From 527a0230d30da6d42cc6d524c606cffc5f2e0129 Mon Sep 17 00:00:00 2001
From: Chenxi Mao
Date: Mon, 11 Sep 2023 17:33:52 +0800
Subject: [PATCH] Fix CVE-2023-20867 and CVE-2023-20900
Signed-off-by: Chenxi Mao
---
2023-20867-Remove-some-dead-code.patch | 156 +++++++++++++++++++++++++
CVE-2023-20900.patch | 34 ++++++
open-vm-tools.spec | 10 +-
3 files changed, 197 insertions(+), 3 deletions(-)
create mode 100644 2023-20867-Remove-some-dead-code.patch
create mode 100644 CVE-2023-20900.patch
diff --git a/2023-20867-Remove-some-dead-code.patch b/2023-20867-Remove-some-dead-code.patch
new file mode 100644
index 0000000..859a956
--- /dev/null
+++ b/2023-20867-Remove-some-dead-code.patch
@@ -0,0 +1,156 @@
+From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Mon, 8 May 2023 19:04:57 -0700
+Subject: [PATCH] Remove some dead code.
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 --------------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index 9f376a7..85c5ba7 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
+ #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
+ #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
+
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
+-
+ /*
+ * The switch that controls all APIs
+ */
+@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+
+ void GuestAuthUnimpersonate();
+
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+- const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
+ userToken);
+ break;
+ }
+- case VIX_USER_CREDENTIAL_ROOT:
+- {
+- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+- /*
+- * Don't accept hashed shared secret if disabled.
+- */
+- g_message("%s: Requested authentication type has been disabled.\n",
+- __FUNCTION__);
+- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+- goto done;
+- }
+- }
+- // fall through
+-
+- case VIX_USER_CREDENTIAL_CONSOLE_USER:
+- err = VixToolsImpersonateUserImplEx(NULL,
+- credentialType,
+- NULL,
+- loadUserProfile,
+- userToken);
+- break;
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+ case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
+ }
+
+ /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- */
+- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+- && (thisProcessRunsAsRoot)) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+- err = VIX_OK;
+- goto quit;
+- }
+-
+- /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- *
+- * XXX This has been deprecated XXX
+- */
+- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+- err = VIX_OK;
+- goto quit;
+- }
+-
+- /*
+ * If the VMX asks us to run commands in the context of the current
+ * user, make sure that the user who requested the command is the
+ * same as the current user.
+@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
+ /*
+ *-----------------------------------------------------------------------------
+ *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- * Checks to see if a given authentication type has been
+- * disabled via the tools configuration.
+- *
+- * Return value:
+- * TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- * None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
+- const char *typeName) // IN
+-{
+- char authnDisabledName[64]; // Authentication..disabled
+- gboolean disabled;
+-
+- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+- typeName);
+-
+- ASSERT(confDictRef != NULL);
+-
+- /*
+- * XXX Skip doing the strcmp() to verify the auth type since we only
+- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+- */
+- disabled = VMTools_ConfigGetBoolean(confDictRef,
+- VIX_TOOLS_CONFIG_API_GROUPNAME,
+- authnDisabledName,
+- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+- return !disabled;
+-}
+-
+-
+-/*
+- *-----------------------------------------------------------------------------
+- *
+ * VixTools_ProcessVixCommand --
+ *
+ *
+--
+2.6.2
+
diff --git a/CVE-2023-20900.patch b/CVE-2023-20900.patch
new file mode 100644
index 0000000..1e08e37
--- /dev/null
+++ b/CVE-2023-20900.patch
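Review bot: With the `case VIX_USER_CREDENTIAL_ROOT:` and `case VIX_USER_CREDENTIAL_CONSOLE_USER:` arms removed from the switch in `VixToolsImpersonateUser`, a request that still carries one of those credential types is decided by the switch's remaining arms, which begin and end outside the hunk. It is worth confirming against the patched tree that the fall-back arm sets an error and leaves `userToken` untouched, so the removed types are refused rather than handled by some other path. The embedded patch description only says "dead code"; a line in the spec next to the patch entry such as `# CVE-2023-20867: ROOT and CONSOLE_USER credential types are no longer accepted` would record the intended behaviour for whoever rebases it.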
@@ -0,0 +1,34 @@
+From eb4f36dfeb8b89443f7d5ade03316ba49a295eee Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Fri, 18 Aug 2023 11:23:53 -0700
+Subject: [PATCH] Address CVE-2023-20900
+
+VGAuth: Allow only X509 certs to verify the SAML token signature.
+
+---
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index f5541a9..0b2a945 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
+ */
+ bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
+ if (bRet == FALSE) {
+- g_warning("failed to register ID\n");
++ g_warning("Failed to register ID\n");
++ goto done;
++ }
++
++ /* Use only X509 certs to validate the signature */
++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
++ BAD_CAST xmlSecKeyDataX509Id) < 0) {
++ g_warning("Failed to limit allowed key data\n");
+ goto done;
+ }
+
+--
+2.6.2
+
diff --git a/open-vm-tools.spec b/open-vm-tools.spec
index d7f2973..f13015a 100644
--- a/open-vm-tools.spec
+++ b/open-vm-tools.spec
@@ -29,7 +29,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 2%{?dist} +Release: 3%{?dist} Summary: Open Virtual Machine Tools for virtual machines hosted on VMware License: GPLv2 URL: https://github.com/vmware/%{name}
@@ -45,7 +45,8 @@ Source5: vmtoolsd.pam ExclusiveArch: x86_64 aarch64 # Patches -#Patch1: .patch +Patch1: 2023-20867-Remove-some-dead-code.patch +Patch2: CVE-2023-20900.patch BuildRequires: autoconf BuildRequires: automake
@@ -154,7 +155,7 @@ useful for verifying the functioning of %{name} in VMware virtual machines. %prep -%autosetup -p1 -n %{name}-%{version}-%{toolsbuild} +%autosetup -p2 -n %{name}-%{version}-%{toolsbuild} %build autoreconf -vif
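Review bot: The new `xmlSecPtrListAdd(...) < 0` branch jumps to `done` right after `RegisterID` has left `bRet` set to a non-FALSE value, so whether `VerifySignature` fails closed on that path depends on what the code at `done:` returns, and that lies outside the hunk. Please confirm the function's result is not taken from `bRet` there, and that `dsigCtx` has already been created before `dsigCtx->keyInfoReadCtx` is dereferenced. The comment on the new check could also state the reason for the restriction, for example `/* Accept only X509 key data from KeyInfo when verifying the SAML token signature (CVE-2023-20900) */`.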
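Review bot: `Patch1: 2023-20867-Remove-some-dead-code.patch` drops the `CVE-` prefix that `Patch2: CVE-2023-20900.patch` carries, so a search of the package for `CVE-*.patch` finds only one of the two fixes. Naming it `CVE-2023-20867.patch` and putting a comment above each entry with the upstream commit from the patch header, e.g. `# upstream 3028cdd4c0b2: remove deprecated VIX credential types (CVE-2023-20867)`, would make both fixes traceable from the spec alone.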
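Review bot: Switching `%autosetup -p1` to `-p2` changes the strip level for every patch listed in the spec, not only the two added by this commit. Both new patches use paths of the form `a/open-vm-tools/...`, so `-p2` fits them, but a later patch generated at the previous depth would no longer apply. A comment above the macro such as `# patches are taken from the upstream repository root (paths start with open-vm-tools/), hence -p2` would document the requirement.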
@@ -387,6 +388,9 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog +* Mon Sep 11 2023 Chenxi Mao - 12.0.5-3 +- Fix CVE-2023-20867 and CVE-2023-20900 + * Fri Jun 24 2022 Chenxi Mao - 12.0.5-2 - Fix build break in _service mode -- Gitee