packages/open-vm-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!12 修复CVE-2023-20900 CVE-2023-20867

Browse Source 
From: @chenxi-mao 
Reviewed-by: @yezengruan 
Signed-off-by: @yezengruan
This commit is contained in:
openeuler-ci-bot 2023-09-11 08:12:09 +00:00 committed by Gitee
commit 874f50f4e7
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 197 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
2023-20867-Remove-some-dead-code.patch Normal file
View File

@ -0,0 +1,156 @@
From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001
From: John Wolfe <jwolfe@vmware.com>
Date: Mon, 8 May 2023 19:04:57 -0700
Subject: [PATCH] Remove some dead code.
Address CVE-2023-20867.
Remove some authentication types which were deprecated long
ago and are no longer in use. These are dead code.
---
open-vm-tools/services/plugins/vix/vixTools.c | 102 --------------------------
1 file changed, 102 deletions(-)
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
index 9f376a7..85c5ba7 100644
--- a/open-vm-tools/services/plugins/vix/vixTools.c
+++ b/open-vm-tools/services/plugins/vix/vixTools.c
@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
#define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
#define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
-
/*
* The switch that controls all APIs
*/
@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
void GuestAuthUnimpersonate();
-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
- const char *typeName);
-
#if SUPPORT_VGAUTH
VGAuthError TheVGAuthContext(VGAuthContext **ctx);
@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
userToken);
break;
}
- case VIX_USER_CREDENTIAL_ROOT:
- {
- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
- /*
- * Don't accept hashed shared secret if disabled.
- */
- g_message("%s: Requested authentication type has been disabled.\n",
- __FUNCTION__);
- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
- goto done;
- }
- }
- // fall through
-
- case VIX_USER_CREDENTIAL_CONSOLE_USER:
- err = VixToolsImpersonateUserImplEx(NULL,
- credentialType,
- NULL,
- loadUserProfile,
- userToken);
- break;
case VIX_USER_CREDENTIAL_NAME_PASSWORD:
case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
}
/*
- * If the VMX asks to be root, then we allow them.
- * The VMX will make sure that only it will pass this value in,
- * and only when the VM and host are configured to allow this.
- */
- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
- && (thisProcessRunsAsRoot)) {
- *userToken = PROCESS_CREATOR_USER_TOKEN;
-
- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
- err = VIX_OK;
- goto quit;
- }
-
- /*
- * If the VMX asks to be root, then we allow them.
- * The VMX will make sure that only it will pass this value in,
- * and only when the VM and host are configured to allow this.
- *
- * XXX This has been deprecated XXX
- */
- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
- *userToken = PROCESS_CREATOR_USER_TOKEN;
-
- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
- err = VIX_OK;
- goto quit;
- }
-
- /*
* If the VMX asks us to run commands in the context of the current
* user, make sure that the user who requested the command is the
* same as the current user.
@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
/*
*-----------------------------------------------------------------------------
*
- * VixToolsCheckIfAuthenticationTypeEnabled --
- *
- * Checks to see if a given authentication type has been
- * disabled via the tools configuration.
- *
- * Return value:
- * TRUE if enabled, FALSE otherwise.
- *
- * Side effects:
- * None
- *
- *-----------------------------------------------------------------------------
- */
-
-static Bool
-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
- const char *typeName) // IN
-{
- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
- gboolean disabled;
-
- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
- typeName);
-
- ASSERT(confDictRef != NULL);
-
- /*
- * XXX Skip doing the strcmp() to verify the auth type since we only
- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
- */
- disabled = VMTools_ConfigGetBoolean(confDictRef,
- VIX_TOOLS_CONFIG_API_GROUPNAME,
- authnDisabledName,
- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
-
- return !disabled;
-}
-
-
-/*
- *-----------------------------------------------------------------------------
- *
* VixTools_ProcessVixCommand --
*
*
--
2.6.2

34
CVE-2023-20900.patch Normal file
View File

@ -0,0 +1,34 @@
From eb4f36dfeb8b89443f7d5ade03316ba49a295eee Mon Sep 17 00:00:00 2001
From: John Wolfe <jwolfe@vmware.com>
Date: Fri, 18 Aug 2023 11:23:53 -0700
Subject: [PATCH] Address CVE-2023-20900
VGAuth: Allow only X509 certs to verify the SAML token signature.
---
open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
index f5541a9..0b2a945 100644
--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
*/
bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
if (bRet == FALSE) {
- g_warning("failed to register ID\n");
+ g_warning("Failed to register ID\n");
+ goto done;
+ }
+
+ /* Use only X509 certs to validate the signature */
+ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
+ BAD_CAST xmlSecKeyDataX509Id) < 0) {
+ g_warning("Failed to limit allowed key data\n");
goto done;
}
--
2.6.2

10
open-vm-tools.spec
View File

@ -29,7 +29,7 @@
Name: open-vm-tools Name: open-vm-tools
Version: %{toolsversion} Version: %{toolsversion}
Release: 1%{?dist} Release: 2%{?dist}
Summary: Open Virtual Machine Tools for virtual machines hosted on VMware Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
License: GPLv2 License: GPLv2
URL: https://github.com/vmware/%{name} URL: https://github.com/vmware/%{name}
@ -45,7 +45,8 @@ Source5: vmtoolsd.pam
ExclusiveArch: x86_64 aarch64 ExclusiveArch: x86_64 aarch64
# Patches # Patches
#Patch1: <patch-name1>.patch Patch1: 2023-20867-Remove-some-dead-code.patch
Patch2: CVE-2023-20900.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -154,7 +155,7 @@ useful for verifying the functioning of %{name} in VMware virtual
machines. machines.
%prep %prep
%autosetup -p1 -n %{name}-%{version}-%{toolsbuild} %autosetup -p2 -n %{name}-%{version}-%{toolsbuild}
%build %build
autoreconf -vif autoreconf -vif
@ -387,6 +388,9 @@ fi
%{_bindir}/vmware-vgauth-smoketest %{_bindir}/vmware-vgauth-smoketest
%changelog %changelog
* Mon Sep 11 2023 Chenxi Mao <chenxi.mao@suse.com> - 12.1.5-2
- Fix CVE-2023-20867 and CVE-2023-20900
* Wed Jan 18 2023 Chenxi Mao <chenxi.mao@suse.com> - 12.1.5-1 * Wed Jan 18 2023 Chenxi Mao <chenxi.mao@suse.com> - 12.1.5-1
- Upgrade to 12.1.5 with CVE fix - Upgrade to 12.1.5 with CVE fix