diff --git a/open-vm-tools.spec b/open-vm-tools.spec
index 27b1be4..36597e5 100644
--- a/open-vm-tools.spec
+++ b/open-vm-tools.spec
@@ -18,10 +18,9 @@
 ### Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 ################################################################################
-%global _hardened_build 1
-%global majorversion 12.2
+%global majorversion 12.3
 %global minorversion 5
-%global toolsbuild 21855600
+%global toolsbuild 22544099
 %global toolsversion %{majorversion}.%{minorversion}
 %global toolsdaemon vmtoolsd
 %global vgauthdaemon vgauthd
@@ -32,7 +31,7 @@ Name: open-vm-tools
 Version: %{toolsversion}
-Release: 3%{?dist}
+Release: 1%{?dist}
 Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
 License: GPLv2
 URL: https://github.com/vmware/%{name}
@@ -44,18 +43,14 @@ Source3: run-vmblock\x2dfuse.mount
 Source4: open-vm-tools.conf
 Source5: vmtoolsd.pam
-
 %if 0%{?rhel} >= 7
 ExclusiveArch: x86_64 aarch64
 %else
 ExclusiveArch: %{ix86} x86_64 aarch64
 %endif
-#Patch0: name.patch
-# For bz#2236544 - CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-9]
-Patch1: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
-# For RHEL-2446 - [RHEL9.3][ESXi]Latest version of open-vm-tools breaks VM backups
-Patch2: ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch
+# Patches
+#Patch0: .patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -64,7 +59,12 @@ BuildRequires: make
 BuildRequires: gcc-c++
 BuildRequires: doxygen
 # Fuse is optional and enables vmblock-fuse
+# Switching Fedora to use fuse3. Red Hat to switch on their own schedule.
+%if 0%{?fedora} || 0%{?rhel} > 8
 BuildRequires: fuse3-devel
+%else
 BuildRequires: fuse-devel
+%endif
 BuildRequires: glib2-devel >= 2.14.0
 BuildRequires: libicu-devel
 BuildRequires: libmspack-devel
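Review bot: The first hunk drops `%global _hardened_build 1` without a replacement, so the spec no longer asks redhat-rpm-config for PIE and full-RELRO builds explicitly, and neither the other hunks nor the new changelog entry explain why. On current Fedora and RHEL releases hardening is already the macro default, so this is presumably a no-op there, but the spec still carries `%if 0%{?rhel} >= 7` branches for targets where it was historically opt-in, and this same rebase fixes CVE-2023-34059 in `vmware-user-suid-wrapper`, exactly the kind of privileged binary those flags protect. Either keep the line or record the decision next to the remaining globals, e.g. `# _hardened_build is the redhat-rpm-config default on every supported target`, so a later reader does not have to rediscover it. Separately, the `BuildRequires: fuse3-devel` line in the last hunk appears here without a `+` marker; given that the old side only had fuse-devel, that looks like a rendering artifact rather than a context line, but it is worth checking against the actual commit.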
@@ -91,7 +91,7 @@ BuildRequires: gtk3-devel >= 3.10.0
 BuildRequires: gtkmm30-devel >= 3.10.0
 BuildRequires: libtirpc-devel
 BuildRequires: rpcgen
-BuildRequires: systemd-rpm-macros
+BuildRequires: systemd-udev
 %else
 BuildRequires: gtk2-devel >= 2.4.0
 BuildRequires: gtkmm24-devel
@@ -99,7 +99,11 @@ BuildRequires: systemd
 %endif
 Requires: coreutils
+%if 0%{?fedora} || 0%{?rhel} > 8
+Requires: fuse3
+%else
 Requires: fuse
+%endif
 Requires: iproute
 Requires: grep
 Requires: pciutils
@@ -412,7 +416,19 @@ fi
 %files test
 %{_bindir}/vmware-vgauth-smoketest
+
 %changelog
+* Thu Nov 09 2023 Miroslav Rezanina - 12.3.5-1
+- Rebase to 12.3.5-1 [RHEL-15058]
+- Fixed CVE-2023-34058 [RHEL-14653]
+- Fixed CVE-2023-34059 [RHEL-14687]
+- Resolves: RHEL-15058
+ ([ESXi][RHEL9]open-vm-tools version 12.3.5 has been released - please rebase)
+- Resolves: RHEL-14653
+ (CVE-2023-34058 open-vm-tools: SAML token signature bypass [rhel-9.4.0])
+- Resolves: RHEL-14687
+ (CVE-2023-34059 open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper [rhel-9.4.0])
+
 * Fri Sep 22 2023 Miroslav Rezanina - 12.2.5-3
 - ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch [RHEL-2446]
 - Resolves: RHEL-2446
diff --git a/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch b/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch
deleted file mode 100644
index 21e0842..0000000
--- a/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch
+++ /dev/null
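Review bot: The new `%changelog` entry in the last hunk does not record that `Patch1` (CVE-2023-20900, SAML token signature bypass) and `Patch2` (RHEL-2446, the `ignoreFrozenFileSystems` switch) are dropped together with their patch files, so the spec history alone cannot show whether those fixes survived the rebase. Presumably both are carried by upstream 12.3.5, but that is an inference; the entry should state it, e.g. `- Drop Patch1 (CVE-2023-20900) and Patch2 (RHEL-2446): included upstream in 12.3.5`. The `BuildRequires: systemd-rpm-macros` to `systemd-udev` swap in the first hunk is likewise unexplained; if the spec still expands macros such as `%{_udevrulesdir}` outside this view, confirm that the new build dependency still brings the macro package into the buildroot, since rpmbuild leaves an undefined macro unexpanded and the failure only surfaces at install time.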
@@ -1,426 +0,0 @@
-From 6b783bb35d6c860c809ad4e05ef9f5bf5ad81bcc Mon Sep 17 00:00:00 2001
-From: Katy Feng
-Date: Tue, 22 Aug 2023 11:11:42 -0700
-Subject: [PATCH] Provide alternate method to allow (expected) pre-frozen
- filesystems
-
-RH-Author: Ani Sinha
-RH-MergeRequest: 5: Provide alternate method to allow (expected) pre-frozen filesystems when taking a quiesced snapshot.
-RH-Jira: RHEL-2446
-RH-Acked-by: Cathy Avery
-RH-Acked-by: Miroslav Rezanina
-RH-Commit: [1/1] 02bb68525844635819d1f4745e606d7ae8519c6d (anisinha/centos-open-vm-tools)
-
-Effective with open-vm-tools 12.2.0, Linux quiesced snapshots will fail if
-any filesystem(s) have been prefrozen by other than the vmtoolsd process.
-This has been done to assure that filesystems are inactive while the
-snapshots are being taken. Some existing prefreeze scripts may be freezing
-some filesystem(s). In these cases, the vmtoolsd process must be informed of
-anticipated pre-frozen filesystems by providing an "excludedFileSystem" list in
-the [vmbackup] section of the tools.conf file.
-
-This change provides a new switch in the tools.conf file to allow pre-frozen
-filesystems to be encountered and accepted when doing a quiesced snapshot
-operation. With the default value of "false", the "ignoreFrozenFileSystems"
-can be configured with a setting of "true" to notify the quiesced snapshot
-operation that pre-frozen filesystems are allowed.
-
-(cherry picked from commit 60c3a80ddc2b400366ed05169e16a6bed6501da2)
-Signed-off-by: Ani Sinha
----
- open-vm-tools/lib/include/syncDriver.h | 5 ++--
- open-vm-tools/lib/syncDriver/nullDriver.c | 10 +++++---
- open-vm-tools/lib/syncDriver/syncDriverInt.h | 14 +++++++----
- .../lib/syncDriver/syncDriverLinux.c | 25 ++++++++++++++-----
- .../lib/syncDriver/syncDriverPosix.c | 7 +++---
- open-vm-tools/lib/syncDriver/vmSyncDriver.c | 10 +++++---
- .../services/plugins/vix/foundryToolsDaemon.c | 14 +++++++++--
- .../services/plugins/vmbackup/stateMachine.c | 8 ++++--
- .../services/plugins/vmbackup/syncDriverOps.c | 5 ++--
- .../services/plugins/vmbackup/vmBackupInt.h | 19 ++++++++------
- open-vm-tools/tools.conf | 23 +++++++++++++++++
- 11 files changed, 103 insertions(+), 37 deletions(-)
-
-diff --git a/open-vm-tools/lib/include/syncDriver.h b/open-vm-tools/lib/include/syncDriver.h
-index 20712f66..8ef229d4 100644
---- a/open-vm-tools/lib/include/syncDriver.h
-+++ b/open-vm-tools/lib/include/syncDriver.h
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2005-2018 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2005-2018, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -51,7 +51,8 @@ typedef enum {
- Bool SyncDriver_Init(void);
- Bool SyncDriver_Freeze(const char *drives, Bool enableNullDriver,
- SyncDriverHandle *handle,
-- const char *excludedFileSystems);
-+ const char *excludedFileSystems,
-+ Bool ignoreFrozenFS);
- Bool SyncDriver_Thaw(const SyncDriverHandle handle);
- SyncDriverStatus SyncDriver_QueryStatus(const SyncDriverHandle handle,
- int32 timeout);
-diff --git a/open-vm-tools/lib/syncDriver/nullDriver.c b/open-vm-tools/lib/syncDriver/nullDriver.c
-index 5e19e208..be96222a 100644
---- a/open-vm-tools/lib/syncDriver/nullDriver.c
-+++ b/open-vm-tools/lib/syncDriver/nullDriver.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -54,8 +54,9 @@ NullDriverClose(SyncDriverHandle handle)
- *
- * Calls sync().
- *
-- * @param[in] paths Unused.
-- * @param[out] handle Where to store the operation handle.
-+ * @param[in] paths Unused.
-+ * @param[out] handle Where to store the operation handle.
-+ * @param[in] ignoreFrozenFS Unused.
- *
- * @return A SyncDriverErr.
- *
-@@ -64,7 +65,8 @@ NullDriverClose(SyncDriverHandle handle)
-
- SyncDriverErr
- NullDriver_Freeze(const GSList *paths,
-- SyncDriverHandle *handle)
-+ SyncDriverHandle *handle,
-+ Bool ignoreFrozenFS)
- {
- /*
- * This is more of a "let's at least do something" than something that
-diff --git a/open-vm-tools/lib/syncDriver/syncDriverInt.h b/open-vm-tools/lib/syncDriver/syncDriverInt.h
-index 04f37bf2..a5706298 100644
---- a/open-vm-tools/lib/syncDriver/syncDriverInt.h
-+++ b/open-vm-tools/lib/syncDriver/syncDriverInt.h
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2011-2017 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2011-2017, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -41,7 +41,8 @@ typedef enum {
- } SyncDriverErr;
-
- typedef SyncDriverErr (*SyncFreezeFn)(const GSList *paths,
-- SyncDriverHandle *handle);
-+ SyncDriverHandle *handle,
-+ Bool ignoreFrozenFs);
-
- typedef struct SyncHandle {
- SyncDriverErr (*thaw)(const SyncDriverHandle handle);
-@@ -55,15 +56,18 @@ typedef struct SyncHandle {
- #if defined(__linux__)
- SyncDriverErr
- LinuxDriver_Freeze(const GSList *userPaths,
-- SyncDriverHandle *handle);
-+ SyncDriverHandle *handle,
-+ Bool ignoreFrozenFs);
-
- SyncDriverErr
- VmSync_Freeze(const GSList *userPaths,
-- SyncDriverHandle *handle);
-+ SyncDriverHandle *handle,
-+ Bool ignoreFrozenFs);
-
- SyncDriverErr
- NullDriver_Freeze(const GSList *userPaths,
-- SyncDriverHandle *handle);
-+ SyncDriverHandle *handle,
-+ Bool ignoreFrozenFs);
- #endif
-
- #endif
-diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
-index 6d9a3568..4581098e 100644
---- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c
-+++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
-@@ -199,8 +199,9 @@ LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored)
- * slow when guest is performing significant IO. Therefore, caller should
- * consider running this function in a separate thread.
- *
-- * @param[in] paths List of paths to freeze.
-- * @param[out] handle Handle to use for thawing.
-+ * @param[in] paths List of paths to freeze.
-+ * @param[out] handle Handle to use for thawing.
-+ * @param[in] ignoreFrozenFS Switch to allow EBUSY error.
- *
- * @return A SyncDriverErr.
- *
-@@ -209,7 +210,8 @@ LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored)
-
- SyncDriverErr
- LinuxDriver_Freeze(const GSList *paths,
-- SyncDriverHandle *handle)
-+ SyncDriverHandle *handle,
-+ Bool ignoreFrozenFS)
- {
- ssize_t count = 0;
- Bool first = TRUE;
-@@ -324,9 +326,12 @@ LinuxDriver_Freeze(const GSList *paths,
- * Previously, an EBUSY error was ignored, assuming that we may try
- * to freeze the same superblock more than once depending on the
- * OS configuration (e.g., usage of bind mounts).
-- * Using the filesystem Id to check if this is a filesystem that we
-- * have seen previously and will ignore this FD only if that is
-- * the case. Log a warning otherwise since the quiesced snapshot
-+ * Use the filesystem Id to check if this filesystem has been
-+ * handled before and, if so, ignore it.
-+ * Alternatively, allow (ignore) the EBUSY if the
-+ * "ignoreFrozenFileSystems" switch inside "vmbackup" section of
-+ * tools.conf file is TRUE.
-+ * Otherwise, log a warning as the quiesced snapshot
- * attempt will fail.
- */
- if (ioctlerr == EBUSY) {
-@@ -339,6 +344,14 @@ LinuxDriver_Freeze(const GSList *paths,
- */
- Debug(LGPFX "skipping path '%s' - previously frozen", path);
- continue;
-+ } else if (ignoreFrozenFS) {
-+ /*
-+ * Ignores the EBUSY error if the FS has been frozen by another
-+ * process and the 'ignoreFrozenFileSystems' setting is
-+ * turned on in tools.conf file.
-+ */
-+ Debug(LGPFX "Ignoring the frozen filesystem '%s'",path);
-+ continue;
- }
- /*
- * It appears that this FS has been locked or frozen by another
-diff --git a/open-vm-tools/lib/syncDriver/syncDriverPosix.c b/open-vm-tools/lib/syncDriver/syncDriverPosix.c
-index 7b6132ba..27369639 100644
---- a/open-vm-tools/lib/syncDriver/syncDriverPosix.c
-+++ b/open-vm-tools/lib/syncDriver/syncDriverPosix.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2005-2019 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2005-2019, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -456,7 +456,8 @@ Bool
- SyncDriver_Freeze(const char *userPaths, // IN
- Bool enableNullDriver, // IN
- SyncDriverHandle *handle, // OUT
-- const char *excludedFileSystems) // IN
-+ const char *excludedFileSystems, // IN
-+ Bool ignoreFrozenFS) // IN
- {
- GSList *paths = NULL;
- SyncDriverErr err = SD_UNAVAILABLE;
-@@ -517,7 +518,7 @@ SyncDriver_Freeze(const char *userPaths, // IN
- continue;
- }
- #endif
-- err = freezeFn(paths, handle);
-+ err = freezeFn(paths, handle, ignoreFrozenFS);
- }
-
- /*
-diff --git a/open-vm-tools/lib/syncDriver/vmSyncDriver.c b/open-vm-tools/lib/syncDriver/vmSyncDriver.c
-index 2bd0e886..a0d4a315 100644
---- a/open-vm-tools/lib/syncDriver/vmSyncDriver.c
-+++ b/open-vm-tools/lib/syncDriver/vmSyncDriver.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -91,8 +91,9 @@ VmSyncClose(SyncDriverHandle handle)
- * Opens a description to the driver's proc node, and if successful, send an
- * ioctl to freeze the requested filesystems.
- *
-- * @param[in] paths List of paths to freeze.
-- * @param[out] handle Where to store the handle to use for thawing.
-+ * @param[in] paths List of paths to freeze.
-+ * @param[out] handle Where to store the handle to use for thawing.
-+ * @param[in] ignoreFrozenFS Unused.
- *
- * @return A SyncDriverErr.
- *
-@@ -101,7 +102,8 @@ VmSyncClose(SyncDriverHandle handle)
-
- SyncDriverErr
- VmSync_Freeze(const GSList *paths,
-- SyncDriverHandle *handle)
-+ SyncDriverHandle *handle,
-+ Bool ignoreFrozenFS)
- {
- int file;
- Bool first = TRUE;
-diff --git a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
-index 7d45d3f5..079540f1 100644
---- a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
-+++ b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2003-2021 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2003-2021, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -545,6 +545,8 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data)
- GKeyFile *confDictRef = ctx->config;
- Bool enableNullDriver;
- GSource *timer;
-+ char *excludedFileSystems;
-+ Bool ignoreFrozenFS;
-
- /*
- * Parse the arguments
-@@ -581,10 +583,18 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data)
- "vmbackup",
- "enableNullDriver",
- FALSE);
-+ excludedFileSystems = VMTools_ConfigGetString(confDictRef,
-+ "vmbackup",
-+ "excludedFileSystems",
-+ NULL);
-+ ignoreFrozenFS = VMTools_ConfigGetBoolean(confDictRef,
-+ "vmbackup",
-+ "ignoreFrozenFileSystems",
-+ FALSE);
-
- /* Perform the actual freeze. */
- if (!SyncDriver_Freeze(driveList, enableNullDriver, &gSyncDriverHandle,
-- NULL) ||
-+ excludedFileSystems, ignoreFrozenFS) ||
- SyncDriver_QueryStatus(gSyncDriverHandle, INFINITE) != SYNCDRIVER_IDLE) {
- g_warning("%s: Failed to Freeze drives '%s'\n",
- __FUNCTION__, driveList);
-diff --git a/open-vm-tools/services/plugins/vmbackup/stateMachine.c b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
-index 99f52582..b04565d8 100644
---- a/open-vm-tools/services/plugins/vmbackup/stateMachine.c
-+++ b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
-@@ -1073,9 +1073,13 @@ VmBackupStartCommon(RpcInData *data,
- #if defined(__linux__)
- gBackupState->excludedFileSystems =
- VMBACKUP_CONFIG_GET_STR(ctx->config, "excludedFileSystems", NULL);
-- g_debug("Using excludedFileSystems = \"%s\"\n",
-+ gBackupState->ignoreFrozenFS =
-+ VMBACKUP_CONFIG_GET_BOOL(ctx->config, "ignoreFrozenFileSystems", FALSE);
-+
-+ g_debug("Using excludedFileSystems = \"%s\", ignoreFrozenFileSystems = %d\n",
- (gBackupState->excludedFileSystems != NULL) ?
-- gBackupState->excludedFileSystems : "(null)");
-+ gBackupState->excludedFileSystems : "(null)",
-+ gBackupState->ignoreFrozenFS);
- #endif
- g_debug("Quiescing volumes: %s",
- (gBackupState->volumes) ? gBackupState->volumes : "(null)");
-diff --git a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
-index cc01d294..a090ec72 100644
---- a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
-+++ b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2007-2019, 2021 VMware, Inc. All rights reserved.
-+ * Copyright (C) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -276,7 +276,8 @@ VmBackupNewDriverOp(VmBackupState *state, // IN
- useNullDriverPrefs ?
- state->enableNullDriver : FALSE,
- op->syncHandle,
-- state->excludedFileSystems);
-+ state->excludedFileSystems,
-+ state->ignoreFrozenFS);
- break;
- case OP_THAW:
- op->manifest = SyncNewManifest(state, *op->syncHandle);
-diff --git a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
-index 0c912174..65e2e552 100644
---- a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
-+++ b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2008-2019, 2023 VMware, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as published
-@@ -100,18 +100,22 @@ struct VmBackupSyncCompleter;
- * Don't modify the fields directly - rather, use VmBackup_SetCurrentOp,
- * which does most of the handling needed by users of the state machine.
- *
-- * NOTE: The thread for freeze operation modifies currentOp in BackupState
-- * which is also accessed by the AsyncCallback driving the state
-- * machine (run by main thread). Also, gcc might generate two
-- * instructions for writing a 64-bit value. Therefore, protect the
-- * access to currentOp and related fields using opLock mutex.
-+ * NOTE 1: The thread for freeze operation modifies currentOp in BackupState
-+ * which is also accessed by the AsyncCallback driving the state
-+ * machine (run by main thread). Also, gcc might generate two
-+ * instructions for writing a 64-bit value. Therefore, protect the
-+ * access to currentOp and related fields using opLock mutex.
-+ *
-+ * NOTE 2: Only used by Linux guests, ignored on Windows guests and is
-+ initialized to "false" when the VmBackupState is initialized
-+ at the start of a backup operation.
- */
-
- typedef struct VmBackupState {
- ToolsAppCtx *ctx;
- VmBackupOp *currentOp;
- const char *currentOpName;
-- GMutex opLock; // See note above
-+ GMutex opLock; // See note 1 above
- char *volumes;
- char *snapshots;
- guint pollPeriod;
-@@ -127,6 +131,7 @@ typedef struct VmBackupState {
- Bool allowHWProvider;
- Bool execScripts;
- Bool enableNullDriver;
-+ Bool ignoreFrozenFS; // See note 2 above
- Bool needsPriv;
- gchar *scriptArg;
- guint timeout;
-diff --git a/open-vm-tools/tools.conf b/open-vm-tools/tools.conf
-index e5a03a9c..f238cb59 100644
---- a/open-vm-tools/tools.conf
-+++ b/open-vm-tools/tools.conf
-@@ -395,6 +395,29 @@
-
- #excludedFileSystems=
-
-+# Linux:
-+# It is possible that filesystems are being frozen in pre-freeze scripts
-+# to control the order in which those specific filesystems are to be frozen.
-+# The vmtoolsd process must be informed of all such filesystems with the help
-+# of "excludedFileSystems" setting of tools.conf.
-+#
-+# A temporary workaround is available (starting from 12.3.0) for admins to allow
-+# quiesceing operation to succeed until the "excludedFileSystems" list
-+# is configured.
-+#
-+# If another process thaws the file system while a quiescing operation
-+# operation is ongoing, the snapshot may be compromised. Once the
-+# "excludedFileSystems" list is configured this setting MUST be unset (or set
-+# to false).
-+#
-+# The value of ignoreFrozenFileSystems is a true or false; the default is
-+# false.
-+#
-+# Set to true to ignore pre-frozen file systems during the quiescing operation.
-+#
-+# ignoreFrozenFileSystems is Linux only (Not supported on Windows).
-+#ignoreFrozenFileSystems=false
-+
- # execScripts specifies whether to execute scripts as part of the quiescing
- # operation. Scripts are executed from the scripts directory along with the
- # legacy scripts.
---
-2.39.3
-
diff --git a/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch b/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
deleted file mode 100644
index e8b7790..0000000
--- a/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 2dc6f33e455c7d0dceb2d444632b35806613c510 Mon Sep 17 00:00:00 2001
-From: Miroslav Rezanina
-Date: Thu, 7 Sep 2023 02:27:50 -0400
-Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token
- signature.
-
-RH-Author: Miroslav Rezanina
-RH-Bugzilla: 2236544
-RH-CVE: CVE-2023-20900
-
-Signed-off-by: Miroslav Rezanina
----
- open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-index f5541a9a..0b2a945b 100644
---- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
- */
- bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
- if (bRet == FALSE) {
-- g_warning("failed to register ID\n");
-+ g_warning("Failed to register ID\n");
-+ goto done;
-+ }
-+
-+ /* Use only X509 certs to validate the signature */
-+ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
-+ BAD_CAST xmlSecKeyDataX509Id) < 0) {
-+ g_warning("Failed to limit allowed key data\n");
- goto done;
- }
-
---
-2.39.3
-
diff --git a/sources b/sources
index f9368fe..0a2671d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (open-vm-tools-12.2.5-21855600.tar.gz) = 72db3b88f61624d26e8ff7e37e4fc52ecd0bec0b6f076d935870c03312321c5e0b406d05eae7012872734a50626ed760dff2cf872e26ec18ebf200aff5ed12ef
+SHA512 (open-vm-tools-12.3.5-22544099.tar.gz) = 7a81d929ea4871b8af0af0fa3dc62a821ac4286235255103f1bcf014e3b04b5bbbfa178a9328a16d67cfd595c4ce726dc9e195adbe21ec5c68a4d1abb1561ff6