Add fix for CVE-2023-20867

2023-07-12 07:38:36 +00:00 · 2023-07-12 07:38:36 +00:00 · 7a51a30c62
commit 7a51a30c62
parent fd0e66a463
2 changed files with 175 additions and 1 deletions
--- a/SOURCES/ovt-Remove-some-dead-code.patch
+++ b/SOURCES/ovt-Remove-some-dead-code.patch
@ -0,0 +1,169 @@
 From 8d2f9bdeafbdca395c22bc051c508d967b178ff4 Mon Sep 17 00:00:00 2001
 From: John Wolfe <jwolfe@vmware.com>
 Date: Mon, 8 May 2023 19:04:57 -0700
 Subject: [PATCH] Remove some dead code.
 RH-Author: Ani Sinha <None>
 RH-MergeRequest: 4: Remove some dead code.
 RH-Bugzilla: 2215566
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
 RH-Commit: [1/1] 4601ac4b341378b23d3afe8a9089c369061b45a5 (anisinha/centos-open-vm-tools)
 Address CVE-2023-20867.
 Remove some authentication types which were deprecated long
 ago and are no longer in use. These are dead code.
 Cherry-picked from
 https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch
 Signed-off-by: Ani Sinha <anisinha@redhat.com>
 Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
 Reviewed-by: Alex Burmashev <alexander.burmashev@oracle.com>
 ---
 open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
 1 file changed, 102 deletions(-)
 diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
 index 9f376a72..85c5ba74 100644
 --- a/open-vm-tools/services/plugins/vix/vixTools.c
 +++ b/open-vm-tools/services/plugins/vix/vixTools.c
@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
 #define  VIX_TOOLS_CONFIG_API_AUTHENTICATION          "Authentication"
 #define  VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS             "InfrastructureAgents"
 -#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT  TRUE
 -
 /*
  * The switch that controls all APIs
  */
@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
 void GuestAuthUnimpersonate();
 -static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
 -                                                     const char *typeName);
 -
 #if SUPPORT_VGAUTH
 VGAuthError TheVGAuthContext(VGAuthContext **ctx);
@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg,   // IN
                                           userToken);
       break;
    }
 -   case VIX_USER_CREDENTIAL_ROOT:
 -   {
 -      if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
 -          !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
 -                                            VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
 -          /*
 -           * Don't accept hashed shared secret if disabled.
 -           */
 -          g_message("%s: Requested authentication type has been disabled.\n",
 -                    __FUNCTION__);
 -          err = VIX_E_GUEST_AUTHTYPE_DISABLED;
 -          goto done;
 -      }
 -   }
 -   // fall through
 -
 -   case VIX_USER_CREDENTIAL_CONSOLE_USER:
 -      err = VixToolsImpersonateUserImplEx(NULL,
 -                                          credentialType,
 -                                          NULL,
 -                                          loadUserProfile,
 -                                          userToken);
 -      break;
    case VIX_USER_CREDENTIAL_NAME_PASSWORD:
    case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
    case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
@@ -8204,36 +8176,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr,         // IN
          }
       }
 -      /*
 -       * If the VMX asks to be root, then we allow them.
 -       * The VMX will make sure that only it will pass this value in,
 -       * and only when the VM and host are configured to allow this.
 -       */
 -      if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
 -            && (thisProcessRunsAsRoot)) {
 -         *userToken = PROCESS_CREATOR_USER_TOKEN;
 -
 -         gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
 -         err = VIX_OK;
 -         goto quit;
 -      }
 -
 -      /*
 -       * If the VMX asks to be root, then we allow them.
 -       * The VMX will make sure that only it will pass this value in,
 -       * and only when the VM and host are configured to allow this.
 -       *
 -       * XXX This has been deprecated XXX
 -       */
 -      if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
 -            && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
 -         *userToken = PROCESS_CREATOR_USER_TOKEN;
 -
 -         gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
 -         err = VIX_OK;
 -         goto quit;
 -      }
 -
       /*
        * If the VMX asks us to run commands in the context of the current
        * user, make sure that the user who requested the command is the
@@ -10914,50 +10856,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode,                          // IN
 }
 -/*
 - *-----------------------------------------------------------------------------
 - *
 - * VixToolsCheckIfAuthenticationTypeEnabled --
 - *
 - *    Checks to see if a given authentication type has been
 - *    disabled via the tools configuration.
 - *
 - * Return value:
 - *    TRUE if enabled, FALSE otherwise.
 - *
 - * Side effects:
 - *    None
 - *
 - *-----------------------------------------------------------------------------
 - */
 -
 -static Bool
 -VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,     // IN
 -                                         const char *typeName)      // IN
 -{
 -   char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
 -   gboolean disabled;
 -
 -   Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
 -                VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
 -                typeName);
 -
 -   ASSERT(confDictRef != NULL);
 -
 -   /*
 -    * XXX Skip doing the strcmp() to verify the auth type since we only
 -    * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
 -    * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
 -    */
 -   disabled = VMTools_ConfigGetBoolean(confDictRef,
 -                                       VIX_TOOLS_CONFIG_API_GROUPNAME,
 -                                       authnDisabledName,
 -                                       VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
 -
 -   return !disabled;
 -}
 -
 -
 /*
  *-----------------------------------------------------------------------------
  *
 -- 
 2.39.3
--- a/SPECS/open-vm-tools.spec
+++ b/SPECS/open-vm-tools.spec
@ -32,7 +32,7 @@
 Name:             open-vm-tools
 Version:          %{toolsversion}
-Release:          1%{?dist}
+Release:          2%{?dist}.alma
 Summary:          Open Virtual Machine Tools for virtual machines hosted on VMware
 License:          GPLv2
 URL:              https://github.com/vmware/%{name}
@ -52,6 +52,8 @@ ExclusiveArch:    %{ix86} x86_64 aarch64
 %endif
 #Patch0: name.patch
 # [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module
 Patch1: ovt-Remove-some-dead-code.patch
 BuildRequires:    autoconf
 BuildRequires:    automake
@ -410,6 +412,9 @@ fi
 %{_bindir}/vmware-vgauth-smoketest
 %changelog
 * Wed Jul 12 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 12.1.5-2.el8_8.alma
 - [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module
 * Fri Dec 09 2022 Miroslav Rezanina <mrezanin@redhat.com> 12.1.5-1
 - Rebase to open-vm-tools 12.1.5 [bz#2150188]
 - Resolves: bz#2150188