Version in base suite: 12.2.0-1 Base version: open-vm-tools_12.2.0-1 Target version: open-vm-tools_12.2.0-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/open-vm-tools/open-vm-tools_12.2.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/open-vm-tools/open-vm-tools_12.2.0-1+deb12u1.dsc .gitlab-ci.yml | 2 changelog | 16 ++ gbp.conf | 3 patches/2023-20867-Remove-some-dead-code.patch | 156 +++++++++++++++++++++++++ patches/CVE-2023-20900.patch | 34 +++++ patches/series | 2 6 files changed, 212 insertions(+), 1 deletion(-)
diff -Nru open-vm-tools-12.2.0/debian/.gitlab-ci.yml open-vm-tools-12.2.0/debian/.gitlab-ci.yml
--- open-vm-tools-12.2.0/debian/.gitlab-ci.yml	2023-03-14 18:12:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/.gitlab-ci.yml	2023-09-06 18:01:06.000000000 +0000
@@ -3,7 +3,7 @@
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
-  RELEASE: 'unstable'
+  RELEASE: 'bookworm'
   SALSA_CI_DISABLE_APTLY: 0
   SALSA_CI_DISABLE_AUTOPKGTEST: 0
   SALSA_CI_DISABLE_BLHC: 0
diff -Nru open-vm-tools-12.2.0/debian/changelog open-vm-tools-12.2.0/debian/changelog
--- open-vm-tools-12.2.0/debian/changelog	2023-03-14 18:12:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/changelog	2023-09-06 18:01:06.000000000 +0000
@@ -1,3 +1,19 @@
+open-vm-tools (2:12.2.0-1+deb12u1) bookworm-security; urgency=medium
+
+  * [3812674] Fixing CVE-2023-20867, CVE-2023-20900
+    - Authentication Bypass vulnerability in VMware Tools (CVE-2023-20867)
+      A fully compromised ESXi host can force VMware Tools to fail to
+      authenticate host-to-guest operations, impacting the confidentiality
+      and integrity of the guest virtual machine.
+    - SAML token signature bypass vulnerability (CVE-2023-20900)
+      A malicious actor with man-in-the-middle (MITM) network positioning
+      between vCenter server and the virtual machine may be able to bypass
+      SAML token signature verification, to perform VMware Tools Guest
+      Operations. (Closes: #1050970)
+  * [fb0ab84] Updating gitlab CI and GBP to build in bookworm
+
+ -- Bernd Zeimetz Wed, 06 Sep 2023 20:01:06 +0200
+
 open-vm-tools (2:12.2.0-1) unstable; urgency=medium
 
   * [bebda7c] New upstream version 12.2.0
diff -Nru open-vm-tools-12.2.0/debian/gbp.conf open-vm-tools-12.2.0/debian/gbp.conf
--- open-vm-tools-12.2.0/debian/gbp.conf	2023-03-14 18:12:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/gbp.conf	2023-09-06 18:01:06.000000000 +0000
@@ -1,3 +1,6 @@
 [buildpackage]
 sign-tags = True
 posttag = git push && git push --tags
+
+[DEFAULT]
+debian-branch = bookworm
diff -Nru open-vm-tools-12.2.0/debian/patches/2023-20867-Remove-some-dead-code.patch open-vm-tools-12.2.0/debian/patches/2023-20867-Remove-some-dead-code.patch
--- open-vm-tools-12.2.0/debian/patches/2023-20867-Remove-some-dead-code.patch	1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/patches/2023-20867-Remove-some-dead-code.patch	2023-09-06 18:01:06.000000000 +0000
@@ -0,0 +1,156 @@
+From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Mon, 8 May 2023 19:04:57 -0700
+Subject: [PATCH] Remove some dead code.
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 --------------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index 9f376a7..85c5ba7 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
+ #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
+ #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
+ 
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
+-
+ /*
+  * The switch that controls all APIs
+  */
+@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+ 
+ void GuestAuthUnimpersonate();
+ 
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+-                                                     const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+ 
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
+                                              userToken);
+          break;
+       }
+-      case VIX_USER_CREDENTIAL_ROOT:
+-      {
+-         if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+-             !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+-                                                       VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+-            /*
+-             * Don't accept hashed shared secret if disabled.
+-             */
+-            g_message("%s: Requested authentication type has been disabled.\n",
+-                      __FUNCTION__);
+-            err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+-            goto done;
+-         }
+-      }
+-      // fall through
+-
+-      case VIX_USER_CREDENTIAL_CONSOLE_USER:
+-         err = VixToolsImpersonateUserImplEx(NULL,
+-                                             credentialType,
+-                                             NULL,
+-                                             loadUserProfile,
+-                                             userToken);
+-         break;
+       case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+       case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+       case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
+    }
+ 
+    /*
+-    * If the VMX asks to be root, then we allow them.
+-    * The VMX will make sure that only it will pass this value in,
+-    * and only when the VM and host are configured to allow this.
+-    */
+-   if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+-       && (thisProcessRunsAsRoot)) {
+-      *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-      gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+-      err = VIX_OK;
+-      goto quit;
+-   }
+-
+-   /*
+-    * If the VMX asks to be root, then we allow them.
+-    * The VMX will make sure that only it will pass this value in,
+-    * and only when the VM and host are configured to allow this.
+-    *
+-    * XXX This has been deprecated XXX
+-    */
+-   if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+-       && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+-      *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-      gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+-      err = VIX_OK;
+-      goto quit;
+-   }
+-
+-   /*
+    * If the VMX asks us to run commands in the context of the current
+    * user, make sure that the user who requested the command is the
+    * same as the current user.
+@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
+ /*
+  *-----------------------------------------------------------------------------
+  *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- *    Checks to see if a given authentication type has been
+- *    disabled via the tools configuration.
+- *
+- * Return value:
+- *    TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- *    None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
+-                                         const char *typeName)  // IN
+-{
+-   char authnDisabledName[64]; // Authentication..disabled
+-   gboolean disabled;
+-
+-   Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+-                VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+-                typeName);
+-
+-   ASSERT(confDictRef != NULL);
+-
+-   /*
+-    * XXX Skip doing the strcmp() to verify the auth type since we only
+-    * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+-    * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+-    */
+-   disabled = VMTools_ConfigGetBoolean(confDictRef,
+-                                       VIX_TOOLS_CONFIG_API_GROUPNAME,
+-                                       authnDisabledName,
+-                                       VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+-   return !disabled;
+-}
+-
+-
+-/*
+- *-----------------------------------------------------------------------------
+- *
+  * VixTools_ProcessVixCommand --
+  *
+  *
+-- 
+2.6.2
+
diff -Nru open-vm-tools-12.2.0/debian/patches/CVE-2023-20900.patch open-vm-tools-12.2.0/debian/patches/CVE-2023-20900.patch
--- open-vm-tools-12.2.0/debian/patches/CVE-2023-20900.patch	1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/patches/CVE-2023-20900.patch	2023-09-06 18:01:06.000000000 +0000
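Review bot: The switch in VixToolsImpersonateUser (inner hunk `@@ -8013,29 +8008,6 @@`) now has no case for `VIX_USER_CREDENTIAL_ROOT` or `VIX_USER_CREDENTIAL_CONSOLE_USER`, so what a request carrying one of those types gets depends on the `default:` branch, which lies outside the hunk; it is worth confirming that branch answers with an explicit error, as the removed code did with `VIX_E_GUEST_AUTHTYPE_DISABLED`, rather than treating the request as a named-user credential. The same applies to VixToolsImpersonateUserImplEx (inner hunk `@@ -8205,36 +8177,6 @@`): with the two early-return blocks gone, any other caller still passing those types falls through to the current-user checks after the hunk, and the enum constants themselves are not removed by this patch, so a comment at their definition such as `/* Deprecated credential types; no longer accepted by VixToolsImpersonateUser (CVE-2023-20867) */` would stop them from being wired back in. `VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS` survives while its only visible reader, VixToolsCheckIfAuthenticationTypeEnabled, is deleted, and `allowConsoleUserOps` appears to lose its only use here, so expect unused-symbol warnings unless they are referenced elsewhere in the file. Both enclosing functions start and end outside the hunk.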
@@ -0,0 +1,34 @@
+From eb4f36dfeb8b89443f7d5ade03316ba49a295eee Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Fri, 18 Aug 2023 11:23:53 -0700
+Subject: [PATCH] Address CVE-2023-20900
+
+VGAuth: Allow only X509 certs to verify the SAML token signature.
+
+---
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index f5541a9..0b2a945 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
+     */
+    bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
+    if (bRet == FALSE) {
+-      g_warning("failed to register ID\n");
++      g_warning("Failed to register ID\n");
++      goto done;
++   }
++
++   /* Use only X509 certs to validate the signature */
++   if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
++                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
++      g_warning("Failed to limit allowed key data\n");
+       goto done;
+    }
+ 
+-- 
+2.6.2
+
diff -Nru open-vm-tools-12.2.0/debian/patches/series open-vm-tools-12.2.0/debian/patches/series
--- open-vm-tools-12.2.0/debian/patches/series	2023-03-14 18:12:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/patches/series	2023-09-06 18:01:06.000000000 +0000
@@ -1,3 +1,5 @@
 use-debian-pam
 debian/scsi-udev-rule
 debian/grpc_1.51
+2023-20867-Remove-some-dead-code.patch
+CVE-2023-20900.patch
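Review bot: The new `xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id)` call is the entire fix, but the comment `/* Use only X509 certs to validate the signature */` does not say why it matters; I would expand it to something like `/* With an empty enabledKeyData list xmlsec reads every key-data type found in <KeyInfo>, so the token itself could presumably supply the key used to check its own signature; restrict verification to X509 data, which is checked against the trusted certificates in the keys manager. */`. Whether that X509 certificate is in fact validated against a trust store depends on how `dsigCtx` and its keys manager are set up earlier in VerifySignature, outside this hunk, so that configuration should be confirmed alongside this change rather than assumed. A regression test that passes VerifySignature a signed token whose `<KeyInfo>` carries no X509Data and expects a failure would pin the new behaviour. The function starts and ends outside the hunk.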