Hi security team, I've prepared uploads for bullseye and buster, diffs are attached. CI is also happy: https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines
Is it okay to upload to *-security?

Thanks,

Bernd

On Wed, 2022-08-24 at 09:18 +0200, Salvatore Bonaccorso wrote:
> Source: open-vm-tools
> Version: 2:12.0.5-2
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for open-vm-tools.
>
> CVE-2022-31676[0]:
> > VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege
> > escalation vulnerability. A malicious actor with local non-
> > administrative access to the Guest OS can escalate privileges as a
> > root user in the virtual machine.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31676
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
> [1] https://www.vmware.com/security/advisories/VMSA-2022-0024.html
> [2] https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml index df6de3138..015d78d49 100644 --- a/debian/.gitlab-ci.yml +++ b/debian/.gitlab-ci.yml @@ -3,7 +3,7 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml variables: - RELEASE: 'unstable' + RELEASE: 'bullseye' SALSA_CI_DISABLE_APTLY: 0 SALSA_CI_DISABLE_AUTOPKGTEST: 0 SALSA_CI_DISABLE_BLHC: 0 diff --git a/debian/changelog b/debian/changelog index e37895416..234dd7c95 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +open-vm-tools (2:11.2.5-2+deb11u1) bullseye-security; urgency=high + + * [67b16ff] Properly check authorization on incoming guestOps requests. + (Closes: #1018012 CVE-2022-31676) + * [747392e] gbp: build in bullseye + * [80c2e62] gitlab-ci: build in bullseye + + -- Bernd Zeimetz <b...@debian.org> Wed, 24 Aug 2022 10:28:40 +0200 + open-vm-tools (2:11.2.5-2) unstable; urgency=medium * [7f14954] Drop max_nic_count patch. diff --git a/debian/gbp.conf b/debian/gbp.conf index bf4163e8d..83ee87ce1 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,6 @@ +[DEFAULT] +debian-branch = bullseye + [buildpackage] sign-tags = True posttag = git push && git push --tags diff --git a/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch b/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch new file mode 100644 index 000000000..25cfbe9ac --- /dev/null +++ b/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch 
@@ -0,0 +1,33 @@ +From 4f5cfc23dd3357bafc8b699dd5c558f000a534c3 Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwo...@vmware.com> +Date: Wed, 10 Aug 2022 06:12:02 -0700 +Subject: [PATCH] Properly check authorization on incoming guestOps requests + +Fix public pipe request checks. Only a SessionRequest type should +be accepted on the public pipe. +--- + open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c +=================================================================== +--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/serviceImpl/proto.c ++++ pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016,2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016,2019-2022 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -1201,6 +1201,10 @@ Proto_SecurityCheckRequest(ServiceConnec + VGAuthError err; + gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn); + ++ if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) { ++ return VGAUTH_E_PERMISSION_DENIED; ++ } ++ + switch (req->reqType) { + /* + * This comes over the public connection; alwsys let it through. diff --git a/debian/patches/series b/debian/patches/series index 166107320..381f418ad 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ use-debian-pam debian/scsi-udev-rule +1125-Properly-check-authorization-on-incoming-guestOps-re.patch
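Review bot: The guard added at the top of Proto_SecurityCheckRequest() in the proto.c hunk returns VGAUTH_E_PERMISSION_DENIED with no log call and no comment, so a local user sending anything other than a session request over the public pipe is refused without leaving a record in the guest. A warning-level log line that includes req->reqType before the return would give operators something to alert on, and a one-line comment above the `if` repeating the patch description ("Only a SessionRequest type should be accepted on the public pipe") would explain why the check precedes the switch. If the Debian patch has to stay identical to upstream, both are worth raising there instead.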
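Review bot: The header of the new file debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch carries no Origin or Bug-Debian field, and its From hash (4f5cfc23dd33...) is not the commit the bug report links as [2] (70a74758bfe0...), so the patch cannot be traced to its upstream source from the package alone. Adding DEP-3 fields to the header, an Origin: line naming the upstream commit the patch was taken from and Bug-Debian: https://bugs.debian.org/1018012, would let the security team and later maintainers verify the backport against upstream.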
diff --git a/debian/changelog b/debian/changelog index 8432b78a2..1c82a5bf1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +open-vm-tools (2:10.3.10-1+deb10u3) buster-security; urgency=high + + * [a69beac] Properly check authorization on incoming guestOps requests + (Closes: #1018012, CVE-2022-31676) + + -- Bernd Zeimetz <b...@debian.org> Wed, 24 Aug 2022 10:14:57 +0200 + open-vm-tools (2:10.3.10-1+deb10u2) buster; urgency=medium * [d512626] Fix memory leaks and error handling. diff --git a/debian/patches/10310-Properly-check-authorization-on-incoming-guestOps-r.patch b/debian/patches/10310-Properly-check-authorization-on-incoming-guestOps-r.patch new file mode 100644 index 000000000..15c3f037a --- /dev/null +++ b/debian/patches/10310-Properly-check-authorization-on-incoming-guestOps-r.patch 
@@ -0,0 +1,33 @@ +From 6ec11b118e2101b1287836b6f0ebab3ccad69642 Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwo...@vmware.com> +Date: Wed, 10 Aug 2022 06:22:46 -0700 +Subject: [PATCH] Properly check authorization on incoming guestOps requests + +Fix public pipe request checks. Only a SessionRequest type should +be accepted on the public pipe. +--- + open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c +=================================================================== +--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/serviceImpl/proto.c ++++ pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016,2022 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -1202,6 +1202,10 @@ Proto_SecurityCheckRequest(ServiceConnec + VGAuthError err; + gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn); + ++ if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) { ++ return VGAUTH_E_PERMISSION_DENIED; ++ } ++ + switch (req->reqType) { + /* + * This comes over the public connection; alwsys let it through. diff --git a/debian/patches/series b/debian/patches/series index b4413b6cb..715b40504 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ fix-buster-OS-reporting 015db4c0_Fix-memory-leaks-in-vix-tools-plugin 7b874f37_End-VGAuth-impersonation-in-the-case-of-error 26b9edbe_Fix-leaks-in-ListAliases-and-ListMappedAliases-9bc72f0b09702754b429115658a85223cb3058bd-from-devel +10310-Properly-check-authorization-on-incoming-guestOps-r.patch
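Review bot: In the debian/changelog hunk the CVE id sits inside the Closes: parentheses, "(Closes: #1018012, CVE-2022-31676)", while the bullseye entry writes the same thing without the comma. Closes: is a list of bug numbers, so putting the CVE id in its own sentence, for example "Fixes CVE-2022-31676. (Closes: #1018012)", and using that one form in both uploads keeps the two entries consistent and easy to search for the CVE.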
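Review bot: The guard added in the proto.c hunk depends on conn->isPublic, and nothing in this diff shows where that field is set in the 10.3.10 tree; the only connection property visible in the context is isSecure, derived from ServiceNetworkIsConnectionPrivateSuperUser(conn). Since the same four lines are applied here as in the 11.2.5 backport, with only the hunk offset differing (1202 instead of 1201), it is worth confirming that the public pipe listener in 10.3.10 marks its connections with isPublic, and saying in the upload request whether the denial was exercised on a buster guest or only covered by the CI build.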