From f1eb4299aaec32c4a5339e8a2014b8bbcfea013d Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Thu, 21 Sep 2023 12:05:14 +0300
Subject: [PATCH] - Allow only X509 certs to verify the SAML token signature.

---
 ...y-X509-certs-to-verify-the-SAML-toke.patch | 37 +++++++++++++++++++
 SPECS/open-vm-tools.spec                      |  8 +++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch

diff --git a/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch b/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
new file mode 100644
index 0000000..3a06b7f
--- /dev/null
+++ b/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
@@ -0,0 +1,37 @@
+From 2dc6f33e455c7d0dceb2d444632b35806613c510 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Thu, 7 Sep 2023 02:27:50 -0400
+Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token
+ signature.
+
+RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Bugzilla: 2236544
+RH-CVE: CVE-2023-20900
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index f5541a9a..0b2a945b 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
+     */
+    bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
+    if (bRet == FALSE) {
+-      g_warning("failed to register ID\n");
++      g_warning("Failed to register ID\n");
++      goto done;
++   }
++
++   /* Use only X509 certs to validate the signature */
++   if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
++                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
++      g_warning("Failed to limit allowed key data\n");
+       goto done;
+    }
+ 
+-- 
+2.39.3
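Review bot: The comment `/* Use only X509 certs to validate the signature */` says what the xmlSecPtrListAdd call does but not why, and the rationale is the whole point of this fix; a comment such as `/* CVE-2023-20900: restrict KeyInfo to X509 key data so the signature is only ever verified against a certificate, not against key material that presumably could be supplied inside the token itself */` would let a maintainer understand the line without looking up the bug. Whether the selected certificate is then checked against the configured trusted certificates is outside this hunk and cannot be confirmed here. The change from `"failed to register ID\n"` to `"Failed to register ID\n"` is cosmetic and unrelated to the CVE, which makes the backport diff larger than it needs to be. VerifySignature begins and ends outside the hunk, so dsigCtx's allocation and the `done:` cleanup path are not visible.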
diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec
index 8b95b10..d5058c9 100644
--- a/SPECS/open-vm-tools.spec
+++ b/SPECS/open-vm-tools.spec
@@ -32,7 +32,7 @@
 
 Name:             open-vm-tools
 Version:          %{toolsversion}
-Release:          1%{?dist}.2.alma.1
+Release:          1%{?dist}.3.alma.1
 Summary:          Open Virtual Machine Tools for virtual machines hosted on VMware
 License:          GPLv2
 URL:              https://github.com/vmware/%{name}
@@ -54,8 +54,11 @@ ExclusiveArch:    %{ix86} x86_64 aarch64
 #Patch0: name.patch
 # [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module
 Patch1: ovt-Remove-some-dead-code.patch
+# Patches were taken from:
 # https://github.com/vmware/open-vm-tools/commit/9d458c53a7a656d4d1ba3a28d090cce82ac4af0e.patch
 Patch2: Track-Linux-filesystem-id-FSID-for-quiesced-frozen-filesystems.patch
+# https://gitlab.com/redhat/centos-stream/rpms/open-vm-tools/-/raw/fd4d578cf736199d35bd8531b9a53d2fcabc22ae/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
+Patch3: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
 
 BuildRequires:    autoconf
 BuildRequires:    automake
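Review bot: The hunk declares `Patch3:` but no corresponding change to `%prep` appears anywhere in this diff; if the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, the new patch is shipped in the SRPM yet never applied, and the build would most likely still succeed without the CVE fix. Confirm that `%prep` (outside this diff) picks up Patch3, or add `%patch3 -p1` next to wherever Patch2 is applied. The inserted `# Patches were taken from:` comment sits below `Patch1:` and above the Patch2 URL, so it reads as covering only Patch2 and Patch3; rewording it as `# Patch2 and Patch3 were taken from:` would make the intent unambiguous.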
@@ -414,6 +417,9 @@ fi
 %{_bindir}/vmware-vgauth-smoketest
 
 %changelog
+* Thu Sep 21 2023 Eduard Abdullin <eabdullin@almalinux.org> - 12.1.5-1.el9_2.3.alma.1
+- Allow only X509 certs to verify the SAML token signature.
+
 * Tue Sep 12 2023 Eduard Abdullin <eabdullin@almalinux.org> - 12.1.5-1.el9_2.2.alma.1
 - Track Linux filesystem id (FSID) for quiesced (frozen) filesystems