* Mon Jul 10 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.2.5-1

- Rebase to open-vm-tools 12.2.5
- Resolves: bz#2214862
  ([ESXi][RHEL9]open-vm-tools version 12.2.5 has been released - please rebase)
Miroslav Rezanina 2023-07-10 06:41:47 -04:00
parent 3acf871171
commit 592b750d34
4 changed files with 10 additions and 173 deletions

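--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 /open-vm-tools-12.1.0-20219665.tar.gz
 /open-vm-tools-12.1.5-20735119.tar.gz
 /open-vm-tools-12.2.0-21223074.tar.gz
+/open-vm-tools-12.2.5-21855600.tar.gz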


@ -20,8 +20,8 @@
%global _hardened_build 1 %global _hardened_build 1
%global majorversion 12.2 %global majorversion 12.2
%global minorversion 0 %global minorversion 5
%global toolsbuild 21223074 %global toolsbuild 21855600
%global toolsversion %{majorversion}.%{minorversion} %global toolsversion %{majorversion}.%{minorversion}
%global toolsdaemon vmtoolsd %global toolsdaemon vmtoolsd
%global vgauthdaemon vgauthd %global vgauthdaemon vgauthd
@ -32,7 +32,7 @@
Name: open-vm-tools Name: open-vm-tools
Version: %{toolsversion} Version: %{toolsversion}
Release: 3%{?dist} Release: 1%{?dist}
Summary: Open Virtual Machine Tools for virtual machines hosted on VMware Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
License: GPLv2 License: GPLv2
URL: https://github.com/vmware/%{name} URL: https://github.com/vmware/%{name}
@ -52,8 +52,6 @@ ExclusiveArch: %{ix86} x86_64 aarch64
%endif %endif
#Patch0: name.patch #Patch0: name.patch
# For bz#2215566 - [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-br-9]
Patch1: ovt-Remove-some-dead-code.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -411,6 +409,11 @@ fi
%files test %files test
%{_bindir}/vmware-vgauth-smoketest %{_bindir}/vmware-vgauth-smoketest
%changelog %changelog
* Mon Jul 10 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.2.5-1
- Rebaer to open-vm-tools 12.2.5
- Resolves: bz#2214862
([ESXi][RHEL9]open-vm-tools version 12.2.5 has been released - please rebase)
* Tue Jun 27 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.2.0-3 * Tue Jun 27 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.2.0-3
- ovt-Remove-some-dead-code.patch [bz#2215566] - ovt-Remove-some-dead-code.patch [bz#2215566]
- Resolves: bz#2215566 - Resolves: bz#2215566
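Review bot: The new 12.2.5-1 changelog entry does not record that `Patch1: ovt-Remove-some-dead-code.patch`, the CVE-2023-20867 backport for bz#2215566, is dropped in the `-52,8 +52,6` hunk, and nothing on this page shows that the 12.2.5 tarball already carries that removal. Before merging I would confirm that the `VIX_USER_CREDENTIAL_ROOT` and `VIX_USER_CREDENTIAL_CONSOLE_USER` cases are gone from `VixToolsImpersonateUser` in the 12.2.5 `vixTools.c`. Then add a changelog line such as `- Drop ovt-Remove-some-dead-code.patch, fix for CVE-2023-20867 is included in 12.2.5 [bz#2215566]`, so that anyone auditing the package from its changelog still sees the CVE as addressed. The same entry also misspells "Rebase" as `Rebaer`.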


@ -1,167 +0,0 @@
From 8d2f9bdeafbdca395c22bc051c508d967b178ff4 Mon Sep 17 00:00:00 2001
From: John Wolfe <jwolfe@vmware.com>
Date: Mon, 8 May 2023 19:04:57 -0700
Subject: [PATCH] Remove some dead code.
RH-Author: Ani Sinha <None>
RH-MergeRequest: 4: Remove some dead code.
RH-Bugzilla: 2215566
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [1/1] 4601ac4b341378b23d3afe8a9089c369061b45a5 (anisinha/centos-open-vm-tools)
Address CVE-2023-20867.
Remove some authentication types which were deprecated long
ago and are no longer in use. These are dead code.
Cherry-picked from
https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch
Signed-off-by: Ani Sinha <anisinha@redhat.com>
---
open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
1 file changed, 102 deletions(-)
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
index 9f376a72..85c5ba74 100644
--- a/open-vm-tools/services/plugins/vix/vixTools.c
+++ b/open-vm-tools/services/plugins/vix/vixTools.c
@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
#define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
#define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
-
/*
* The switch that controls all APIs
*/
@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
void GuestAuthUnimpersonate();
-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
- const char *typeName);
-
#if SUPPORT_VGAUTH
VGAuthError TheVGAuthContext(VGAuthContext **ctx);
@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
userToken);
break;
}
- case VIX_USER_CREDENTIAL_ROOT:
- {
- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
- /*
- * Don't accept hashed shared secret if disabled.
- */
- g_message("%s: Requested authentication type has been disabled.\n",
- __FUNCTION__);
- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
- goto done;
- }
- }
- // fall through
-
- case VIX_USER_CREDENTIAL_CONSOLE_USER:
- err = VixToolsImpersonateUserImplEx(NULL,
- credentialType,
- NULL,
- loadUserProfile,
- userToken);
- break;
case VIX_USER_CREDENTIAL_NAME_PASSWORD:
case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
@@ -8204,36 +8176,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
}
}
- /*
- * If the VMX asks to be root, then we allow them.
- * The VMX will make sure that only it will pass this value in,
- * and only when the VM and host are configured to allow this.
- */
- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
- && (thisProcessRunsAsRoot)) {
- *userToken = PROCESS_CREATOR_USER_TOKEN;
-
- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
- err = VIX_OK;
- goto quit;
- }
-
- /*
- * If the VMX asks to be root, then we allow them.
- * The VMX will make sure that only it will pass this value in,
- * and only when the VM and host are configured to allow this.
- *
- * XXX This has been deprecated XXX
- */
- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
- *userToken = PROCESS_CREATOR_USER_TOKEN;
-
- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
- err = VIX_OK;
- goto quit;
- }
-
/*
* If the VMX asks us to run commands in the context of the current
* user, make sure that the user who requested the command is the
@@ -10914,50 +10856,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
}
-/*
- *-----------------------------------------------------------------------------
- *
- * VixToolsCheckIfAuthenticationTypeEnabled --
- *
- * Checks to see if a given authentication type has been
- * disabled via the tools configuration.
- *
- * Return value:
- * TRUE if enabled, FALSE otherwise.
- *
- * Side effects:
- * None
- *
- *-----------------------------------------------------------------------------
- */
-
-static Bool
-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
- const char *typeName) // IN
-{
- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
- gboolean disabled;
-
- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
- typeName);
-
- ASSERT(confDictRef != NULL);
-
- /*
- * XXX Skip doing the strcmp() to verify the auth type since we only
- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
- */
- disabled = VMTools_ConfigGetBoolean(confDictRef,
- VIX_TOOLS_CONFIG_API_GROUPNAME,
- authnDisabledName,
- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
-
- return !disabled;
-}
-
-
/*
*-----------------------------------------------------------------------------
*
--
2.39.3


@ -1 +1 @@
SHA512 (open-vm-tools-12.2.0-21223074.tar.gz) = d663d8ea455264cad7d3eaac16c5d08672e8e10f7a9171be40fff69e208ae697bc0e8af498c978d8de470ed273351b42c54994b2c552fdc05b828c80f4826b84 SHA512 (open-vm-tools-12.2.5-21855600.tar.gz) = 72db3b88f61624d26e8ff7e37e4fc52ecd0bec0b6f076d935870c03312321c5e0b406d05eae7012872734a50626ed760dff2cf872e26ec18ebf200aff5ed12ef