- File descriptor vulnerability in the open-vm-tools

vmware-user-suid-wrapperx on Linux - Don't accept tokens with unrelated certs
Merge branch 'c8' into a8
2023-11-16 12:39:11 +03:00 · 2023-11-16 11:14:33 +03:00 · 2023-09-21 13:26:43 +03:00 · 2023-09-21 13:25:45 +03:00 · 2023-07-12 07:38:36 +00:00
6 changed files with 838 additions and 2 deletions
--- a/SOURCES/Dont-accept-tokens-with-unrelated-certs.patch
+++ b/SOURCES/Dont-accept-tokens-with-unrelated-certs.patch
@ -0,0 +1,255 @@
+From 1bfe23d728b74e08f4f65cd9b0093ca73937003a Mon Sep 17 00:00:00 2001
+From: Katy Feng <fkaty@vmware.com>
+Date: Tue, 17 Oct 2023 15:24:48 -0700
+Subject: [PATCH] Don't accept tokens with unrelated certs
+
+If a SAML token has a cert that's not a part of a chain,
+fail the token as invalid.
+---
+ open-vm-tools/vgauth/common/certverify.c      | 147 +++++++++++++++++-
+ open-vm-tools/vgauth/common/certverify.h      |   6 +-
+ open-vm-tools/vgauth/common/prefs.h           |   4 +-
+ .../vgauth/serviceImpl/saml-xmlsec1.c         |  14 ++
+ 4 files changed, 168 insertions(+), 3 deletions(-)
+
+diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c
+index 0ed78edb0..845f59b91 100644
+--- a/open-vm-tools/vgauth/common/certverify.c
+++ b/open-vm-tools/vgauth/common/certverify.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016, 2018-2019, 2021-2022 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2016, 2018-2019, 2021-2023 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -914,3 +914,148 @@ done:
+ 
+    return err;
+ }
+
+
+/*
+ * Finds a cert with a subject (if checkSubj is set) or issuer (if
+ * checkSUbj is unset), matching 'val' in the list
+ * of certs.  Returns a match or NULL.
+ */
+
+static X509 *
+FindCert(GList *cList,
+         X509_NAME *val,
+         int checkSubj)
+{
+   GList *l;
+   X509 *c;
+   X509_NAME *v;
+
+   l = cList;
+   while (l != NULL) {
+      c = (X509 *) l->data;
+      if (checkSubj) {
+         v = X509_get_subject_name(c);
+      } else {
+         v = X509_get_issuer_name(c);
+      }
+      if (X509_NAME_cmp(val, v) == 0) {
+         return c;
+      }
+      l = l->next;
+   }
+   return NULL;
+}
+
+
+/*
+ ******************************************************************************
+ * CertVerify_CheckForUnrelatedCerts --                                  */ /**
+ *
+ * Looks over a list of certs.  If it finds that they are not all
+ * part of the same chain, returns failure.
+ *
+ * @param[in]     numCerts      The number of certs in the chain.
+ * @param[in]     pemCerts      The chain of certificates to verify.
+ *
+ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
+ *
+ ******************************************************************************
+ */
+
+VGAuthError
+CertVerify_CheckForUnrelatedCerts(int numCerts,
+                                  const char **pemCerts)
+{
+   VGAuthError err = VGAUTH_E_FAIL;
+   int chainLen = 0;
+   int i;
+   X509 **certs = NULL;
+   GList *rawList = NULL;
+   X509 *baseCert;
+   X509 *curCert;
+   X509_NAME *subject;
+   X509_NAME *issuer;
+
+   /* common single cert case; nothing to do */
+   if (numCerts == 1) {
+      return VGAUTH_E_OK;
+   }
+
+   /* convert all PEM to X509 objects */
+   certs = g_malloc0(numCerts * sizeof(X509 *));
+   for (i = 0; i < numCerts; i++) {
+      certs[i] = CertStringToX509(pemCerts[i]);
+      if (NULL == certs[i]) {
+         g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
+         goto done;
+      }
+   }
+
+   /* choose the cert to start the chain.  shouldn't matter which */
+   baseCert = certs[0];
+
+   /* put the rest into a list */
+   for (i = 1; i < numCerts; i++) {
+      rawList = g_list_append(rawList, certs[i]);
+   }
+
+   /* now chase down to a leaf, looking for certs the baseCert issued */
+   subject = X509_get_subject_name(baseCert);
+   while ((curCert = FindCert(rawList, subject, 0)) != NULL) {
+      /* pull it from the list */
+      rawList = g_list_remove(rawList, curCert);
+      /* set up the next find */
+      subject = X509_get_subject_name(curCert);
+   }
+
+   /*
+    * walk up to the root cert, by finding a cert where the
+    * issuer equals the subject of the current
+    */
+   issuer = X509_get_issuer_name(baseCert);
+   while ((curCert = FindCert(rawList, issuer, 1)) != NULL) {
+      /* pull it from the list */
+      rawList = g_list_remove(rawList, curCert);
+      /* set up the next find */
+      issuer = X509_get_issuer_name(curCert);
+   }
+
+   /*
+    * At this point, anything on the list should be certs that are not part
+    * of the chain that includes the original 'baseCert'.
+    *
+    * For a valid token, the list should be empty.
+    */
+   chainLen = g_list_length(rawList);
+   if (chainLen != 0 ) {
+      GList *l;
+
+      g_warning("%s: %d unrelated certs found in list\n",
+                __FUNCTION__, chainLen);
+
+      /* debug helper */
+      l = rawList;
+      while (l != NULL) {
+         X509* c = (X509 *) l->data;
+         char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0);
+
+         g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s);
+         free(s);
+         l = l->next;
+      }
+
+      goto done;
+   }
+
+   g_debug("%s: Success!  no unrelated certs found\n", __FUNCTION__);
+   err = VGAUTH_E_OK;
+
+done:
+   g_list_free(rawList);
+   for (i = 0; i < numCerts; i++) {
+      X509_free(certs[i]);
+   }
+   g_free(certs);
+   return err;
+}
+diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h
+index d7c6410b6..89ec97a10 100644
+--- a/open-vm-tools/vgauth/common/certverify.h
+++ b/open-vm-tools/vgauth/common/certverify.h
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016, 2020 VMware, Inc. All rights reserved.
+ * Copyright (C) 2011-2016, 2020, 2023 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -67,6 +67,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash,
+                                                size_t signatureLen,
+                                                const unsigned char *signature);
+ 
+
+VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts,
+                                              const char **pemCerts);
+
+ gchar * CertVerify_StripPEMCert(const gchar *pemCert);
+ 
+ gchar * CertVerify_CertToX509String(const gchar *pemCert);
+diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h
+index ff116928c..6c58f3f4b 100644
+--- a/open-vm-tools/vgauth/common/prefs.h
+++ b/open-vm-tools/vgauth/common/prefs.h
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2019 VMware, Inc. All rights reserved.
+ * Copyright (C) 2011-2019,2023 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages
+ #define VGAUTH_PREF_ALIASSTORE_DIR         "aliasStoreDir"
+ /** The number of seconds slack allowed in either direction in SAML token date checks. */
+ #define VGAUTH_PREF_CLOCK_SKEW_SECS        "clockSkewAdjustment"
+/** If unrelated certificates are allowed in a SAML token */
+#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS  "allowUnrelatedCerts"
+ 
+ /** Ticket group name. */
+ #define VGAUTH_PREF_GROUP_NAME_TICKET      "ticket"
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index 14cba1b5b..57e931626 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -49,6 +49,7 @@
+ #include "vmxlog.h"
+ 
+ static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS;
+static gboolean gAllowUnrelatedCerts = FALSE;
+ static xmlSchemaPtr gParsedSchemas = NULL;
+ static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL;
+ 
+@@ -369,6 +370,10 @@ LoadPrefs(void)
+                                       VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS);
+     Log("%s: Allowing %d of clock skew for SAML date validation\n",
+         __FUNCTION__, gClockSkewAdjustment);
+    gAllowUnrelatedCerts = Pref_GetBool(gPrefs,
+                                        VGAUTH_PREF_ALLOW_UNRELATED_CERTS,
+                                        VGAUTH_PREF_GROUP_NAME_SERVICE,
+                                        FALSE);
+ }
+ 
+ 
+@@ -1589,6 +1594,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText,
+       return VGAUTH_E_AUTHENTICATION_DENIED;
+    }
+ 
+   if (!gAllowUnrelatedCerts) {
+      err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain);
+      if (err != VGAUTH_E_OK) {
+         VMXLog_Log(VMXLOG_LEVEL_WARNING,
+                    "Unrelated certs found in SAML token, failing\n");
+         return VGAUTH_E_AUTHENTICATION_DENIED;
+      }
+   }
+
+    subj.type = SUBJECT_TYPE_NAMED;
+    subj.name = *subjNameOut;
+    err = ServiceVerifyAndCheckTrustCertChainForSubject(num,
--- a/SOURCES/File-descriptor-vulnerability-in-the-open-vm-tools.patch
+++ b/SOURCES/File-descriptor-vulnerability-in-the-open-vm-tools.patch
@ -0,0 +1,196 @@
+From 63f7c79c4aecb14d37cc4ce9da509419e31d394f Mon Sep 17 00:00:00 2001
+From: Katy Feng <fkaty@vmware.com>
+Date: Tue, 17 Oct 2023 15:24:48 -0700
+Subject: [PATCH] File descriptor vulnerability in the open-vm-tools
+ vmware-user-suid-wrapperx on Linux
+
+Moving the privilege drop logic (dropping privilege to the real uid and
+gid of the process for the vmusr service) from suidWrapper to vmtoolsd code.
+Now the vmtoolsd is not executed with dropped privileges (started as setuid
+program) and the dumpable attribute of the process is not reset.
+The unprivileged user will not have access to the privileged file descriptors
+in the vmtoolsd vmusr process.
+Also, setting the FD_CLOEXEC flag for both uinputFd and blockFd preventing
+the file descriptors being inherited any further from the vmtoolsd.
+---
+ open-vm-tools/services/vmtoolsd/mainPosix.c   | 78 ++++++++++++++++++-
+ open-vm-tools/vmware-user-suid-wrapper/main.c | 28 +------
+ 2 files changed, 81 insertions(+), 25 deletions(-)
+
+diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c
+index fd2667cd5..6c52156bc 100644
+--- a/open-vm-tools/services/vmtoolsd/mainPosix.c
+++ b/open-vm-tools/services/vmtoolsd/mainPosix.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2008-2020,2022 VMware, Inc. All rights reserved.
+ * Copyright (c) 2008-2020,2022-2023 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -28,10 +28,12 @@
+ #include <signal.h>
+ #include <string.h>
+ #include <unistd.h>
+#include <fcntl.h>
+ #include <glib/gstdio.h>
+ #include "file.h"
+ #include "guestApp.h"
+ #include "hostinfo.h"
+#include "su.h"
+ #include "system.h"
+ #include "unicode.h"
+ #include "util.h"
+@@ -154,6 +156,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state,
+ }
+ 
+ 
+/**
+ * Tools function to set close-on-exec flg for the fd.
+ *
+ * @param[in] fd   open file descriptor.
+ *
+ * @return TRUE on success, FALSE otherwise.
+ */
+
+static gboolean
+ToolsSetCloexecFlag(int fd)
+{
+   int flags;
+
+   if (fd == -1) {
+      /* fd is not present, no need to manipulate */
+      return TRUE;
+   }
+
+   flags = fcntl(fd, F_GETFD, 0);
+   if (flags < 0) {
+      g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno);
+      return FALSE;
+   }
+   flags |= FD_CLOEXEC;
+   if (fcntl(fd, F_SETFD, flags) < 0) {
+      g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno);
+      return FALSE;
+   }
+
+   return TRUE;
+}
+
+
+/**
+ * Tools function to close the fds.
+ */
+
+static void
+ToolsCloseFds(void)
+{
+   if (gState.ctx.blockFD != -1) {
+      close(gState.ctx.blockFD);
+   }
+
+   /*
+    * uinputFD will be available only for wayland.
+    */
+   if (gState.ctx.uinputFD != -1) {
+      close(gState.ctx.uinputFD);
+   }
+}
+
+
+ /**
+  * Tools daemon entry function.
+  *
+@@ -210,6 +265,27 @@ main(int argc,
+    g_free(argvCopy);
+    argvCopy = NULL;
+ 
+   /*
+    * Drops privilege to the real uid and gid of the process
+    * for the "vmusr" service.
+    */
+   if (TOOLS_IS_USER_SERVICE(&gState)) {
+      uid_t uid = getuid();
+      gid_t gid = getgid();
+
+      if ((Id_SetREUid(uid, uid) != 0) ||
+          (Id_SetREGid(gid, gid) != 0)) {
+         g_printerr("could not drop privileges: %s", strerror(errno));
+         ToolsCloseFds();
+         goto exit;
+      }
+      if (!ToolsSetCloexecFlag(gState.ctx.blockFD) ||
+          !ToolsSetCloexecFlag(gState.ctx.uinputFD)) {
+         ToolsCloseFds();
+         goto exit;
+      }
+   }
+
+    if (gState.pidFile != NULL) {
+       /*
+        * If argv[0] is not an absolute path, make it so; all other path
+diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c
+index e9d7e5084..73ae9b9bb 100644
+--- a/open-vm-tools/vmware-user-suid-wrapper/main.c
+++ b/open-vm-tools/vmware-user-suid-wrapper/main.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2007-2018 VMware, Inc. All rights reserved.
+ * Copyright (C) 2007-2018,2023 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -156,8 +156,7 @@ MaskSignals(void)
+  *
+  *    Obtains the library directory from the Tools locations database, then
+  *    opens a file descriptor (while still root) to add and remove blocks,
+- *    drops privilege to the real uid of this process, and finally starts
+- *    vmware-user.
+ *    and finally starts vmware-user.
+  *
+  * Results:
+  *    Parent: TRUE on success, FALSE on failure.
+@@ -173,8 +172,6 @@ static Bool
+ StartVMwareUser(char *const envp[])
+ {
+    pid_t pid;
+-   uid_t uid;
+-   gid_t gid;
+    int blockFd = -1;
+    char blockFdStr[8];
+    int uinputFd = -1;
+@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[])
+    }
+ 
+    /*
+-    * Now create a child process, obtain a file descriptor as root, downgrade
+-    * privilege, and run vmware-user.
+    * Now create a child process, obtain a file descriptor as root and
+    * run vmware-user.
+     */
+    pid = fork();
+    if (pid == -1) {
+@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[])
+       }
+    }
+ 
+-   uid = getuid();
+-   gid = getgid();
+-
+-   if ((setreuid(uid, uid) != 0) ||
+-       (setregid(gid, gid) != 0)) {
+-      Error("could not drop privileges: %s\n", strerror(errno));
+-      if (blockFd != -1) {
+-         close(blockFd);
+-      }
+-      if (useWayland) {
+-         if (uinputFd != -1) {
+-            close(uinputFd);
+-         }
+-      }
+-      return FALSE;
+-   }
+-
+    /*
+     * Since vmware-user provides features that don't depend on vmblock, we
+     * invoke vmware-user even if we couldn't obtain a file descriptor or we
--- a/SOURCES/Track-Linux-filesystem-id-FSID-for-quiesced-frozen-filesystems.patch
+++ b/SOURCES/Track-Linux-filesystem-id-FSID-for-quiesced-frozen-filesystems.patch
@ -0,0 +1,206 @@
+From 9d458c53a7a656d4d1ba3a28d090cce82ac4af0e Mon Sep 17 00:00:00 2001
+From: Katy Feng <fkaty@vmware.com>
+Date: Tue, 17 Jan 2023 19:08:33 -0800
+Subject: [PATCH] Track Linux filesystem id (FSID) for quiesced (frozen)
+ filesystems
+
+Tracking the filesystem FSID along with each file descriptor (FD)
+as the ioctl FIFREEZE is done.  An EBUSY could be seen because of
+an attempt to freeze the same superblock more than once depending
+on the OS configuration (e.g. usage of bind mounts).  An EBUSY could
+also mean another process has locked or frozen that filesystem.
+
+When an EBUSY is received, the filesyste FSID is checked against the
+list of filesystems that have already be quiesced.  If not previously
+seen, a warning that the filesystem is controlled by another process
+is logged and the quiesced snapshot request will be rejected.
+---
+ .../lib/syncDriver/syncDriverLinux.c          | 112 +++++++++++++++---
+ 1 file changed, 96 insertions(+), 16 deletions(-)
+
+diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+index eef65a2eb..6d9a35687 100644
+--- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2018 VMware, Inc. All rights reserved.
+ * Copyright (C) 2011-2018, 2023 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -32,6 +32,7 @@
+ #include <sys/ioctl.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+#include <sys/statfs.h>
+ #include "debug.h"
+ #include "dynbuf.h"
+ #include "syncDriverInt.h"
+@@ -43,12 +44,53 @@
+ #endif
+ 
+ 
+
+typedef struct LinuxFsInfo {
+   int fd;
+   fsid_t fsid;
+} LinuxFsInfo;
+
+ typedef struct LinuxDriver {
+    SyncHandle  driver;
+    size_t      fdCnt;
+-   int        *fds;
+   LinuxFsInfo *fds;
+ } LinuxDriver;
+ 
+static
+const fsid_t MISSING_FSID = {};
+
+
+/*
+ *******************************************************************************
+ * LinuxFiFsIdMatch --
+ *
+ * Check the collection of filesystems previously frozen for the specific
+ * FSID.
+ *
+ * @param[in] fds    List of LinuxFsInfo data for filesystems previously
+ *                   frozen.
+ * @param[in] count  Number of fds in the list.
+ * @param[in] nfsid  The Filesystem ID of interest.
+ *
+ * @return TRUE if the FSID matches one previously processed.  Otherwise FALSE
+ *
+ *******************************************************************************
+ */
+
+static Bool
+LinuxFiFsIdMatch(const LinuxFsInfo *fds,
+                 const size_t count,
+                 const fsid_t *nfsid) {
+   size_t i;
+
+   for (i = 0; i < count; i++) {
+      if (fds[i].fsid.__val[0] == nfsid->__val[0] &&
+          fds[i].fsid.__val[1] == nfsid->__val[1]) {
+         return TRUE;
+      }
+   }
+   return FALSE;
+}
+ 
+ /*
+  *******************************************************************************
+@@ -75,9 +117,11 @@ LinuxFiThaw(const SyncDriverHandle handle)
+     * Thaw in the reverse order of freeze
+     */
+    for (i = sync->fdCnt; i > 0; i--) {
+-      Debug(LGPFX "Thawing fd=%d.\n", sync->fds[i-1]);
+-      if (ioctl(sync->fds[i-1], FITHAW) == -1) {
+-         Debug(LGPFX "Thaw failed for fd=%d.\n", sync->fds[i-1]);
+      int fd = sync->fds[i-1].fd;
+
+      Debug(LGPFX "Thawing fd=%d.\n", fd);
+      if (ioctl(fd, FITHAW) == -1) {
+         Debug(LGPFX "Thaw failed for fd=%d.\n", fd);
+          err = SD_ERROR;
+       }
+    }
+@@ -108,8 +152,10 @@ LinuxFiClose(SyncDriverHandle handle)
+     * Close in the reverse order of open
+     */
+    for (i = sync->fdCnt; i > 0; i--) {
+-      Debug(LGPFX "Closing fd=%d.\n", sync->fds[i-1]);
+-      close(sync->fds[i-1]);
+      int fd = sync->fds[i-1].fd;
+
+      Debug(LGPFX "Closing fd=%d.\n", fd);
+      close(fd);
+    }
+    free(sync->fds);
+    free(sync);
+@@ -196,8 +242,11 @@ LinuxDriver_Freeze(const GSList *paths,
+     */
+    while (paths != NULL) {
+       int fd;
+      LinuxFsInfo fsInfo;
+       struct stat sbuf;
+      struct statfs fsbuf;
+       const char *path = paths->data;
+
+       Debug(LGPFX "opening path '%s'.\n", path);
+       paths = g_slist_next(paths);
+       fd = open(path, O_RDONLY);
+@@ -258,23 +307,53 @@ LinuxDriver_Freeze(const GSList *paths,
+          continue;
+       }
+ 
+      if (fstatfs(fd, &fsbuf) == 0) {
+         fsInfo.fsid = fsbuf.f_fsid;
+      } else {
+         Debug(LGPFX "failed to get file system id for path '%s'.\n", path);
+         fsInfo.fsid = MISSING_FSID;
+      }
+       Debug(LGPFX "freezing path '%s' (fd=%d).\n", path, fd);
+       if (ioctl(fd, FIFREEZE) == -1) {
+          int ioctlerr = errno;
+
+         close(fd);
+         Debug(LGPFX "freeze on '%s' returned: %d (%s)\n",
+               path, ioctlerr, strerror(ioctlerr));
+         /*
+          * Previously, an EBUSY error was ignored, assuming that we may try
+          * to freeze the same superblock more than once depending on the
+          * OS configuration (e.g., usage of bind mounts).
+          * Using the filesystem Id to check if this is a filesystem that we
+          * have seen previously and will ignore this FD only if that is
+          * the case.  Log a warning otherwise since the quiesced snapshot
+          * attempt will fail.
+          */
+         if (ioctlerr == EBUSY) {
+            if (LinuxFiFsIdMatch(DynBuf_Get(&fds),
+                                 DynBuf_GetSize(&fds),
+                                 &fsInfo.fsid)) {
+               /*
+                * We have previous knowledge of this file system by another
+                * mount point.  Safe to ignore.
+                */
+               Debug(LGPFX "skipping path '%s' - previously frozen", path);
+               continue;
+            }
+            /*
+             * It appears that this FS has been locked or frozen by another
+             * process.  We cannot proceed with the quiesced snapshot request.
+             */
+            Warning(LGPFX "'%s' appears locked or frozen by another process.  "
+                    "Cannot complete the quiesced snapshot request.\n", path);
+         }
+          /*
+           * If the ioctl does not exist, Linux will return ENOTTY. If it's not
+           * supported on the device, we get EOPNOTSUPP. Ignore the latter,
+           * since freezing does not make sense for all fs types, and some
+           * Linux fs drivers may not have been hooked up in the running kernel.
+-          *
+-          * Also ignore EBUSY since we may try to freeze the same superblock
+-          * more than once depending on the OS configuration (e.g., usage of
+-          * bind mounts).
+           */
+-         close(fd);
+-         Debug(LGPFX "freeze on '%s' returned: %d (%s)\n",
+-               path, ioctlerr, strerror(ioctlerr));
+-         if (ioctlerr != EBUSY && ioctlerr != EOPNOTSUPP) {
+         if (ioctlerr != EOPNOTSUPP) {
+             Debug(LGPFX "failed to freeze '%s': %d (%s)\n",
+                   path, ioctlerr, strerror(ioctlerr));
+             err = first && ioctlerr == ENOTTY ? SD_UNAVAILABLE : SD_ERROR;
+@@ -282,7 +361,8 @@ LinuxDriver_Freeze(const GSList *paths,
+          }
+       } else {
+          Debug(LGPFX "successfully froze '%s' (fd=%d).\n", path, fd);
+-         if (!DynBuf_Append(&fds, &fd, sizeof fd)) {
+         fsInfo.fd = fd;
+         if (!DynBuf_Append(&fds, &fsInfo, sizeof fsInfo)) {
+             if (ioctl(fd, FITHAW) == -1) {
+                Warning(LGPFX "failed to thaw '%s': %d (%s)\n",
+                        path, errno, strerror(errno));
--- a/SOURCES/ovt-Remove-some-dead-code.patch
+++ b/SOURCES/ovt-Remove-some-dead-code.patch
@ -0,0 +1,169 @@
+From 8d2f9bdeafbdca395c22bc051c508d967b178ff4 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Mon, 8 May 2023 19:04:57 -0700
+Subject: [PATCH] Remove some dead code.
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 4: Remove some dead code.
+RH-Bugzilla: 2215566
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Commit: [1/1] 4601ac4b341378b23d3afe8a9089c369061b45a5 (anisinha/centos-open-vm-tools)
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+
+Cherry-picked from
+https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch
+
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
+Reviewed-by: Alex Burmashev <alexander.burmashev@oracle.com>
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index 9f376a72..85c5ba74 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
+++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
+ #define  VIX_TOOLS_CONFIG_API_AUTHENTICATION          "Authentication"
+ #define  VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS             "InfrastructureAgents"
+ 
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT  TRUE
+-
+ /*
+  * The switch that controls all APIs
+  */
+@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+ 
+ void GuestAuthUnimpersonate();
+ 
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+-                                                     const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+ 
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg,   // IN
+                                           userToken);
+       break;
+    }
+-   case VIX_USER_CREDENTIAL_ROOT:
+-   {
+-      if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+-          !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+-                                            VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+-          /*
+-           * Don't accept hashed shared secret if disabled.
+-           */
+-          g_message("%s: Requested authentication type has been disabled.\n",
+-                    __FUNCTION__);
+-          err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+-          goto done;
+-      }
+-   }
+-   // fall through
+-
+-   case VIX_USER_CREDENTIAL_CONSOLE_USER:
+-      err = VixToolsImpersonateUserImplEx(NULL,
+-                                          credentialType,
+-                                          NULL,
+-                                          loadUserProfile,
+-                                          userToken);
+-      break;
+    case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+    case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+    case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8204,36 +8176,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr,         // IN
+          }
+       }
+ 
+-      /*
+-       * If the VMX asks to be root, then we allow them.
+-       * The VMX will make sure that only it will pass this value in,
+-       * and only when the VM and host are configured to allow this.
+-       */
+-      if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+-            && (thisProcessRunsAsRoot)) {
+-         *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-         gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+-         err = VIX_OK;
+-         goto quit;
+-      }
+-
+-      /*
+-       * If the VMX asks to be root, then we allow them.
+-       * The VMX will make sure that only it will pass this value in,
+-       * and only when the VM and host are configured to allow this.
+-       *
+-       * XXX This has been deprecated XXX
+-       */
+-      if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+-            && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+-         *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-         gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+-         err = VIX_OK;
+-         goto quit;
+-      }
+-
+       /*
+        * If the VMX asks us to run commands in the context of the current
+        * user, make sure that the user who requested the command is the
+@@ -10914,50 +10856,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode,                          // IN
+ }
+ 
+ 
+-/*
+- *-----------------------------------------------------------------------------
+- *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- *    Checks to see if a given authentication type has been
+- *    disabled via the tools configuration.
+- *
+- * Return value:
+- *    TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- *    None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,     // IN
+-                                         const char *typeName)      // IN
+-{
+-   char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
+-   gboolean disabled;
+-
+-   Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+-                VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+-                typeName);
+-
+-   ASSERT(confDictRef != NULL);
+-
+-   /*
+-    * XXX Skip doing the strcmp() to verify the auth type since we only
+-    * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+-    * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+-    */
+-   disabled = VMTools_ConfigGetBoolean(confDictRef,
+-                                       VIX_TOOLS_CONFIG_API_GROUPNAME,
+-                                       authnDisabledName,
+-                                       VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+-   return !disabled;
+-}
+-
+-
+ /*
+  *-----------------------------------------------------------------------------
+  *
+-- 
+2.39.3
+
--- a/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
+++ b/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
@ -35,4 +35,3 @@ index f5541a9a..0b2a945b 100644
 
 -- 
 2.39.3
-
--- a/SPECS/open-vm-tools.spec
+++ b/SPECS/open-vm-tools.spec
@ -32,7 +32,7 @@

 Name:             open-vm-tools
 Version:          %{toolsversion}
-Release:          3%{?dist}
+Release:          3%{?dist}.1.alma.1
 Summary:          Open Virtual Machine Tools for virtual machines hosted on VMware
 License:          GPLv2
 URL:              https://github.com/vmware/%{name}
@ -57,6 +57,12 @@ Patch1: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
 # For RHEL-7012 - [RHEL8.10][ESXi]Latest version of open-vm-tools breaks VM backups
 Patch2: ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch

+# Patches were taken from:
+# https://github.com/vmware/open-vm-tools/commit/1bfe23d728b74e08f4f65cd9b0093ca73937003a
+Patch3: Dont-accept-tokens-with-unrelated-certs.patch
+# https://github.com/vmware/open-vm-tools/commit/63f7c79c4aecb14d37cc4ce9da509419e31d394f
+Patch4: File-descriptor-vulnerability-in-the-open-vm-tools.patch
+
 BuildRequires:    autoconf
 BuildRequires:    automake
 BuildRequires:    libtool
@ -414,6 +420,11 @@ fi
 %{_bindir}/vmware-vgauth-smoketest

 %changelog
+* Thu Nov 16 2023 Eduard Abdullin <eabdullin@almalinux.org> - 12.2.5-3.1.alma.1
+- File descriptor vulnerability in the open-vm-tools
+ vmware-user-suid-wrapperx on Linux
+- Don't accept tokens with unrelated certs
+
 * Wed Sep 27 2023 Jon Maloy <jmaloy@redhat.com> - 12.2.5-3
 - ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch [RHEL-7012]
 - Resolves: RHEL-7012
Author	SHA1	Message	Date
eabdullin	3a1b8841f0	- File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapperx on Linux - Don't accept tokens with unrelated certs	2023-11-16 12:39:11 +03:00
eabdullin	808725f60d	Merge branch 'c8' into a8	2023-11-16 11:14:33 +03:00
eabdullin	80346230b2	- Allow only X509 certs to verify the SAML token signature.	2023-09-21 13:26:43 +03:00
eabdullin	574359d30a	- Track Linux filesystem id (FSID) for quiesced (frozen) filesystems	2023-09-21 13:25:45 +03:00
Andrew Lukoshko	7a51a30c62	Add fix for CVE-2023-20867	2023-07-12 07:38:36 +00:00