Version in base suite: 11.2.5-2+deb11u1 Base version: open-vm-tools_11.2.5-2+deb11u1 Target version: open-vm-tools_11.2.5-2+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/open-vm-tools/open-vm-tools_11.2.5-2+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/open-vm-tools/open-vm-tools_11.2.5-2+deb11u2.dsc changelog | 15 + patches/2023-20867-Remove-some-dead-code-1110-1125.patch | 153 +++++++++++++++ patches/CVE-2023-20900.patch | 31 +++ patches/series | 2 4 files changed, 201 insertions(+)
diff -Nru open-vm-tools-11.2.5/debian/changelog open-vm-tools-11.2.5/debian/changelog
--- open-vm-tools-11.2.5/debian/changelog 2022-08-24 08:28:40.000000000 +0000
+++ open-vm-tools-11.2.5/debian/changelog 2023-09-06 18:17:28.000000000 +0000
@@ -1,3 +1,18 @@
+open-vm-tools (2:11.2.5-2+deb11u2) bullseye-security; urgency=high
+
+ * [29e736e] Fixing CVE-2023-20867, CVE-2023-20900
+ - Authentication Bypass vulnerability in VMware Tools (CVE-2023-20867)
+ A fully compromised ESXi host can force VMware Tools to fail to
+ authenticate host-to-guest operations, impacting the confidentiality
+ and integrity of the guest virtual machine.
+ - SAML token signature bypass vulnerability (CVE-2023-20900)
+ A malicious actor with man-in-the-middle (MITM) network positioning
+ between vCenter server and the virtual machine may be able to bypass
+ SAML token signature verification, to perform VMware Tools Guest
+ Operations. (Closes: #1050970)
+
+ -- Bernd Zeimetz Wed, 06 Sep 2023 20:17:28 +0200
+
 open-vm-tools (2:11.2.5-2+deb11u1) bullseye-security; urgency=high

 * [67b16ff] Properly check authorization on incoming guestOps requests.
diff -Nru open-vm-tools-11.2.5/debian/patches/2023-20867-Remove-some-dead-code-1110-1125.patch open-vm-tools-11.2.5/debian/patches/2023-20867-Remove-some-dead-code-1110-1125.patch
--- open-vm-tools-11.2.5/debian/patches/2023-20867-Remove-some-dead-code-1110-1125.patch 1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-11.2.5/debian/patches/2023-20867-Remove-some-dead-code-1110-1125.patch 2023-09-06 18:17:28.000000000 +0000
@@ -0,0 +1,153 @@
+From 2de244273d9ba7ac8f56a4ee3a54b391990f6c78 Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Mon, 8 May 2023 19:20:58 -0700
+Subject: [PATCH] Remove some dead code.
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 --------------------------
+ 1 file changed, 102 deletions(-)
+
+Index: pkg-open-vm-tools/open-vm-tools/services/plugins/vix/vixTools.c
+===================================================================
+--- pkg-open-vm-tools.orig/open-vm-tools/services/plugins/vix/vixTools.c
++++ pkg-open-vm-tools/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
+ #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
+ #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
+
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
+-
+ /*
+ * The switch that controls all APIs
+ */
+@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImp
+
+ void GuestAuthUnimpersonate();
+
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+- const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -7912,29 +7907,6 @@ VixToolsImpersonateUser(VixCommandReques
+ userToken);
+ break;
+ }
+- case VIX_USER_CREDENTIAL_ROOT:
+- {
+- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+- /*
+- * Don't accept hashed shared secret if disabled.
+- */
+- g_message("%s: Requested authentication type has been disabled.\n",
+- __FUNCTION__);
+- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+- goto done;
+- }
+- }
+- // fall through
+-
+- case VIX_USER_CREDENTIAL_CONSOLE_USER:
+- err = VixToolsImpersonateUserImplEx(NULL,
+- credentialType,
+- NULL,
+- loadUserProfile,
+- userToken);
+- break;
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+ case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8104,36 +8076,6 @@ VixToolsImpersonateUserImplEx(char const
+ }
+
+ /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- */
+- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+- && (thisProcessRunsAsRoot)) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+- err = VIX_OK;
+- goto abort;
+- }
+-
+- /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- *
+- * XXX This has been deprecated XXX
+- */
+- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+- err = VIX_OK;
+- goto abort;
+- }
+-
+- /*
+ * If the VMX asks us to run commands in the context of the current
+ * user, make sure that the user who requested the command is the
+ * same as the current user.
+@@ -10813,50 +10755,6 @@ VixToolsCheckIfVixCommandEnabled(int opc
+ }
+
+
+-/*
+- *-----------------------------------------------------------------------------
+- *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- * Checks to see if a given authentication type has been
+- * disabled via the tools configuration.
+- *
+- * Return value:
+- * TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- * None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
+- const char *typeName) // IN
+-{
+- char authnDisabledName[64]; // Authentication..disabled
+- gboolean disabled;
+-
+- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+- typeName);
+-
+- ASSERT(confDictRef != NULL);
+-
+- /*
+- * XXX Skip doing the strcmp() to verify the auth type since we only
+- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+- */
+- disabled = VMTools_ConfigGetBoolean(confDictRef,
+- VIX_TOOLS_CONFIG_API_GROUPNAME,
+- authnDisabledName,
+- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+- return !disabled;
+-}
+-
+-
+ /*
+ *-----------------------------------------------------------------------------
+ *
diff -Nru open-vm-tools-11.2.5/debian/patches/CVE-2023-20900.patch open-vm-tools-11.2.5/debian/patches/CVE-2023-20900.patch
--- open-vm-tools-11.2.5/debian/patches/CVE-2023-20900.patch 1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-11.2.5/debian/patches/CVE-2023-20900.patch 2023-09-06 18:17:28.000000000 +0000
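Review bot: The VIX_USER_CREDENTIAL_ROOT and VIX_USER_CREDENTIAL_CONSOLE_USER arms are removed from the switch in VixToolsImpersonateUser (inner hunk at -7912), but the switch's default arm is outside the hunk, so this diff does not show that a request still carrying one of those credential types now fails with an error instead of reaching another arm; that is the property the fix rests on and deserves a comment at the default arm, e.g. `/* ROOT and CONSOLE_USER credential types are no longer accepted; any unknown type must fail here. */`. VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS is kept as context (inner hunk at -254) although its only visible user, VixToolsCheckIfAuthenticationTypeEnabled, is deleted, and the -8104 hunk's removal of the two early-return checks may leave thisProcessRunsAsRoot and allowConsoleUserOps unreferenced in VixToolsImpersonateUserImplEx — presumably an unused-variable warning, worth confirming with a build. Both enclosing functions start and end outside the hunk.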
@@ -0,0 +1,31 @@
+From eb4f36dfeb8b89443f7d5ade03316ba49a295eee Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Fri, 18 Aug 2023 11:23:53 -0700
+Subject: [PATCH] Address CVE-2023-20900
+
+VGAuth: Allow only X509 certs to verify the SAML token signature.
+
+---
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+===================================================================
+--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc,
+ */
+ bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
+ if (bRet == FALSE) {
+- g_warning("failed to register ID\n");
++ g_warning("Failed to register ID\n");
++ goto done;
++ }
++
++ /* Use only X509 certs to validate the signature */
++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
++ BAD_CAST xmlSecKeyDataX509Id) < 0) {
++ g_warning("Failed to limit allowed key data\n");
+ goto done;
+ }
+
diff -Nru open-vm-tools-11.2.5/debian/patches/series open-vm-tools-11.2.5/debian/patches/series
--- open-vm-tools-11.2.5/debian/patches/series 2022-08-24 08:28:40.000000000 +0000
+++ open-vm-tools-11.2.5/debian/patches/series 2023-09-06 18:17:28.000000000 +0000
@@ -1,3 +1,5 @@
 use-debian-pam
 debian/scsi-udev-rule
 1125-Properly-check-authorization-on-incoming-guestOps-re.patch
+2023-20867-Remove-some-dead-code-1110-1125.patch
+CVE-2023-20900.patch
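Review bot: The added xmlSecPtrListAdd on enabledKeyData only narrows verification to X509 if that list is empty before the call — in xmlsec, as far as I recall, an empty enabledKeyData list means every registered key-data type is accepted, and the first entry turns it into an allow-list — yet nothing in the hunk shows the list's prior state or that this runs before the verify call, so the one-line comment should state the assumption: `/* enabledKeyData must be empty here: adding X509 makes it the only allowed key data; an empty list would allow all types, including a key carried inside the token itself. */`. The first changed line only capitalizes the existing warning text, which is harmless but widens a security patch beyond its fix. VerifySignature continues before and after the hunk, so the position of the add relative to the actual signature verification cannot be confirmed from this diff.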