Hi Moritz,
as usual, the stable/oldstable updates are prepared; the diffs are attached to this
mail, as salsa seems to have some issues right now.
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/ -
bookworm/bullseye branches are actually there.
Please let me know if/when I can upload.
Thanks,
Bernd
--
Bernd Zeimetz — Debian GNU/Linux Developer
http://bzed.de  http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
diff --git a/debian/changelog b/debian/changelog
index a68092c65..b550b2ff4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+open-vm-tools (2:12.2.0-1+deb12u2) bookworm-security; urgency=medium
+
+ * Closes: #1054666
+ * [81326c8] Fixing CVE-2023-34059.
+This fixes a file descriptor hijack vulnerability in the vmware-user-suid-wrapper
+command. A malicious actor with non-root privileges might have been able to hijack the
+/dev/uinput file descriptor allowing them to simulate user inputs.
+ * [95acc49] Fixing CVE-2023-34058.
+This fixes a SAML Token Signature Bypass vulnerability. A malicious actor
+that has been granted Guest Operation Privileges in a target virtual
+machine might have been able to elevate their privileges if that target
+virtual machine has been assigned a more privileged Guest Alias.
+
+ -- Bernd Zeimetz Mon, 30 Oct 2023 17:59:25 +0100
+
open-vm-tools (2:12.2.0-1+deb12u1) bookworm-security; urgency=medium
* [3812674] Fixing CVE-2023-20867, CVE-2023-20900
diff --git a/debian/patches/CVE-2023-34058.patch b/debian/patches/CVE-2023-34058.patch
new file mode 100644
index 0..79cea095c
--- /dev/null
+++ b/debian/patches/CVE-2023-34058.patch
@@ -0,0 +1,234 @@
+From 6822b5a84f8cfa60d46479d6b8f1c63eb85eac87 Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Wed, 18 Oct 2023 09:04:07 -0700
+Subject: [PATCH] Address CVE-2023-34058
+
+VGAuth: don't accept tokens with unrelated certs.
+
+---
+ open-vm-tools/vgauth/common/certverify.c| 145
+ open-vm-tools/vgauth/common/certverify.h| 4 +
+ open-vm-tools/vgauth/common/prefs.h | 2 +
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 14 +++
+ 4 files changed, 165 insertions(+)
+
+Index: pkg-open-vm-tools/open-vm-tools/vgauth/common/certverify.c
+===
+--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/common/certverify.c
pkg-open-vm-tools/open-vm-tools/vgauth/common/certverify.c
+@@ -914,3 +914,148 @@ done:
+
+return err;
+ }
++
++
++/*
++ * Finds a cert with a subject (if checkSubj is set) or issuer (if
++ * checkSUbj is unset), matching 'val' in the list
++ * of certs. Returns a match or NULL.
++ */
++
++static X509 *
++FindCert(GList *cList,
++ X509_NAME *val,
++ int checkSubj)
++{
++ GList *l;
++ X509 *c;
++ X509_NAME *v;
++
++ l = cList;
++ while (l != NULL) {
++ c = (X509 *) l->data;
++ if (checkSubj) {
++ v = X509_get_subject_name(c);
++ } else {
++ v = X509_get_issuer_name(c);
++ }
++ if (X509_NAME_cmp(val, v) == 0) {
++ return c;
++ }
++ l = l->next;
++ }
++ return NULL;
++}
++
++
++/*
++ **
++ * CertVerify_CheckForUnrelatedCerts -- */ /**
++ *
++ * Looks over a list of certs. If it finds that they are not all
++ * part of the same chain, returns failure.
++ *
++ * @param[in] numCerts The number of certs in the chain.
++ * @param[in] pemCerts The chain of certificates to verify.
++ *
++ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
++ *
++ **
++ */
++
++VGAuthError
++CertVerify_CheckForUnrelatedCerts(int numCerts,
++ const char **pemCerts)
++{
++ VGAuthError err = VGAUTH_E_FAIL;
++ int chainLen = 0;
++ int i;
++ X509 **certs = NULL;
++ GList *rawList = NULL;
++ X509 *baseCert;
++ X509 *curCert;
++ X509_NAME *subject;
++ X509_NAME *issuer;
++
++ /* common single cert case; nothing to do */
++ if (numCerts == 1) {
++ return VGAUTH_E_OK;
++ }
++
++ /* convert all PEM to X509 objects */
++ certs = g_malloc0(numCerts * sizeof(X509 *));
++ for (i = 0; i < numCerts; i++) {
++ certs[i] = CertStringToX509(pemCerts[i]);
++ if (NULL == certs[i]) {
++ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
++ goto done;
++ }
++ }
++
++ /* choose the cert to start the chain. shouldn't matter which */
++ baseCert = certs[0];
++
++ /* put the rest into a list */
++ for (i = 1; i < numCerts; i++) {
++ rawList = g_list_append(rawList, certs[i]);
++ }
++
++ /* now chase down to a leaf, looking for certs the bas