolfe - 12.3.0-3 - Address CVE-2023-34058 - BZ 2246963 - SAML token signature token bypass. - Address CVE-2023-34059 - BZ 2246962 - vmware-user-suid-wrapper diff --git a/sources b/sources index 67891f3..0a2671d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (open-vm-tools-12.3.0-22234872.tar.gz) = 942be3c225d5724e236959dc0d422358b99d2844ed8f1c2d2ca06ea5959c12b1a5ac4fa47ee48c27d1c1291f6d783d1cf87303bf64b8117fd96f226ae4d632e5 +SHA512 (open-vm-tools-12.3.5-22544099.tar.gz) = 7a81d929ea4871b8af0af0fa3dc62a821ac4286235255103f1bcf014e3b04b5bbbfa178a9328a16d67cfd595c4ce726dc9e195adbe21ec5c68a4d1abb1561ff6