diff --git a/.gitignore b/.gitignore index f1ea39d..726ec59 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ /open-vm-tools-12.1.0-20219665.tar.gz /open-vm-tools-12.1.5-20735119.tar.gz /open-vm-tools-12.2.0-21223074.tar.gz +/open-vm-tools-12.2.5-21855600.tar.gz diff --git a/open-vm-tools.spec b/open-vm-tools.spec index c18dd91..c86d8dc 100644 --- a/open-vm-tools.spec +++ b/open-vm-tools.spec @@ -20,8 +20,8 @@ %global _hardened_build 1 %global majorversion 12.2 -%global minorversion 0 -%global toolsbuild 21223074 +%global minorversion 5 +%global toolsbuild 21855600 %global toolsversion %{majorversion}.%{minorversion} %global toolsdaemon vmtoolsd %global vgauthdaemon vgauthd @@ -32,7 +32,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 3%{?dist} +Release: 1%{?dist} Summary: Open Virtual Machine Tools for virtual machines hosted on VMware License: GPLv2 URL: https://github.com/vmware/%{name} @@ -52,8 +52,6 @@ ExclusiveArch: %{ix86} x86_64 aarch64 %endif #Patch0: name.patch -# For bz#2215566 - [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-br-9] -Patch1: ovt-Remove-some-dead-code.patch BuildRequires: autoconf BuildRequires: automake @@ -411,6 +409,11 @@ fi %files test %{_bindir}/vmware-vgauth-smoketest %changelog +* Mon Jul 10 2023 Miroslav Rezanina - 12.2.5-1 +- Rebaer to open-vm-tools 12.2.5 +- Resolves: bz#2214862 + ([ESXi][RHEL9]open-vm-tools version 12.2.5 has been released - please rebase) + * Tue Jun 27 2023 Miroslav Rezanina - 12.2.0-3 - ovt-Remove-some-dead-code.patch [bz#2215566] - Resolves: bz#2215566 diff --git a/ovt-Remove-some-dead-code.patch b/ovt-Remove-some-dead-code.patch deleted file mode 100644 index fae4744..0000000 --- a/ovt-Remove-some-dead-code.patch +++ /dev/null 
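Review bot: The new %changelog entry in the last open-vm-tools.spec hunk does not record that Patch1 (ovt-Remove-some-dead-code.patch, the CVE-2023-20867 backport tracked in bz#2215566) is dropped by this rebase, although the `@@ -52,8 +52,6 @@` hunk removes it. As written, the package history never states that the fix is now expected to come from the 12.2.5 tarball rather than from the downstream patch. Before merging, confirm that vixTools.c in the new tarball no longer contains the `VIX_USER_CREDENTIAL_ROOT` and `VIX_USER_CREDENTIAL_CONSOLE_USER` branches the patch removed. If it does not, add a line such as `- Drop ovt-Remove-some-dead-code.patch (CVE-2023-20867), included in the rebased sources`. The same entry also misspells "Rebase" as `Rebaer`.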
@@ -1,167 +0,0 @@ -From 8d2f9bdeafbdca395c22bc051c508d967b178ff4 Mon Sep 17 00:00:00 2001 -From: John Wolfe -Date: Mon, 8 May 2023 19:04:57 -0700 -Subject: [PATCH] Remove some dead code. - -RH-Author: Ani Sinha -RH-MergeRequest: 4: Remove some dead code. -RH-Bugzilla: 2215566 -RH-Acked-by: Miroslav Rezanina -RH-Commit: [1/1] 4601ac4b341378b23d3afe8a9089c369061b45a5 (anisinha/centos-open-vm-tools) - -Address CVE-2023-20867. -Remove some authentication types which were deprecated long -ago and are no longer in use. These are dead code. - -Cherry-picked from -https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch - -Signed-off-by: Ani Sinha ---- - open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------ - 1 file changed, 102 deletions(-) - -diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c -index 9f376a72..85c5ba74 100644 ---- a/open-vm-tools/services/plugins/vix/vixTools.c -+++ b/open-vm-tools/services/plugins/vix/vixTools.c -@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL; - #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication" - #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents" - --#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE -- - /* - * The switch that controls all APIs - */ -@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate( - - void GuestAuthUnimpersonate(); - --static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, -- const char *typeName); -- - #if SUPPORT_VGAUTH - - VGAuthError TheVGAuthContext(VGAuthContext **ctx); -@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN - userToken); - break; - } -- case VIX_USER_CREDENTIAL_ROOT: -- { -- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) && -- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef, -- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) { -- /* -- * 
Don't accept hashed shared secret if disabled. -- */ -- g_message("%s: Requested authentication type has been disabled.\n", -- __FUNCTION__); -- err = VIX_E_GUEST_AUTHTYPE_DISABLED; -- goto done; -- } -- } -- // fall through -- -- case VIX_USER_CREDENTIAL_CONSOLE_USER: -- err = VixToolsImpersonateUserImplEx(NULL, -- credentialType, -- NULL, -- loadUserProfile, -- userToken); -- break; - case VIX_USER_CREDENTIAL_NAME_PASSWORD: - case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED: - case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER: -@@ -8204,36 +8176,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN - } - } - -- /* -- * If the VMX asks to be root, then we allow them. -- * The VMX will make sure that only it will pass this value in, -- * and only when the VM and host are configured to allow this. -- */ -- if ((VIX_USER_CREDENTIAL_ROOT == credentialType) -- && (thisProcessRunsAsRoot)) { -- *userToken = PROCESS_CREATOR_USER_TOKEN; -- -- gImpersonatedUsername = Util_SafeStrdup("_ROOT_"); -- err = VIX_OK; -- goto quit; -- } -- -- /* -- * If the VMX asks to be root, then we allow them. -- * The VMX will make sure that only it will pass this value in, -- * and only when the VM and host are configured to allow this. 
-- * -- * XXX This has been deprecated XXX -- */ -- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType) -- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) { -- *userToken = PROCESS_CREATOR_USER_TOKEN; -- -- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_"); -- err = VIX_OK; -- goto quit; -- } -- - /* - * If the VMX asks us to run commands in the context of the current - * user, make sure that the user who requested the command is the -@@ -10914,50 +10856,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN - } - - --/* -- *----------------------------------------------------------------------------- -- * -- * VixToolsCheckIfAuthenticationTypeEnabled -- -- * -- * Checks to see if a given authentication type has been -- * disabled via the tools configuration. -- * -- * Return value: -- * TRUE if enabled, FALSE otherwise. -- * -- * Side effects: -- * None -- * -- *----------------------------------------------------------------------------- -- */ -- --static Bool --VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN -- const char *typeName) // IN --{ -- char authnDisabledName[64]; // Authentication..disabled -- gboolean disabled; -- -- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName), -- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled", -- typeName); -- -- ASSERT(confDictRef != NULL); -- -- /* -- * XXX Skip doing the strcmp() to verify the auth type since we only -- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default -- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT. -- */ -- disabled = VMTools_ConfigGetBoolean(confDictRef, -- VIX_TOOLS_CONFIG_API_GROUPNAME, -- authnDisabledName, -- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT); -- -- return !disabled; --} -- -- - /* - *----------------------------------------------------------------------------- - * --- -2.39.3 - diff --git a/sources b/sources index a358198..f9368fe 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (open-vm-tools-12.2.0-21223074.tar.gz) = d663d8ea455264cad7d3eaac16c5d08672e8e10f7a9171be40fff69e208ae697bc0e8af498c978d8de470ed273351b42c54994b2c552fdc05b828c80f4826b84
+SHA512 (open-vm-tools-12.2.5-21855600.tar.gz) = 72db3b88f61624d26e8ff7e37e4fc52ecd0bec0b6f076d935870c03312321c5e0b406d05eae7012872734a50626ed760dff2cf872e26ec18ebf200aff5ed12ef