From 9f9ba5e4a8cbc56d484a0bc818d48a3226749d23 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <andrew.lukoshko@gmail.com>
Date: Wed, 12 Jul 2023 07:31:55 +0000
Subject: [PATCH] Add fix for CVE-2023-20867

---
 SOURCES/ovt-Remove-some-dead-code.patch | 169 ++++++++++++++++++++++++
 SPECS/open-vm-tools.spec                |   7 +-
 2 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/ovt-Remove-some-dead-code.patch

diff --git a/SOURCES/ovt-Remove-some-dead-code.patch b/SOURCES/ovt-Remove-some-dead-code.patch
new file mode 100644
index 0000000..f17480d
--- /dev/null
+++ b/SOURCES/ovt-Remove-some-dead-code.patch
@@ -0,0 +1,169 @@
+From 8d2f9bdeafbdca395c22bc051c508d967b178ff4 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Mon, 8 May 2023 19:04:57 -0700
+Subject: [PATCH] Remove some dead code.
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 4: Remove some dead code.
+RH-Bugzilla: 2215566
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Commit: [1/1] 4601ac4b341378b23d3afe8a9089c369061b45a5 (anisinha/centos-open-vm-tools)
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+
+Cherry-picked from
+https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch
+
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
+Reviewed-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index 9f376a72..85c5ba74 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
+ #define  VIX_TOOLS_CONFIG_API_AUTHENTICATION          "Authentication"
+ #define  VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS             "InfrastructureAgents"
+ 
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT  TRUE
+-
+ /*
+  * The switch that controls all APIs
+  */
+@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+ 
+ void GuestAuthUnimpersonate();
+ 
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+-                                                     const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+ 
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg,   // IN
+                                           userToken);
+       break;
+    }
+-   case VIX_USER_CREDENTIAL_ROOT:
+-   {
+-      if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+-          !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+-                                            VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+-          /*
+-           * Don't accept hashed shared secret if disabled.
+-           */
+-          g_message("%s: Requested authentication type has been disabled.\n",
+-                    __FUNCTION__);
+-          err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+-          goto done;
+-      }
+-   }
+-   // fall through
+-
+-   case VIX_USER_CREDENTIAL_CONSOLE_USER:
+-      err = VixToolsImpersonateUserImplEx(NULL,
+-                                          credentialType,
+-                                          NULL,
+-                                          loadUserProfile,
+-                                          userToken);
+-      break;
+    case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+    case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+    case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8204,36 +8176,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr,         // IN
+          }
+       }
+ 
+-      /*
+-       * If the VMX asks to be root, then we allow them.
+-       * The VMX will make sure that only it will pass this value in,
+-       * and only when the VM and host are configured to allow this.
+-       */
+-      if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+-            && (thisProcessRunsAsRoot)) {
+-         *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-         gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+-         err = VIX_OK;
+-         goto quit;
+-      }
+-
+-      /*
+-       * If the VMX asks to be root, then we allow them.
+-       * The VMX will make sure that only it will pass this value in,
+-       * and only when the VM and host are configured to allow this.
+-       *
+-       * XXX This has been deprecated XXX
+-       */
+-      if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+-            && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+-         *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-         gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+-         err = VIX_OK;
+-         goto quit;
+-      }
+-
+       /*
+        * If the VMX asks us to run commands in the context of the current
+        * user, make sure that the user who requested the command is the
+@@ -10914,50 +10856,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode,                          // IN
+ }
+ 
+ 
+-/*
+- *-----------------------------------------------------------------------------
+- *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- *    Checks to see if a given authentication type has been
+- *    disabled via the tools configuration.
+- *
+- * Return value:
+- *    TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- *    None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,     // IN
+-                                         const char *typeName)      // IN
+-{
+-   char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
+-   gboolean disabled;
+-
+-   Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+-                VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+-                typeName);
+-
+-   ASSERT(confDictRef != NULL);
+-
+-   /*
+-    * XXX Skip doing the strcmp() to verify the auth type since we only
+-    * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+-    * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+-    */
+-   disabled = VMTools_ConfigGetBoolean(confDictRef,
+-                                       VIX_TOOLS_CONFIG_API_GROUPNAME,
+-                                       authnDisabledName,
+-                                       VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+-   return !disabled;
+-}
+-
+-
+ /*
+  *-----------------------------------------------------------------------------
+  *
+-- 
+2.39.3
+
diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec
index 2ffc612..e0b696f 100644
--- a/SPECS/open-vm-tools.spec
+++ b/SPECS/open-vm-tools.spec
@@ -32,7 +32,7 @@
 
 Name:             open-vm-tools
 Version:          %{toolsversion}
-Release:          1%{?dist}
+Release:          1%{?dist}.1.alma
 Summary:          Open Virtual Machine Tools for virtual machines hosted on VMware
 License:          GPLv2
 URL:              https://github.com/vmware/%{name}
@@ -52,6 +52,8 @@ ExclusiveArch:    %{ix86} x86_64 aarch64
 %endif
 
 #Patch0: name.patch
+# [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module
+Patch1: ovt-Remove-some-dead-code.patch
 
 BuildRequires:    autoconf
 BuildRequires:    automake
@@ -409,6 +411,9 @@ fi
 %files test
 %{_bindir}/vmware-vgauth-smoketest
 %changelog
+* Wed Jul 12 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 12.1.5-1.el9_2.1.alma
+- [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module
+
 * Fri Dec 09 2022 Miroslav Rezanina <mrezanin@redhat.com> - 12.1.5-1
 - Rebase to open-vm-tools 12.1.5 [bz#2150190]
 - Resolves: bz#2150190