Hi security team,

I've prepared uploads for bullseye and buster, diffs are attached.
CI is also happy:
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines

Is it okay to upload to *-security?

Thanks,

Bernd

On Wed, 2022-08-24 at 09:18 +0200, Salvatore Bonaccorso wrote:
> Source: open-vm-tools
> Version: 2:12.0.5-2
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> <t...@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for open-vm-tools.
> 
> CVE-2022-31676[0]:
> > VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege
> > escalation vulnerability. A malicious actor with local non-
> > administrative access to the Guest OS can escalate privileges as a
> > root user in the virtual machine.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31676
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
> [1] https://www.vmware.com/security/advisories/VMSA-2022-0024.html
> [2] https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
index df6de3138..015d78d49 100644
--- a/debian/.gitlab-ci.yml
+++ b/debian/.gitlab-ci.yml
@@ -3,7 +3,7 @@ include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
- RELEASE: 'unstable'
+ RELEASE: 'bullseye'
  SALSA_CI_DISABLE_APTLY: 0
  SALSA_CI_DISABLE_AUTOPKGTEST: 0
  SALSA_CI_DISABLE_BLHC: 0
diff --git a/debian/changelog b/debian/changelog
index e37895416..234dd7c95 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+open-vm-tools (2:11.2.5-2+deb11u1) bullseye-security; urgency=high
+
+  * [67b16ff] Properly check authorization on incoming guestOps requests.
+    (Closes: #1018012 CVE-2022-31676)
+  * [747392e] gbp: build in bullseye
+  * [80c2e62] gitlab-ci: build in bullseye
+
+ -- Bernd Zeimetz <b...@debian.org>  Wed, 24 Aug 2022 10:28:40 +0200
+
 open-vm-tools (2:11.2.5-2) unstable; urgency=medium
 
   * [7f14954] Drop max_nic_count patch.
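Review bot: In the new bullseye-security entry, the line "(Closes: #1018012 CVE-2022-31676)" runs the CVE id into the Closes: clause with no separator. Suggest closing the bug and naming the CVE as two separate items, for example "(Closes: #1018012) (CVE-2022-31676)", so the CVE id is clearly apart from the bug-closing syntax.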
diff --git a/debian/gbp.conf b/debian/gbp.conf
index bf4163e8d..83ee87ce1 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,6 @@
+[DEFAULT]
+debian-branch = bullseye
+
 [buildpackage]
 sign-tags = True
 posttag = git push && git push --tags
diff --git a/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch b/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch
new file mode 100644
index 000000000..25cfbe9ac
--- /dev/null
+++ b/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch
@@ -0,0 +1,33 @@
+From 4f5cfc23dd3357bafc8b699dd5c558f000a534c3 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwo...@vmware.com>
+Date: Wed, 10 Aug 2022 06:12:02 -0700
+Subject: [PATCH] Properly check authorization on incoming guestOps requests
+
+Fix public pipe request checks.  Only a SessionRequest type should
+be accepted on the public pipe.
+---
+ open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c
+===================================================================
+--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/serviceImpl/proto.c
++++ pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016,2019 VMware, Inc. All rights reserved.
++ * Copyright (c) 2011-2016,2019-2022 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -1201,6 +1201,10 @@ Proto_SecurityCheckRequest(ServiceConnec
+    VGAuthError err;
+    gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn);
+ 
++   if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) {
++      return VGAUTH_E_PERMISSION_DENIED;
++   }
++
+    switch (req->reqType) {
+       /*
+        * This comes over the public connection; alwsys let it through.
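Review bot: The header of the new patch file has only the git format-patch fields (From, Date, Subject) and no Origin: or Bug-Debian: line, and its From hash 4f5cfc2 is not the upstream commit 70a7475 cited in the bug report. Suggest adding DEP-3 fields that name the upstream commit or branch this backport was taken from, plus bug #1018012, so the change to Proto_SecurityCheckRequest can be traced back to its source later.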
diff --git a/debian/patches/series b/debian/patches/series
index 166107320..381f418ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 use-debian-pam
 debian/scsi-udev-rule
+1125-Properly-check-authorization-on-incoming-guestOps-re.patch
diff --git a/debian/changelog b/debian/changelog
index 8432b78a2..1c82a5bf1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+open-vm-tools (2:10.3.10-1+deb10u3) buster-security; urgency=high
+
+  * [a69beac] Properly check authorization on incoming guestOps requests
+    (Closes: #1018012, CVE-2022-31676)
+
+ -- Bernd Zeimetz <b...@debian.org>  Wed, 24 Aug 2022 10:14:57 +0200
+
 open-vm-tools (2:10.3.10-1+deb10u2) buster; urgency=medium
 
   * [d512626] Fix memory leaks and error handling.
diff --git a/debian/patches/10310-Properly-check-authorization-on-incoming-guestOps-r.patch b/debian/patches/10310-Properly-check-authorization-on-incoming-guestOps-r.patch
new file mode 100644
index 000000000..15c3f037a
--- /dev/null
+++ b/debian/patches/10310-Properly-check-authorization-on-incoming-guestOps-r.patch
@@ -0,0 +1,33 @@
+From 6ec11b118e2101b1287836b6f0ebab3ccad69642 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwo...@vmware.com>
+Date: Wed, 10 Aug 2022 06:22:46 -0700
+Subject: [PATCH] Properly check authorization on incoming guestOps requests
+
+Fix public pipe request checks.  Only a SessionRequest type should
+be accepted on the public pipe.
+---
+ open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c
+===================================================================
+--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/serviceImpl/proto.c
++++ pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
++ * Copyright (c) 2011-2016,2022 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -1202,6 +1202,10 @@ Proto_SecurityCheckRequest(ServiceConnec
+    VGAuthError err;
+    gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn);
+ 
++   if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) {
++      return VGAUTH_E_PERMISSION_DENIED;
++   }
++
+    switch (req->reqType) {
+       /*
+        * This comes over the public connection; alwsys let it through.
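Review bot: The added guard at the top of Proto_SecurityCheckRequest returns VGAUTH_E_PERMISSION_DENIED immediately, and nothing in the visible lines logs the rejection. Suggest confirming that the caller logs this error, or adding a warning that includes req->reqType before the return, so that non-session requests rejected on the public pipe show up in the service log.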
diff --git a/debian/patches/series b/debian/patches/series
index b4413b6cb..715b40504 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ fix-buster-OS-reporting
 015db4c0_Fix-memory-leaks-in-vix-tools-plugin
 7b874f37_End-VGAuth-impersonation-in-the-case-of-error
 26b9edbe_Fix-leaks-in-ListAliases-and-ListMappedAliases-9bc72f0b09702754b429115658a85223cb3058bd-from-devel
+10310-Properly-check-authorization-on-incoming-guestOps-r.patch
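Review bot: The new series entry uses a "10310-" prefix, while the three entries above it are named after upstream commit hashes (015db4c0_, 7b874f37_, 26b9edbe_). Suggest either following that naming or recording the upstream commit in the patch header, so the origin of this patch is as easy to find as that of its neighbours.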
