Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package open-vm-tools for openSUSE:Factory checked in at 2023-06-22 23:24:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/open-vm-tools (Old) and /work/SRC/openSUSE:Factory/.open-vm-tools.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "open-vm-tools" Thu Jun 22 23:24:51 2023 rev:112 rq:1094245 version:12.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/open-vm-tools/open-vm-tools.changes 2023-05-09 15:02:09.029779531 +0200 +++ /work/SRC/openSUSE:Factory/.open-vm-tools.new.15902/open-vm-tools.changes 2023-06-22 23:24:57.921664064 +0200 @@ -1,0 +2,8 @@ +Mon Jun 12 15:01:15 UTC 2023 - Kirk Allan <kal...@suse.com> + +- Fix (bsc#1212143) - (CVE-2023-20867) - VUL-0: CVE-2023-20867: + open-vm-tools: Authentication Bypass vulnerability in the vgauth + module + + Add patch: 2023-20867-Remove-some-dead-code.patch + +------------------------------------------------------------------- New: ---- 2023-20867-Remove-some-dead-code.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ open-vm-tools.spec ++++++ --- /var/tmp/diff_new_pack.XFB0wP/_old 2023-06-22 23:24:58.705662075 +0200 +++ /var/tmp/diff_new_pack.XFB0wP/_new 2023-06-22 23:24:58.713662054 +0200 @@ -155,6 +155,7 @@ #Upstream patches Patch2: 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch Patch3: 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch +Patch4: 2023-20867-Remove-some-dead-code.patch #SUSE specific patches Patch0: pam-vmtoolsd.patch @@ -259,6 +260,7 @@ #Upstream patches %patch2 -p2 %patch3 -p2 +%patch4 -p2 #SUSE specific patches %patch0 -p2 ++++++ 2023-20867-Remove-some-dead-code.patch ++++++ >From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001 From: John Wolfe <jwo...@vmware.com> Date: Mon, 8 May 2023 19:04:57 -0700 Subject: [PATCH] Remove some dead code. Address CVE-2023-20867. Remove some authentication types which were deprecated long ago and are no longer in use. These are dead code. --- open-vm-tools/services/plugins/vix/vixTools.c | 102 -------------------------- 1 file changed, 102 deletions(-) 
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c index 9f376a7..85c5ba7 100644 --- a/open-vm-tools/services/plugins/vix/vixTools.c +++ b/open-vm-tools/services/plugins/vix/vixTools.c @@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL; #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication" #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents" -#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE - /* * The switch that controls all APIs */ @@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate( void GuestAuthUnimpersonate(); -static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, - const char *typeName); - #if SUPPORT_VGAUTH VGAuthError TheVGAuthContext(VGAuthContext **ctx); @@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN userToken); break; } - case VIX_USER_CREDENTIAL_ROOT: - { - if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) && - !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef, - VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) { - /* - * Don't accept hashed shared secret if disabled. - */ - g_message("%s: Requested authentication type has been disabled.\n", - __FUNCTION__); - err = VIX_E_GUEST_AUTHTYPE_DISABLED; - goto done; - } - } - // fall through - - case VIX_USER_CREDENTIAL_CONSOLE_USER: - err = VixToolsImpersonateUserImplEx(NULL, - credentialType, - NULL, - loadUserProfile, - userToken); - break; case VIX_USER_CREDENTIAL_NAME_PASSWORD: case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED: case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER: 
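Review bot: With the `case VIX_USER_CREDENTIAL_ROOT:` and `case VIX_USER_CREDENTIAL_CONSOLE_USER:` labels gone, a request that still carries either credential type now falls to the switch's `default:` branch, which lies outside this hunk, so the fix is only complete if that branch sets `err` to a rejection code and does not leave a caller-supplied `err`/`userToken` untouched; please confirm it does (e.g. `err = VIX_E_GUEST_AUTHTYPE_DISABLED;` or an equivalent error, with a `g_message` like the removed path had). The enum values themselves presumably survive in the VIX headers, so nothing stops a malicious or legacy host side from sending them. A short comment at the deletion site would keep the next maintainer from "restoring" the cases: `/* VIX_USER_CREDENTIAL_ROOT and VIX_USER_CREDENTIAL_CONSOLE_USER are deliberately unhandled (CVE-2023-20867): they granted impersonation without credentials and must reach default: and fail. */`. VixToolsImpersonateUser's switch and its default branch begin and end outside the hunk.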
@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN } /* - * If the VMX asks to be root, then we allow them. - * The VMX will make sure that only it will pass this value in, - * and only when the VM and host are configured to allow this. - */ - if ((VIX_USER_CREDENTIAL_ROOT == credentialType) - && (thisProcessRunsAsRoot)) { - *userToken = PROCESS_CREATOR_USER_TOKEN; - - gImpersonatedUsername = Util_SafeStrdup("_ROOT_"); - err = VIX_OK; - goto quit; - } - - /* - * If the VMX asks to be root, then we allow them. - * The VMX will make sure that only it will pass this value in, - * and only when the VM and host are configured to allow this. - * - * XXX This has been deprecated XXX - */ - if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType) - && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) { - *userToken = PROCESS_CREATOR_USER_TOKEN; - - gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_"); - err = VIX_OK; - goto quit; - } - - /* * If the VMX asks us to run commands in the context of the current * user, make sure that the user who requested the command is the * same as the current user. 
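Review bot: Removing the two early-return blocks means a call with `credentialType == VIX_USER_CREDENTIAL_ROOT` or `VIX_USER_CREDENTIAL_CONSOLE_USER` now continues into the "run as current user" check and whatever dispatch follows, none of which is visible here; unless that later code already rejects these two values, an explicit guard at this point would make the intent enforceable rather than implicit: `if (credentialType == VIX_USER_CREDENTIAL_ROOT || credentialType == VIX_USER_CREDENTIAL_CONSOLE_USER) { err = VIX_E_GUEST_AUTHTYPE_DISABLED; goto quit; }`. The deleted blocks were also the only readers of `allowConsoleUserOps` in this hunk; if it is a file-scope flag populated from tools.conf it may now be unused (a warning under -Werror) or a dangling knob that no longer does anything, so verify and either remove it or note in its definition that it is obsolete. VixToolsImpersonateUserImplEx begins before this hunk and its `quit` label lies after it, so the remaining error paths cannot be checked from here.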
@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN /* *----------------------------------------------------------------------------- * - * VixToolsCheckIfAuthenticationTypeEnabled -- - * - * Checks to see if a given authentication type has been - * disabled via the tools configuration. - * - * Return value: - * TRUE if enabled, FALSE otherwise. - * - * Side effects: - * None - * - *----------------------------------------------------------------------------- - */ - -static Bool -VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN - const char *typeName) // IN -{ - char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled - gboolean disabled; - - Str_Snprintf(authnDisabledName, sizeof(authnDisabledName), - VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled", - typeName); - - ASSERT(confDictRef != NULL); - - /* - * XXX Skip doing the strcmp() to verify the auth type since we only - * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default - * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT. - */ - disabled = VMTools_ConfigGetBoolean(confDictRef, - VIX_TOOLS_CONFIG_API_GROUPNAME, - authnDisabledName, - VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT); - - return !disabled; -} - - -/* - *----------------------------------------------------------------------------- - * * VixTools_ProcessVixCommand -- * * -- 2.6.2