diff -Nru open-vm-tools-12.3.0/ReleaseNotes.md open-vm-tools-12.3.5/ReleaseNotes.md
--- open-vm-tools-12.3.0/ReleaseNotes.md 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/ReleaseNotes.md 2023-10-26 15:39:15.000000000 +0000
@@ -1,8 +1,8 @@
-# open-vm-tools 12.3.0 Release Notes
+# open-vm-tools 12.3.5 Release Notes
-Updated on: 31 August 2023
+Updated on: 26 October 2023
-open-vm-tools | 31 AUGUST 2023 | Build 22234872
+open-vm-tools | 26 OCTOBER 2023 | Build 22544099
Check back for additions and updates to these release notes.
@@ -10,7 +10,7 @@
The release notes cover the following topics:
-- [open-vm-tools 12.3.0 Release Notes](#open-vm-tools-1230-release-notes)
+- [open-vm-tools 12.3.5 Release Notes](#open-vm-tools-1235-release-notes)
- [What's in the Release Notes](#whats-in-the-release-notes)
- [What's New](#whats-new)
- [End of Feature Support Notice](#end-of-feature-support-notice)
@@ -22,13 +22,15 @@
## What's New
-This release resolves CVE-2023-20900. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
+* This release resolves CVE-2023-34058. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
+
+* This release resolves CVE-2023-34059 which only affects open-vm-tools.
* Please see the [Resolved Issues](#resolvedissues) and [Known Issues](#knownissues) sections below.
-* A complete list of the granular changes in the open-vm-tools 12.3.0 release is available at:
+* A complete list of the granular changes in the open-vm-tools 12.3.5 release is available at:
- [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog)
+ [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/open-vm-tools/ChangeLog)
## End of Feature Support Notice
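Review bot: the new CVE-2023-34059 bullet gives readers no pointer at all, while the CVE-2023-34058 bullet beside it links VMSA-2023-0024; the Resolved Issues section of this same file links a CVE-2023-34059.patch for earlier releases, so repeat that link (or the advisory) here so the two bullets are parallel and an administrator scanning "What's New" sees where the fix for older versions lives. Turning the first item from a bare paragraph into a `* ` bullet is right, since the remaining items in the list already use that form.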
@@ -38,7 +40,7 @@
## Internationalization
-open-vm-tools 12.3.0 is available in the following languages:
+open-vm-tools 12.3.5 is available in the following languages:
* English
* French
@@ -60,66 +62,32 @@
## Resolved Issues
-* **This release resolves CVE-2023-20900.**
-
- For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
-
-* **Linux quiesced snapshot: "SyncDriver: failed to freeze '_filesystem_'"**
-
- The open-vm-tools 12.2.0 release had an update to the Linux quiesced snapshot operation that would avoid starting a quiesced snapshot if a filesystem had already been frozen by another process. See the [Resolved Issues](https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/ReleaseNotes.md#-resolved-issues) section in the open-vm-tools 12.2.0 Release Notes. That fix may have been backported into earlier versions of open-vm-tools by Linux vendors.
-
- It is possible that filesystems are being frozen in custom pre-freeze scripts to control the order in which those specific filesystems are to be frozen. The vmtoolsd process **must be informed** of all such filesystems with the help of "excludedFileSystems" setting of tools.conf.
-
- ```
- [vmbackup]
-
- excludedFileSystems=/opt/data,/opt/app/project-*,...
- ```
-
- A temporary workaround is available (starting from open-vm-tools 12.3.0) for system administrators to quickly allow a quiescing operation to succeed until the "excludedFileSystems" list can be configured. Note, if another process thaws the file system while a quiescing snapshot operation is ongoing, the snapshot may be compromised. Once the "excludedFileSystems" list is configured this setting MUST be unset (or set to false).
-
- ```
- [vmbackup]
-
- ignoreFrozenFileSystems = true
- ```
-
- This workaround is provided in the source file changes in
-
- https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a6bed6501da2
-
- and at Linux vendors' discretion, may be backported to earlier versions of open-vm-tools.
-
-* **A number of Coverity reported issues have been addressed.**
+* **This release resolves CVE-2023-34058.**
-* **Component Manager / salt-minion: New InstallStatus "UNMANAGED".**
+ For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
- Salt-minion added support for "ExternalInstall" (106) to indicate an older version of salt-minion is installed on the vm and cannot be managed by the svtminion.* scripts. The Component Manager will track that as "UNMANAGED" and take no action.
+ open-vm-tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
-* **The following pull requests and issues have been addressed**
+ A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.
- * Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES
+ Note: While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that must be addressed.
- [Issue #638](https://github.com/vmware/open-vm-tools/issues/638)
- [Pull request #639](https://github.com/vmware/open-vm-tools/pull/639)
+ A patch for earlier versions of open-vm-tools is available at [CVE-2023-34058.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch).
- * Invalid argument with "\\" in Linux username (Active Directory user)
+* **This release resolves CVE-2023-34059.**
- [Issue #641](https://github.com/vmware/open-vm-tools/issues/641)
+ open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.4. - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- * Improve POSIX guest identification
+ A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs.
- [Issue #647](https://github.com/vmware/open-vm-tools/issues/647)
- [Issue #648](https://github.com/vmware/open-vm-tools/issues/648)
+ A patch for earlier versions of open-vm-tools is available at [CVE-2023-34059.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch).
- * Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib"
+* **The following github.com/vmware/open-vm-tools issue have been addressed**
- [Issue #658](https://github.com/vmware/open-vm-tools/issues/658)
+ * Better cooperation between deployPkg plugin and cloud-init concerning location of 'disable_vmware_customization' flag.
- * Fix build problems with grpc
+ [Issue #310](https://github.com/vmware/open-vm-tools/issues/310)
- [Pull request #664](https://github.com/vmware/open-vm-tools/pull/664)
- [Issue #676](https://github.com/vmware/open-vm-tools/issues/676)
## Known Issues
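Review bot: two wording slips in the added text: `* **The following github.com/vmware/open-vm-tools issue have been addressed**` needs either "issue has" or "issues have" (only Issue #310 is listed, so the singular), and `maximum CVSSv3 base score of 7.4. - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` carries a stray full stop before the dash that the CVE-2023-34058 entry above does not. The two vectors are consistent with their scores (AV:A/AC:H with all-High impact rounds to 7.5, AV:L/AC:H to 7.4), so only punctuation needs touching. For the CVE-2023-34059 entry it would help administrators to add one sentence on the mechanism, which the dropped debian/patches/CVE-2023-34059.patch further down makes clear: the uid/gid drop moves out of the setuid wrapper into vmtoolsd so the vmusr process keeps its dumpable attribute cleared, and blockFd/uinputFd are marked FD_CLOEXEC; "hijack the /dev/uinput file descriptor" alone does not tell a reader what to look for when backporting.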
diff -Nru open-vm-tools-12.3.0/debian/.gitlab-ci.yml open-vm-tools-12.3.5/debian/.gitlab-ci.yml
--- open-vm-tools-12.3.0/debian/.gitlab-ci.yml 2023-09-06 06:56:32.000000000 +0000
+++ open-vm-tools-12.3.5/debian/.gitlab-ci.yml 2023-12-05 18:41:25.000000000 +0000
@@ -9,6 +9,8 @@
SALSA_CI_DISABLE_BLHC: 0
SALSA_CI_DISABLE_LINTIAN: 0
SALSA_CI_DISABLE_PIUPARTS: 0
- SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_REPROTEST: 0
SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0
SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0
+ SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1
+ SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1
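Review bot: `SALSA_CI_DISABLE_REPROTEST: 0` together with `SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1` is described in debian/changelog as "(Temporarily) build with diffoscope", but nothing in the YAML says so; add a comment above the two keys recording why diffoscope is on and what condition lets it be switched back, and do the same for `SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1`, whose changelog line "Disable arm cross-build" gives no reason either, otherwise both settings will outlive their purpose. Enabling reprotest itself is the right call for a package that ships a setuid helper and the VGAuth daemon: a reproducible build is what lets a downstream check that the installed binaries correspond to the patched source.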
diff -Nru open-vm-tools-12.3.0/debian/changelog open-vm-tools-12.3.5/debian/changelog
--- open-vm-tools-12.3.0/debian/changelog 2023-10-27 11:24:07.000000000 +0000
+++ open-vm-tools-12.3.5/debian/changelog 2023-12-05 21:18:07.000000000 +0000
@@ -1,3 +1,36 @@
+open-vm-tools (2:12.3.5-3~ubuntu0.23.10.1) mantic; urgency=medium
+
+ * Backport recent open-vm-tools release v12.3.5
+ (LP: #2028420)
+
+ -- Bryce Harrington Tue, 05 Dec 2023 13:18:07 -0800
+
+open-vm-tools (2:12.3.5-3) unstable; urgency=medium
+
+ * [7699f7a] Fix typo in last upload
+
+ -- Bernd Zeimetz Mon, 27 Nov 2023 16:29:44 +0100
+
+open-vm-tools (2:12.3.5-2) unstable; urgency=medium
+
+ * [80ed173] Disable arm cross-build
+ * [61a0f4d] (Temporarily) build with diffoscope
+ * [d929c44] Fix containerinfo plugin directory.
+ Thanks to John Wolfe (Closes: #1056205)
+
+ -- Bernd Zeimetz Mon, 27 Nov 2023 15:50:13 +0100
+
+open-vm-tools (2:12.3.5-1) unstable; urgency=high
+
+ * [1b07bee] Remove api doc build dir with dh_clean.
+ Thanks to Lucas Nussbaum (Closes: #1046018)
+ * [de2e0ba] New upstream version 12.3.5 (Closes: #1054662)
+ - New upstream release fixes two CVEs:
+ CVE-2023-34059 CVE-2023-34058
+ Closes: #1054666
+
+ -- Bernd Zeimetz Sat, 28 Oct 2023 01:41:22 +0200
+
open-vm-tools (2:12.3.0-1ubuntu0.1) mantic-security; urgency=medium
* SECURITY UPDATE: SAML Bypass
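Review bot: the `2:12.3.5-3~ubuntu0.23.10.1` entry says only "Backport recent open-vm-tools release v12.3.5 (LP: #2028420)", yet this same diff deletes `debian/patches/CVE-2023-34058.patch` and `debian/patches/CVE-2023-34059.patch`, the patches the 2:12.3.0-1ubuntu0.1 mantic-security upload below ("SECURITY UPDATE: SAML Bypass") carried; add a line such as "Drop CVE-2023-34058.patch and CVE-2023-34059.patch, included upstream in 12.3.5" so the CVE tracker records the fixes as superseded rather than removed. The Debian 2:12.3.5-1 entry does say "New upstream release fixes two CVEs: CVE-2023-34059 CVE-2023-34058", but the Ubuntu entry is the one mantic users and apt-listchanges show. Smaller nit: "[7699f7a] Fix typo in last upload" does not say which typo.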
diff -Nru open-vm-tools-12.3.0/debian/clean open-vm-tools-12.3.5/debian/clean
--- open-vm-tools-12.3.0/debian/clean 2023-09-06 06:56:32.000000000 +0000
+++ open-vm-tools-12.3.5/debian/clean 2023-12-05 18:41:00.000000000 +0000
@@ -1 +1,2 @@
debian/open-vm-tools-dkms.dkms
+open-vm-tools/docs/api/build/
diff -Nru open-vm-tools-12.3.0/debian/patches/CVE-2023-34058.patch open-vm-tools-12.3.5/debian/patches/CVE-2023-34058.patch
--- open-vm-tools-12.3.0/debian/patches/CVE-2023-34058.patch 2023-10-27 11:19:07.000000000 +0000
+++ open-vm-tools-12.3.5/debian/patches/CVE-2023-34058.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,237 +0,0 @@
-From 6822b5a84f8cfa60d46479d6b8f1c63eb85eac87 Mon Sep 17 00:00:00 2001
-From: John Wolfe
-Date: Wed, 18 Oct 2023 09:04:07 -0700
-Subject: [PATCH] Address CVE-2023-34058
-
-VGAuth: don't accept tokens with unrelated certs.
-
----
- open-vm-tools/vgauth/common/certverify.c | 145 ++++++++++++++++++++++++
- open-vm-tools/vgauth/common/certverify.h | 4 +
- open-vm-tools/vgauth/common/prefs.h | 2 +
- open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 14 +++
- 4 files changed, 165 insertions(+)
-
-diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c
-index 0ed78ed..e1d7cc6 100644
---- a/open-vm-tools/vgauth/common/certverify.c
-+++ b/open-vm-tools/vgauth/common/certverify.c
-@@ -914,3 +914,148 @@ done:
-
- return err;
- }
-+
-+
-+/*
-+ * Finds a cert with a subject (if checkSubj is set) or issuer (if
-+ * checkSUbj is unset), matching 'val' in the list
-+ * of certs. Returns a match or NULL.
-+ */
-+
-+static X509 *
-+FindCert(GList *cList,
-+ X509_NAME *val,
-+ int checkSubj)
-+{
-+ GList *l;
-+ X509 *c;
-+ X509_NAME *v;
-+
-+ l = cList;
-+ while (l != NULL) {
-+ c = (X509 *) l->data;
-+ if (checkSubj) {
-+ v = X509_get_subject_name(c);
-+ } else {
-+ v = X509_get_issuer_name(c);
-+ }
-+ if (X509_NAME_cmp(val, v) == 0) {
-+ return c;
-+ }
-+ l = l->next;
-+ }
-+ return NULL;
-+}
-+
-+
-+/*
-+ ******************************************************************************
-+ * CertVerify_CheckForUnrelatedCerts -- */ /**
-+ *
-+ * Looks over a list of certs. If it finds that they are not all
-+ * part of the same chain, returns failure.
-+ *
-+ * @param[in] numCerts The number of certs in the chain.
-+ * @param[in] pemCerts The chain of certificates to verify.
-+ *
-+ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
-+ *
-+ ******************************************************************************
-+ */
-+
-+VGAuthError
-+CertVerify_CheckForUnrelatedCerts(int numCerts,
-+ const char **pemCerts)
-+{
-+ VGAuthError err = VGAUTH_E_FAIL;
-+ int chainLen = 0;
-+ int i;
-+ X509 **certs = NULL;
-+ GList *rawList = NULL;
-+ X509 *baseCert;
-+ X509 *curCert;
-+ X509_NAME *subject;
-+ X509_NAME *issuer;
-+
-+ /* common single cert case; nothing to do */
-+ if (numCerts == 1) {
-+ return VGAUTH_E_OK;
-+ }
-+
-+ /* convert all PEM to X509 objects */
-+ certs = g_malloc0(numCerts * sizeof(X509 *));
-+ for (i = 0; i < numCerts; i++) {
-+ certs[i] = CertStringToX509(pemCerts[i]);
-+ if (NULL == certs[i]) {
-+ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
-+ goto done;
-+ }
-+ }
-+
-+ /* choose the cert to start the chain. shouldn't matter which */
-+ baseCert = certs[0];
-+
-+ /* put the rest into a list */
-+ for (i = 1; i < numCerts; i++) {
-+ rawList = g_list_append(rawList, certs[i]);
-+ }
-+
-+ /* now chase down to a leaf, looking for certs the baseCert issued */
-+ subject = X509_get_subject_name(baseCert);
-+ while ((curCert = FindCert(rawList, subject, 0)) != NULL) {
-+ /* pull it from the list */
-+ rawList = g_list_remove(rawList, curCert);
-+ /* set up the next find */
-+ subject = X509_get_subject_name(curCert);
-+ }
-+
-+ /*
-+ * walk up to the root cert, by finding a cert where the
-+ * issuer equals the subject of the current
-+ */
-+ issuer = X509_get_issuer_name(baseCert);
-+ while ((curCert = FindCert(rawList, issuer, 1)) != NULL) {
-+ /* pull it from the list */
-+ rawList = g_list_remove(rawList, curCert);
-+ /* set up the next find */
-+ issuer = X509_get_issuer_name(curCert);
-+ }
-+
-+ /*
-+ * At this point, anything on the list should be certs that are not part
-+ * of the chain that includes the original 'baseCert'.
-+ *
-+ * For a valid token, the list should be empty.
-+ */
-+ chainLen = g_list_length(rawList);
-+ if (chainLen != 0 ) {
-+ GList *l;
-+
-+ g_warning("%s: %d unrelated certs found in list\n",
-+ __FUNCTION__, chainLen);
-+
-+ /* debug helper */
-+ l = rawList;
-+ while (l != NULL) {
-+ X509* c = (X509 *) l->data;
-+ char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0);
-+
-+ g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s);
-+ free(s);
-+ l = l->next;
-+ }
-+
-+ goto done;
-+ }
-+
-+ g_debug("%s: Success! no unrelated certs found\n", __FUNCTION__);
-+ err = VGAUTH_E_OK;
-+
-+done:
-+ g_list_free(rawList);
-+ for (i = 0; i < numCerts; i++) {
-+ X509_free(certs[i]);
-+ }
-+ g_free(certs);
-+ return err;
-+}
-diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h
-index d7c6410..f582bb8 100644
---- a/open-vm-tools/vgauth/common/certverify.h
-+++ b/open-vm-tools/vgauth/common/certverify.h
-@@ -67,6 +67,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash,
- size_t signatureLen,
- const unsigned char *signature);
-
-+
-+VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts,
-+ const char **pemCerts);
-+
- gchar * CertVerify_StripPEMCert(const gchar *pemCert);
-
- gchar * CertVerify_CertToX509String(const gchar *pemCert);
-diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h
-index ff11692..87ccc9b 100644
---- a/open-vm-tools/vgauth/common/prefs.h
-+++ b/open-vm-tools/vgauth/common/prefs.h
-@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages
- #define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir"
- /** The number of seconds slack allowed in either direction in SAML token date checks. */
- #define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment"
-+/** If unrelated certificates are allowed in a SAML token */
-+#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts"
-
- /** Ticket group name. */
- #define VGAUTH_PREF_GROUP_NAME_TICKET "ticket"
-diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-index 14cba1b..57e9316 100644
---- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-@@ -49,6 +49,7 @@
- #include "vmxlog.h"
-
- static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS;
-+static gboolean gAllowUnrelatedCerts = FALSE;
- static xmlSchemaPtr gParsedSchemas = NULL;
- static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL;
-
-@@ -369,6 +370,10 @@ LoadPrefs(void)
- VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS);
- Log("%s: Allowing %d of clock skew for SAML date validation\n",
- __FUNCTION__, gClockSkewAdjustment);
-+ gAllowUnrelatedCerts = Pref_GetBool(gPrefs,
-+ VGAUTH_PREF_ALLOW_UNRELATED_CERTS,
-+ VGAUTH_PREF_GROUP_NAME_SERVICE,
-+ FALSE);
- }
-
-
-@@ -1697,6 +1702,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText,
- return VGAUTH_E_AUTHENTICATION_DENIED;
- }
-
-+ if (!gAllowUnrelatedCerts) {
-+ err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain);
-+ if (err != VGAUTH_E_OK) {
-+ VMXLog_Log(VMXLOG_LEVEL_WARNING,
-+ "Unrelated certs found in SAML token, failing\n");
-+ return VGAUTH_E_AUTHENTICATION_DENIED;
-+ }
-+ }
-+
- subj.type = SUBJECT_TYPE_NAMED;
- subj.name = *subjNameOut;
- err = ServiceVerifyAndCheckTrustCertChainForSubject(num,
---
-2.6.2
-
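Review bot: deleting this patch is only safe if the upstream 12.3.5 tree carries all three pieces it contained, and the ChangeLog hunk below confirms just one of them by title (commit 1bfe23d, "Don't accept tokens with unrelated certs"); the other two are the opt-out preference (`#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts"`, read from the `service` group with default FALSE) and the early denial in SAML_VerifyBearerTokenAndChain that returns VGAUTH_E_AUTHENTICATION_DENIED before the chain reaches ServiceVerifyAndCheckTrustCertChainForSubject. Diff the removed file against the upstream commit before accepting: an administrator who set `allowUnrelatedCerts` in vgauth.conf on 2:12.3.0-1ubuntu0.1 must get the same behaviour after the upgrade, and the default must remain FALSE. One observation on the logic being dropped, which applies equally to its upstream twin: CertVerify_CheckForUnrelatedCerts links certificates purely by X509_NAME subject/issuer comparison, so a cert that merely copies an issuer name from the chain passes this pre-check; that is acceptable only because the chain trust check still follows it in the same function, and the ordering of the two calls should be preserved upstream.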
diff -Nru open-vm-tools-12.3.0/debian/patches/CVE-2023-34059.patch open-vm-tools-12.3.5/debian/patches/CVE-2023-34059.patch
--- open-vm-tools-12.3.0/debian/patches/CVE-2023-34059.patch 2023-10-27 11:19:11.000000000 +0000
+++ open-vm-tools-12.3.5/debian/patches/CVE-2023-34059.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,182 +0,0 @@
-From 2011181cbe60b256ced8d28daf7b704e8613467c Mon Sep 17 00:00:00 2001
-From: John Wolfe
-Date: Wed, 18 Oct 2023 09:11:54 -0700
-Subject: [PATCH] Address CVE-2023-34059
-
-Fix file descriptor vulnerability in the open-vm-tools
- vmware-user-suid-wrapper on Linux.
- - Moving the privilege drop logic (dropping privilege to the real uid
- and gid of the process for the vmusr service) from suidWrapper to
- vmtoolsd code.
-
----
- open-vm-tools/services/vmtoolsd/mainPosix.c | 76 +++++++++++++++++++++++++++
- open-vm-tools/vmware-user-suid-wrapper/main.c | 26 ++-------
- 2 files changed, 79 insertions(+), 23 deletions(-)
-
-diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c
-index fd2667c..8b46979 100644
---- a/open-vm-tools/services/vmtoolsd/mainPosix.c
-+++ b/open-vm-tools/services/vmtoolsd/mainPosix.c
-@@ -28,10 +28,12 @@
- #include
- #include
- #include
-+#include
- #include
- #include "file.h"
- #include "guestApp.h"
- #include "hostinfo.h"
-+#include "su.h"
- #include "system.h"
- #include "unicode.h"
- #include "util.h"
-@@ -155,6 +157,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state,
-
-
- /**
-+ * Tools function to set close-on-exec flg for the fd.
-+ *
-+ * @param[in] fd open file descriptor.
-+ *
-+ * @return TRUE on success, FALSE otherwise.
-+ */
-+
-+static gboolean
-+ToolsSetCloexecFlag(int fd)
-+{
-+ int flags;
-+
-+ if (fd == -1) {
-+ /* fd is not present, no need to manipulate */
-+ return TRUE;
-+ }
-+
-+ flags = fcntl(fd, F_GETFD, 0);
-+ if (flags < 0) {
-+ g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno);
-+ return FALSE;
-+ }
-+ flags |= FD_CLOEXEC;
-+ if (fcntl(fd, F_SETFD, flags) < 0) {
-+ g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno);
-+ return FALSE;
-+ }
-+
-+ return TRUE;
-+}
-+
-+
-+/**
-+ * Tools function to close the fds.
-+ */
-+
-+static void
-+ToolsCloseFds(void)
-+{
-+ if (gState.ctx.blockFD != -1) {
-+ close(gState.ctx.blockFD);
-+ }
-+
-+ /*
-+ * uinputFD will be available only for wayland.
-+ */
-+ if (gState.ctx.uinputFD != -1) {
-+ close(gState.ctx.uinputFD);
-+ }
-+}
-+
-+
-+/**
- * Tools daemon entry function.
- *
- * @param[in] argc Argument count.
-@@ -210,6 +265,27 @@ main(int argc,
- g_free(argvCopy);
- argvCopy = NULL;
-
-+ /*
-+ * Drops privilege to the real uid and gid of the process
-+ * for the "vmusr" service.
-+ */
-+ if (TOOLS_IS_USER_SERVICE(&gState)) {
-+ uid_t uid = getuid();
-+ gid_t gid = getgid();
-+
-+ if ((Id_SetREUid(uid, uid) != 0) ||
-+ (Id_SetREGid(gid, gid) != 0)) {
-+ g_printerr("could not drop privileges: %s", strerror(errno));
-+ ToolsCloseFds();
-+ goto exit;
-+ }
-+ if (!ToolsSetCloexecFlag(gState.ctx.blockFD) ||
-+ !ToolsSetCloexecFlag(gState.ctx.uinputFD)) {
-+ ToolsCloseFds();
-+ goto exit;
-+ }
-+ }
-+
- if (gState.pidFile != NULL) {
- /*
- * If argv[0] is not an absolute path, make it so; all other path
-diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c
-index e9d7e50..a19af53 100644
---- a/open-vm-tools/vmware-user-suid-wrapper/main.c
-+++ b/open-vm-tools/vmware-user-suid-wrapper/main.c
-@@ -156,8 +156,7 @@ MaskSignals(void)
- *
- * Obtains the library directory from the Tools locations database, then
- * opens a file descriptor (while still root) to add and remove blocks,
-- * drops privilege to the real uid of this process, and finally starts
-- * vmware-user.
-+ * and finally starts vmware-user.
- *
- * Results:
- * Parent: TRUE on success, FALSE on failure.
-@@ -173,8 +172,6 @@ static Bool
- StartVMwareUser(char *const envp[])
- {
- pid_t pid;
-- uid_t uid;
-- gid_t gid;
- int blockFd = -1;
- char blockFdStr[8];
- int uinputFd = -1;
-@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[])
- }
-
- /*
-- * Now create a child process, obtain a file descriptor as root, downgrade
-- * privilege, and run vmware-user.
-+ * Now create a child process, obtain a file descriptor as root and
-+ * run vmware-user.
- */
- pid = fork();
- if (pid == -1) {
-@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[])
- }
- }
-
-- uid = getuid();
-- gid = getgid();
--
-- if ((setreuid(uid, uid) != 0) ||
-- (setregid(gid, gid) != 0)) {
-- Error("could not drop privileges: %s\n", strerror(errno));
-- if (blockFd != -1) {
-- close(blockFd);
-- }
-- if (useWayland) {
-- if (uinputFd != -1) {
-- close(uinputFd);
-- }
-- }
-- return FALSE;
-- }
--
- /*
- * Since vmware-user provides features that don't depend on vmblock, we
- * invoke vmware-user even if we couldn't obtain a file descriptor or we
---
-2.6.2
-
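Review bot: the same caution as for the other deleted patch applies here: the replacement is upstream commit 63f7c79 in the ChangeLog hunk below, whose message describes the same design (privilege drop moved from the suid wrapper into vmtoolsd for the vmusr service, FD_CLOEXEC on uinputFd and blockFd), but the upstream code is not in this diff, so confirm it still drops both uid and gid via Id_SetREUid/Id_SetREGid before setting the flags and closes both descriptors on either failure, as the removed mainPosix.c hunk did. Two points to carry into the review of the upstream version: with the drop removed from vmware-user-suid-wrapper, the wrapper now execs vmtoolsd with euid 0, so everything between exec and `if (TOOLS_IS_USER_SERVICE(&gState))` runs privileged (the `g_free(argvCopy)` context line shows argument handling precedes the drop) and must not be steerable by the invoking user; and the wrapper's function comment, now reading "opens a file descriptor (while still root) ... and finally starts vmware-user", is the only place this new contract is written down, so it should say explicitly that privilege dropping is vmtoolsd's job.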
diff -Nru open-vm-tools-12.3.0/debian/patches/series open-vm-tools-12.3.5/debian/patches/series
--- open-vm-tools-12.3.0/debian/patches/series 2023-10-27 11:19:11.000000000 +0000
+++ open-vm-tools-12.3.5/debian/patches/series 2023-12-05 21:18:07.000000000 +0000
@@ -1,4 +1,2 @@
use-debian-pam
debian/scsi-udev-rule
-CVE-2023-34058.patch
-CVE-2023-34059.patch
diff -Nru open-vm-tools-12.3.0/debian/rules open-vm-tools-12.3.5/debian/rules
--- open-vm-tools-12.3.0/debian/rules 2023-09-06 06:56:32.000000000 +0000
+++ open-vm-tools-12.3.5/debian/rules 2023-12-05 18:41:25.000000000 +0000
@@ -83,8 +83,8 @@
rm -rf debian/open-vm-tools/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/serviceDiscovery/
# moving open-vm-tools-containerinfo files
- mkdir -p debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/containerinfo/
- mv debian/open-vm-tools/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/libcontainerInfo.so debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/containerinfo/
+ mkdir -p debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/
+ mv debian/open-vm-tools/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/libcontainerInfo.so debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/
ifneq (,$(findstring $(DEB_HOST_ARCH), amd64))
# moving open-vm-tools-salt-minion files
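Review bot: the new target `plugins/vmsvc/` deserves a comment saying it must match the subdirectory the upstream build installs the plugin into (the source side of the `mv` is `.../plugins/vmsvc/libcontainerInfo.so`), because the old `plugins/containerinfo/` name was the packaging's own invention and is what debian/changelog entry d929c44 ("Fix containerinfo plugin directory", Closes: #1056205) refers to; without the comment the next tidy-up can move it back into a directory vmtoolsd never looks at. Since open-vm-tools and open-vm-tools-containerinfo now both ship files under the same plugins/vmsvc/ directory, also confirm the split package's Depends pins the matching open-vm-tools version, as a plugin built against one vmtoolsd and loaded by another is the usual ABI trap.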
diff -Nru open-vm-tools-12.3.0/open-vm-tools/ChangeLog open-vm-tools-12.3.5/open-vm-tools/ChangeLog
--- open-vm-tools-12.3.0/open-vm-tools/ChangeLog 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/ChangeLog 2023-10-26 15:39:15.000000000 +0000
@@ -1,3 +1,119 @@
+commit 6acd1f6742a8fc0dea9cabf7ba15416a2daf5075
+Author: Katy Feng
+Date: Thu Oct 26 08:35:59 2023 -0700
+
+ Update the ReleaseNotes.md for the 12.3.5 open-vm-tools release.
+
+commit d5a0ca16b64730507735281012bc3a4660c5b46c
+Author: Katy Feng
+Date: Wed Oct 25 11:13:15 2023 -0700
+
+ Prepare for the open-vm-tools 12.3.5 release.
+ - Update the tools version in the configure.ac.
+ - Update the build numbers in the buldNumber.h.
+
+commit ca8bde40e2bb2e03b5f3a38530f6be0d4b19de34
+Author: Katy Feng
+Date: Tue Oct 17 15:31:51 2023 -0700
+
+ Update the ChangeLog file with the changes in the 12.3.5 open-vm-tools release.
+ - plus the 12.3.0 open-vm-tools release point in the ChangeLog.
+
+commit 1bfe23d728b74e08f4f65cd9b0093ca73937003a
+Author: Katy Feng
+Date: Tue Oct 17 15:24:48 2023 -0700
+
+ Don't accept tokens with unrelated certs
+
+ If a SAML token has a cert that's not a part of a chain,
+ fail the token as invalid.
+
+commit 63f7c79c4aecb14d37cc4ce9da509419e31d394f
+Author: Katy Feng
+Date: Tue Oct 17 15:24:48 2023 -0700
+
+ File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapperx
+ on Linux
+
+ Moving the privilege drop logic (dropping privilege to the real uid and
+ gid of the process for the vmusr service) from suidWrapper to vmtoolsd code.
+ Now the vmtoolsd is not executed with dropped privileges (started as setuid
+ program) and the dumpable attribute of the process is not reset.
+ The unprivileged user will not have access to the privileged file descriptors
+ in the vmtoolsd vmusr process.
+ Also, setting the FD_CLOEXEC flag for both uinputFd and blockFd preventing
+ the file descriptors being inherited any further from the vmtoolsd.
+
+commit 3b5308bb4bdf3eeebd49808eb0efa015aa183772
+Author: Katy Feng
+Date: Tue Oct 17 15:24:48 2023 -0700
+
+ Suppress optional arg to backup scripts when empty string.
+ Backup scripts can be called with an optional argument. Don't pass the
+ optional arg to the script if it's an empty string.
+
+commit 395cb80dc14e86f07e22541ae5ff205ad695056e
+Author: Katy Feng
+Date: Tue Oct 17 15:24:48 2023 -0700
+
+ Checking flag 'disable_vmware_customization' in more cloud-init config files
+
+ Currently, deployPkg plugin checks the existence of flag
+ 'disable_vmware_customization: false' in the /etc/cloud/cloud.cfg file
+ to determine if VMware customization is enabled or not on cloud-init
+ side when cloud-init is available in guest.
+ Both cloud-init team and customers suggested that it's better practice to
+ put local configuration like this flag into some .cfg files under
+ /etc/cloud/cloud.cfg.d directory, ex: /etc/cloud/cloud.cfg.d/somefile.cfg
+
+ This change implements the following adjustments to make sure we handle
+ this flag the same way as cloud-init does in ds-identify and Datasource:
+ 1. Instead of regex matching flag 'disable_vmware_customization: false',
+ we will check the value of flag 'disable_vmware_customization':
+ If the value is 'false', it means VMware customization is enabled.
+ If the value is 'true', it means VMware customization is disabled.
+ If the flag is not set, by default VMware customization is disabled
+ on cloud-init side.
+ 2. Besides cloud-init /etc/cloud/cloud.cfg file, we will check all .cfg
+ files under /etc/cloud/cloud.cfg.d directory.
+ 3. The value of flag 'disable_vmware_customization' in .cfg files under
+ /etc/cloud/cloud.cfg.d directory will overwrite the one in
+ /etc/cloud/cloud.cfg file.
+ 4. The value of flag 'disable_vmware_customization' in a .cfg file listed
+ further down the alphabetical order under /etc/cloud/cloud.cfg.d directory
+ will overwrite the value in a .cfg file listed earier.
+ 5. If a cloud-init config file contains more than one instance of this
+ flag, the value of the later flag will overwrite the former one's.
+
+ Github Issue: https://github.com/vmware/open-vm-tools/issues/310
+
+commit d9ffb3275ada811caa8478d481cd9003766baa1c
+Author: Katy Feng
+Date: Tue Oct 17 15:24:48 2023 -0700
+
+ Add missed 2023 copyright change.
+
+commit ba8219ee4bab927d7142e8392b20e183c589786e
+Author: Katy Feng
+Date: Tue Oct 17 15:24:48 2023 -0700
+
+ Enabling the open-vm-tools VGAuth Host Verification feature.
+
+ The Host Verified SAML token work is complete. Adding the new code to the
+ open-vm-tools source.
+
+commit 650ce059114e09cbac3594b9e1be4069febe4311
+Author: Katy Feng
+Date: Tue Oct 17 15:24:47 2023 -0700
+
+ Setting the VMware Tools version to 12.3.5.
+
+commit 865e76adf86fb38380220a3b760aa92ba5407c60
+Author: Katy Feng
+Date: Thu Aug 31 07:38:59 2023 -0700
+
+ Update of the ChangeLog with the "open-vm-tools 12.3.0" release point marker.
+
commit 4fe4b1be1d7139aa571a6431f26904e6f0b77883
Author: Katy Feng
Date: Thu Aug 31 07:32:27 2023 -0700
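Review bot: neither security commit carries its CVE identifier in the message (1bfe23d "Don't accept tokens with unrelated certs" and 63f7c79 "File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapperx on Linux"), so a grep of the shipped ChangeLog for CVE-2023-34058 or CVE-2023-34059 finds nothing; the cross-reference exists only in ReleaseNotes.md and in debian/changelog, which makes the Debian entry the record to keep accurate. The 63f7c79 message does state the rationale the release notes omit ("Now the vmtoolsd is not executed with dropped privileges (started as setuid program) and the dumpable attribute of the process is not reset", hence "The unprivileged user will not have access to the privileged file descriptors"), which is the sentence a security reviewer needs when judging whether a backport is complete. The typos in the messages ("wrapperx", "buldNumber.h", "earier") are upstream history and not something this package can fix.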
diff -Nru open-vm-tools-12.3.0/open-vm-tools/configure.ac open-vm-tools-12.3.5/open-vm-tools/configure.ac
--- open-vm-tools-12.3.0/open-vm-tools/configure.ac 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/configure.ac 2023-10-26 15:39:15.000000000 +0000
@@ -35,10 +35,10 @@
### Initialization
###
-TOOLS_VERSION="12.3.0"
+TOOLS_VERSION="12.3.5"
AC_INIT(
[open-vm-tools],
- [12.3.0],
+ [12.3.5],
[open-vm-tools-devel@lists.sourceforge.net])
# In order to make this configure script auto-detect situations where
@@ -1944,12 +1944,6 @@
-AM_CONDITIONAL([VMTOOLS_FS_VGAUTH_HOST_VERIFICATION],[true])
-if test "$enable_vgauth" = "yes"; then
- echo "Enabling vgauth host verification"
- CPPFLAGS="$CPPFLAGS -DVMTOOLS_FS_VGAUTH_HOST_VERIFICATION"
-fi
-
###
### Output
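Review bot: removing `AM_CONDITIONAL([VMTOOLS_FS_VGAUTH_HOST_VERIFICATION],[true])` and the `-DVMTOOLS_FS_VGAUTH_HOST_VERIFICATION` CPPFLAG reads like the feature being dropped, while ChangeLog commit ba8219ee in the hunk above says the opposite ("Enabling the open-vm-tools VGAuth Host Verification feature ... Adding the new code to the open-vm-tools source"); the consistent reading is that the host-verified SAML token code is now compiled unconditionally and the switch is simply gone, but nothing in this diff shows that. Check that no Makefile.am still uses `if VMTOOLS_FS_VGAUTH_HOST_VERIFICATION` (automake errors on an undefined conditional) and that the vgauth sources no longer `#ifdef` on the macro, otherwise the feature would be silently compiled out in a release whose ChangeLog says it is enabled.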
diff -Nru open-vm-tools-12.3.0/open-vm-tools/lib/include/buildNumber.h open-vm-tools-12.3.5/open-vm-tools/lib/include/buildNumber.h
--- open-vm-tools-12.3.0/open-vm-tools/lib/include/buildNumber.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/lib/include/buildNumber.h 2023-10-26 15:39:15.000000000 +0000
@@ -1,12 +1,12 @@
#define BUILD_NUMBER \
- "build-22234872"
+ "build-22544099"
#define BUILD_NUMBER_NUMERIC \
- 22234872
+ 22544099
#define BUILD_NUMBER_NUMERIC_STRING \
- "22234872"
+ "22544099"
#define PRODUCT_BUILD_NUMBER \
- "product-build-44994"
+ "product-build-46049"
#define PRODUCT_BUILD_NUMBER_NUMERIC \
- 44994
+ 46049
#define PRODUCT_BUILD_NUMBER_NUMERIC_STRING \
- "44994"
+ "46049"
diff -Nru open-vm-tools-12.3.0/open-vm-tools/lib/include/compat/compat_stdarg.h open-vm-tools-12.3.5/open-vm-tools/lib/include/compat/compat_stdarg.h
--- open-vm-tools-12.3.0/open-vm-tools/lib/include/compat/compat_stdarg.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/lib/include/compat/compat_stdarg.h 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2006-2016 VMware, Inc. All rights reserved.
+ * Copyright (C) 2006-2016,2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
diff -Nru open-vm-tools-12.3.0/open-vm-tools/lib/include/vm_tools_version.h open-vm-tools-12.3.5/open-vm-tools/lib/include/vm_tools_version.h
--- open-vm-tools-12.3.0/open-vm-tools/lib/include/vm_tools_version.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/lib/include/vm_tools_version.h 2023-10-26 15:39:15.000000000 +0000
@@ -1751,15 +1751,22 @@
#define TOOLS_VERSION_BANDSAW_UPDATE1_V_BASE 5
#ifndef RC_INVOKED
-#define TOOLS_VERSION_NEXT TOOLS_VERSION_TO_UINT(TOOLS_VERSION_NEXT_V)
+#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE TOOLS_VERSION_TO_UINT(TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V)
#endif /* RC_INVOKED */
-#define TOOLS_VERSION_NEXT_V_MJR 12
-#define TOOLS_VERSION_NEXT_V_MNR 3
-#define TOOLS_VERSION_NEXT_V_BASE 0
+#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_MJR 12
+#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_MNR 3
+#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_BASE 0
-#define TOOLS_VERSION_CURRENT TOOLS_VERSION_NEXT
-#define TOOLS_VERSION_CURRENT_STR TOOLS_VERSION_TO_STR(TOOLS_VERSION_NEXT)
-#define TOOLS_VERSION_CURRENT_CSV TOOLS_VERSION_TO_CSV(TOOLS_VERSION_NEXT)
+#ifndef RC_INVOKED
+#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1 TOOLS_VERSION_TO_UINT(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V)
+#endif /* RC_INVOKED */
+#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_MJR 12
+#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_MNR 3
+#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_BASE 5
+
+#define TOOLS_VERSION_CURRENT TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1
+#define TOOLS_VERSION_CURRENT_STR TOOLS_VERSION_TO_STR(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1)
+#define TOOLS_VERSION_CURRENT_CSV TOOLS_VERSION_TO_CSV(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1)
/*
* The extended Tools version is the current Tools version with the
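Review bot: TOOLS_VERSION_NEXT and TOOLS_VERSION_NEXT_V_{MJR,MNR,BASE} are deleted rather than kept as aliases for the new HEDGE_TRIMMER names, so any code that still references them (in-tree or downstream packaging that reads this header) stops compiling. If retiring the NEXT placeholder is the intent, record it in the ChangeLog; otherwise keep `#define TOOLS_VERSION_NEXT TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1` next to the new definitions until callers are moved over.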
diff -Nru open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeployment.c open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeployment.c
--- open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeployment.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeployment.c 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (c) 2006-2022 VMware, Inc. All rights reserved.
+ * Copyright (c) 2006-2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -1236,7 +1236,6 @@
{
static const char cfgName[] = "cust.cfg";
static const char metadataName[] = "metadata";
- static const char cloudInitConfigFilePath[] = "/etc/cloud/cloud.cfg";
static const char cloudInitCommand[] = "/usr/bin/cloud-init -v";
char cloudInitCommandOutput[MAX_LENGTH_CLOUDINIT_VERSION];
int forkExecResult;
@@ -1288,7 +1287,7 @@
return USE_CLOUDINIT_OK;
}
} else {
- if (IsCloudInitEnabled(cloudInitConfigFilePath)) {
+ if (IsCloudInitCustomizationEnabled()) {
return USE_CLOUDINIT_OK;
} else {
return USE_CLOUDINIT_DISABLED;
diff -Nru open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c
--- open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2016-2019 VMware, Inc. All rights reserved.
+ * Copyright (c) 2016-2019, 2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -18,70 +18,99 @@
#include
#include
+#include
#include
#include
#include
#include
#include "linuxDeploymentUtilities.h"
+#include "str.h"
extern LogFunction sLog;
+// The status code of flag 'disable_vmware_customization'
+typedef enum DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE {
+ DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET = 0,
+ DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_TRUE,
+ DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE,
+} DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE;
+
+// Private functions
+static DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE
+GetDisableVMwareCustomizationFlagStatus(const char* cloudInitConfigFilePath);
+static int
+FilterCfgExt(const struct dirent *dir);
+
/**
*----------------------------------------------------------------------------
*
- * IsCloudInitEnabled
+ * IsCloudInitCustomizationEnabled
*
- * Function to determine if cloud-init is enabled.
+ * Function to determine if cloud-init customization workflow is enabled.
* Essentially it does
- * - read a cloud-init config file
- * - Find if a particular flag is enabled or disabled.
+ * - Read all cloud-init configuration files under /etc/cloud/cloud.cfg.d/
+ * - Read the cloud-init configuration file /etc/cloud/cloud.cfg
+ * - Find if a particular flag is enabled or disabled
+ * - Particularly, the value of flag in files under /etc/cloud/cloud.cfg.d/
+ * has higher priority than the one in file /etc/cloud/cloud.cfg, and the
+ * value of flag in file listed behind in alphabetical sort under
+ * /etc/cloud/cloud.cfg.d/ has higher priority than the one in file listed
+ * in front
*
- * @param [IN] cloudFilePath path of the cloud-init config file
- * @returns TRUE if disable_vmware_customization is false and FALSE otherwise.
+ * @returns TRUE if value of the flag 'disable_vmware_customization' is false
+ * FALSE otherwise
*
*----------------------------------------------------------------------------
**/
bool
-IsCloudInitEnabled(const char *cloudFilePath)
+IsCloudInitCustomizationEnabled()
{
- bool isEnabled = false;
- FILE *cloudFile;
- char line[256];
- regex_t regex;
- const char *cloudInitRegex =
- "^\\s*disable_vmware_customization\\s*:\\s*false\\s*$";
- int reti;
-
- sLog(log_info, "Checking if cloud.cfg exists and if cloud-init is enabled.");
- cloudFile = fopen(cloudFilePath, "r");
- if (cloudFile == NULL) {
- sLog(log_info, "Could not open file: %s", strerror(errno));
- return isEnabled;
- }
-
- reti = regcomp(®ex, cloudInitRegex, 0);
- if (reti != 0) {
- char buf[256];
- regerror(reti, ®ex, buf, sizeof(buf));
- sLog(log_error, "Error compiling regex for cloud-init flag: %s", buf);
- goto done;
- }
-
- while (fgets(line, sizeof(line), cloudFile) != NULL) {
- if (regexec(®ex, line, 0, NULL, 0) == 0) {
- isEnabled = true;
- break;
+ DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE flagStatus =
+ DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET;
+ static const char cloudInitBaseConfigFilePath[] = "/etc/cloud/cloud.cfg";
+ static const char cloudInitConfigDirPath[] = "/etc/cloud/cloud.cfg.d/";
+ struct dirent **fileList;
+ int i, fileCount;
+ size_t filePathLength;
+ char *filePath = NULL;
+
+ sLog(log_info, "Checking if cloud-init customization is enabled.");
+ fileCount =
+ scandir(cloudInitConfigDirPath, &fileList, FilterCfgExt, alphasort);
+ if (fileCount < 0) {
+ sLog(log_warning, "Could not scan directory %s, error: %s.",
+ cloudInitConfigDirPath, strerror(errno));
+ } else {
+ for (i = fileCount - 1; i >= 0; i--) {
+ filePathLength = Str_Strlen(cloudInitConfigDirPath, PATH_MAX) +
+ Str_Strlen(fileList[i]->d_name, FILENAME_MAX) + 1;
+ filePath = malloc(filePathLength);
+ if (filePath == NULL) {
+ sLog(log_warning, "Error allocating memory to copy '%s'.",
+ cloudInitConfigDirPath);
+ break;
+ }
+ Str_Strcpy(filePath, cloudInitConfigDirPath, filePathLength);
+ Str_Strcat(filePath, fileList[i]->d_name, filePathLength);
+ flagStatus = GetDisableVMwareCustomizationFlagStatus(filePath);
+ free(filePath);
+ filePath = NULL;
+ if (flagStatus != DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET) {
+ break;
+ }
+ }
+ for (i = 0; i < fileCount; i++) {
+ free(fileList[i]);
}
}
- if (ferror(cloudFile) != 0) {
- sLog(log_warning, "Error reading file: %s", strerror(errno));
- isEnabled = false;
+ free(fileList);
+
+ if (flagStatus == DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET) {
+ flagStatus =
+ GetDisableVMwareCustomizationFlagStatus(cloudInitBaseConfigFilePath);
}
- regfree(®ex);
-done:
- fclose(cloudFile);
- return isEnabled;
+ return (flagStatus == DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE);
}
/**
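Review bot: `free(fileList)` at the end of IsCloudInitCustomizationEnabled runs even when scandir() returned -1, and `struct dirent **fileList;` is never initialised, so on a scandir failure (for example when /etc/cloud/cloud.cfg.d/ does not exist, the very case the warning above it handles) this frees an indeterminate pointer. Initialise `fileList = NULL` at the declaration or move the free() into the else branch. Two smaller points: the malloc-failure `break` leaves flagStatus UNSET and falls through to /etc/cloud/cloud.cfg, so a value set in a drop-in file is silently ignored on that path; log that the directory was not fully evaluated. And the typedef is misspelled (`DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE`) in every place it appears, which gets harder to fix once other files pick it up.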
@@ -113,7 +142,7 @@
sLog(log_info, "Check if custom script(pre/post customization) exists.");
tempDir = opendir(dirPath);
if (tempDir == NULL) {
- sLog(log_warning, "Could not open directory %s: error: %s", dirPath,
+ sLog(log_warning, "Could not open directory %s: error: %s.", dirPath,
strerror(errno));
return scriptName;
}
@@ -123,7 +152,7 @@
char buf[256];
regerror(regRet, &scriptRegex, buf, sizeof(buf));
- sLog(log_error, "Error compiling regex for custom script: %s", buf);
+ sLog(log_error, "Error compiling regex for custom script: %s.", buf);
goto done;
}
@@ -131,7 +160,7 @@
if (regexec(&scriptRegex, dir->d_name, 0, NULL, 0) == 0) {
scriptName = strdup(dir->d_name);
if (scriptName == NULL) {
- sLog(log_warning, "Could not allocate memory for scriptName: %s",
+ sLog(log_warning, "Could not allocate memory for scriptName: %s.",
strerror(errno));
break;
}
@@ -145,3 +174,106 @@
return scriptName;
}
+/**
+ *----------------------------------------------------------------------------
+ *
+ * GetDisableVMwareCustomizationFlagStatus
+ *
+ * Function to get status code of the flag 'disable_vmware_customization' from
+ * a cloud-init config file.
+ * Essentially it does
+ * - Read a cloud-init config file
+ * - Get status code of the flag according to its value
+ *
+ * @param [IN] cloudInitConfigFilePath path of a cloud-int config file
+ * @returns The status code of this particular flag
+ *
+ *----------------------------------------------------------------------------
+ **/
+static DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE
+GetDisableVMwareCustomizationFlagStatus(const char* cloudInitConfigFilePath)
+{
+ DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE flagStatus =
+ DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET;
+ FILE *cloudInitConfigFile;
+ char line[256];
+ regex_t regex;
+ size_t maxGroups = 2, flagValueLength = 0;
+ regmatch_t groupArray[maxGroups];
+ const char *flagPattern =
+ "^\\s*disable_vmware_customization\\s*:\\s*(true|false)\\s*$";
+ int reti;
+
+ cloudInitConfigFile = fopen(cloudInitConfigFilePath, "r");
+ if (cloudInitConfigFile == NULL) {
+ sLog(log_warning, "Could not open file: %s.", strerror(errno));
+ return flagStatus;
+ }
+
+ reti = regcomp(®ex, flagPattern, REG_EXTENDED);
+ if (reti != 0) {
+ char buf[256];
+ regerror(reti, ®ex, buf, sizeof(buf));
+ sLog(log_error, "Error compiling regex for cloud-init flag: %s.", buf);
+ goto done;
+ }
+
+ while (fgets(line, sizeof(line), cloudInitConfigFile) != NULL) {
+ if (regexec(®ex, line, maxGroups, groupArray, 0) == 0) {
+ flagValueLength = groupArray[1].rm_eo - groupArray[1].rm_so;
+ if (flagValueLength > 0) {
+ char flagValue[flagValueLength + 1];
+ Str_Strncpy(flagValue, flagValueLength + 1,
+ line + groupArray[1].rm_so, flagValueLength);
+ sLog(log_info,
+ "Flag 'disable_vmware_customization' set in %s with value: %s.",
+ cloudInitConfigFilePath, flagValue);
+ if (Str_Strequal(flagValue, "false")) {
+ flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE;
+ } else if (Str_Strequal(flagValue, "true")) {
+ flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_TRUE;
+ }
+ }
+ }
+ }
+ if (ferror(cloudInitConfigFile) != 0) {
+ sLog(log_warning, "Error reading file: %s.", strerror(errno));
+ flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET;
+ }
+ regfree(®ex);
+
+done:
+ fclose(cloudInitConfigFile);
+ return flagStatus;
+}
+
+/**
+ *-----------------------------------------------------------------------------
+ *
+ * FilterCfgExt
+ *
+ * Filter files with .cfg extension when calling scandir.
+ *
+ * @param [IN] dir struct dirent of a directory entry
+ * @returns 1 if dir is a regular file and its file extension is .cfg
+ * 0 otherwise
+ *
+ * ----------------------------------------------------------------------------
+ **/
+static int
+FilterCfgExt(const struct dirent *dir)
+{
+ if (!dir)
+ return 0;
+
+ if (dir->d_type == DT_REG) {
+ const char *ext = Str_Strrchr(dir->d_name, '.');
+ if ((!ext) || (ext == dir->d_name)) {
+ return 0;
+ } else if (Str_Strequal(ext, ".cfg")) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
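Review bot: FilterCfgExt only accepts entries with `d_type == DT_REG`, but d_type is a hint: filesystems that do not populate it (older XFS without ftype, several network and overlay filesystems) report DT_UNKNOWN, and a drop-in installed as a symlink is DT_LNK, so in those cases a `disable_vmware_customization` setting under /etc/cloud/cloud.cfg.d/ is silently skipped and /etc/cloud/cloud.cfg wins, whereas cloud-init itself reads those files. Treat DT_UNKNOWN and DT_LNK as candidates and fall back to stat() where the type matters. In GetDisableVMwareCustomizationFlagStatus the loop does not stop at the first match, so when a file contains the key more than once the last occurrence wins, and `^\\s*` accepts any indentation, so a nested key under another mapping also matches; both behaviours belong in the function comment. Minor: `regmatch_t groupArray[maxGroups]` with a non-const `size_t maxGroups` is a VLA, and `\s` is a GNU extension to POSIX ERE rather than portable syntax.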
diff -Nru open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h
--- open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2016-2019 VMware, Inc. All rights reserved.
+ * Copyright (c) 2016-2019, 2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -24,7 +24,7 @@
#include "imgcust-common/imgcust-api.h"
IMGCUST_API bool
-IsCloudInitEnabled(const char* configFile);
+IsCloudInitCustomizationEnabled();
IMGCUST_API char *
GetCustomScript(const char* dirPath);
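Review bot: `IsCloudInitCustomizationEnabled();` declares a function with an unspecified parameter list in C; write `IsCloudInitCustomizationEnabled(void);` here and in the definition so a call with arguments is rejected at compile time. Also, this replaces the exported IMGCUST_API symbol IsCloudInitEnabled instead of adding alongside it, which is an ABI break for anything linking libDeployPkg; either keep the old symbol as a thin wrapper or call out the library version bump in the release notes.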
diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h
--- open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2020-2021 VMware, Inc. All rights reserved.
+ * Copyright (C) 2020-2021,2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c
--- open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2020-2021 VMware, Inc. All rights reserved.
+ * Copyright (C) 2020-2021,2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/vix/vixToolsInt.h open-vm-tools-12.3.5/open-vm-tools/services/plugins/vix/vixToolsInt.h
--- open-vm-tools-12.3.0/open-vm-tools/services/plugins/vix/vixToolsInt.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/vix/vixToolsInt.h 2023-10-26 15:39:15.000000000 +0000
@@ -204,9 +204,7 @@
const char *token,
const char *username,
char *serviceUsername,
-#ifdef VMTOOLS_FS_VGAUTH_HOST_VERIFICATION
Bool hostVerified,
-#endif
void **userToken,
VGAuthUserHandle **curUserHandle);
#endif // _WIN32
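Review bot: dropping the `#ifdef VMTOOLS_FS_VGAUTH_HOST_VERIFICATION` guard makes `Bool hostVerified` an unconditional parameter of this prototype, but the matching definition and its callers are not in this diff; confirm they were changed the same way or the build breaks, and check whether the macro is still referenced anywhere else (build system included) now that it no longer gates this interface. A ChangeLog line saying host verification is no longer a compile-time option would help downstream builders who set that define.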
diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/vmbackup/scriptOps.c open-vm-tools-12.3.5/open-vm-tools/services/plugins/vmbackup/scriptOps.c
--- open-vm-tools-12.3.0/open-vm-tools/services/plugins/vmbackup/scriptOps.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/vmbackup/scriptOps.c 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2007-2019, 2021 VMware, Inc. All rights reserved.
+ * Copyright (c) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -157,7 +157,7 @@
if (File_IsFile(scripts[index].path)) {
char *cmd;
- if (op->state->scriptArg != NULL) {
+ if (op->state->scriptArg != NULL && op->state->scriptArg[0] != '\0') {
cmd = Str_Asprintf(NULL, "\"%s\" %s \"%s\"", scripts[index].path,
scriptOp, op->state->scriptArg);
} else {
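Review bot: scriptArg is still interpolated into the command line inside plain double quotes with no escaping, so if it can contain `"`, `$` or backticks and cmd is later handed to a shell, the argument can break out of the quoting; please document where scriptArg originates and how cmd is executed, or escape it before formatting. The added `scriptArg[0] != '\0'` test is also a behaviour change: an empty argument used to reach the script as an explicit `""` third parameter and now is not passed at all, so a freeze/thaw script that inspects `$#` sees a different argv; that deserves a sentence in the release notes.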
diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/vmtoolsd/mainPosix.c open-vm-tools-12.3.5/open-vm-tools/services/vmtoolsd/mainPosix.c
--- open-vm-tools-12.3.0/open-vm-tools/services/vmtoolsd/mainPosix.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/services/vmtoolsd/mainPosix.c 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (c) 2008-2020,2022 VMware, Inc. All rights reserved.
+ * Copyright (c) 2008-2020,2022-2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -28,10 +28,12 @@
#include
#include
#include
+#include
#include
#include "file.h"
#include "guestApp.h"
#include "hostinfo.h"
+#include "su.h"
#include "system.h"
#include "unicode.h"
#include "util.h"
@@ -155,6 +157,59 @@
/**
+ * Tools function to set close-on-exec flg for the fd.
+ *
+ * @param[in] fd open file descriptor.
+ *
+ * @return TRUE on success, FALSE otherwise.
+ */
+
+static gboolean
+ToolsSetCloexecFlag(int fd)
+{
+ int flags;
+
+ if (fd == -1) {
+ /* fd is not present, no need to manipulate */
+ return TRUE;
+ }
+
+ flags = fcntl(fd, F_GETFD, 0);
+ if (flags < 0) {
+ g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno);
+ return FALSE;
+ }
+ flags |= FD_CLOEXEC;
+ if (fcntl(fd, F_SETFD, flags) < 0) {
+ g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno);
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+
+/**
+ * Tools function to close the fds.
+ */
+
+static void
+ToolsCloseFds(void)
+{
+ if (gState.ctx.blockFD != -1) {
+ close(gState.ctx.blockFD);
+ }
+
+ /*
+ * uinputFD will be available only for wayland.
+ */
+ if (gState.ctx.uinputFD != -1) {
+ close(gState.ctx.uinputFD);
+ }
+}
+
+
+/**
* Tools daemon entry function.
*
* @param[in] argc Argument count.
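Review bot: ToolsCloseFds() closes gState.ctx.blockFD and gState.ctx.uinputFD but leaves the fields set, so any cleanup that runs later on the `exit` path and also consults these fields would close the same numbers a second time, possibly hitting an unrelated descriptor that has since reused them; set both fields to -1 after close(). In ToolsSetCloexecFlag, errno is an int printed with `%u` and without strerror(), and neither g_printerr() message ends in a newline (g_printerr does not add one); use `%d` or strerror(errno) and a trailing `\n`. Typo in the doc comment: "flg".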
@@ -210,6 +265,27 @@
g_free(argvCopy);
argvCopy = NULL;
+ /*
+ * Drops privilege to the real uid and gid of the process
+ * for the "vmusr" service.
+ */
+ if (TOOLS_IS_USER_SERVICE(&gState)) {
+ uid_t uid = getuid();
+ gid_t gid = getgid();
+
+ if ((Id_SetREUid(uid, uid) != 0) ||
+ (Id_SetREGid(gid, gid) != 0)) {
+ g_printerr("could not drop privileges: %s", strerror(errno));
+ ToolsCloseFds();
+ goto exit;
+ }
+ if (!ToolsSetCloexecFlag(gState.ctx.blockFD) ||
+ !ToolsSetCloexecFlag(gState.ctx.uinputFD)) {
+ ToolsCloseFds();
+ goto exit;
+ }
+ }
+
if (gState.pidFile != NULL) {
/*
* If argv[0] is not an absolute path, make it so; all other path
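Review bot: the privilege drop calls Id_SetREUid() before Id_SetREGid(). The usual order is the reverse: drop group identity first while still privileged, then the user identity, because once the effective uid is no longer 0 a gid change that still needs privilege fails and leaves the gid as it was. It is harmless here only because the wrapper is setuid rather than setgid and gid is already the real gid; make the order robust anyway and verify the drop afterwards (geteuid() == uid, and an attempt to regain uid 0 fails) instead of trusting the return codes alone. Setting FD_CLOEXEC after the drop is fine since nothing execs in between, but as these descriptors were handed over by the suid wrapper it would be cleaner to mark them close-on-exec as the first thing this block does.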
diff -Nru open-vm-tools-12.3.0/open-vm-tools/tests/Makefile.am open-vm-tools-12.3.5/open-vm-tools/tests/Makefile.am
--- open-vm-tools-12.3.0/open-vm-tools/tests/Makefile.am 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/tests/Makefile.am 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
################################################################################
-### Copyright (c) 2009-2016,2022 VMware, Inc. All rights reserved.
+### Copyright (c) 2009-2016,2022,2023 VMware, Inc. All rights reserved.
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of version 2 of the GNU General Public License as
diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/VGAuthProto.h open-vm-tools-12.3.5/open-vm-tools/vgauth/common/VGAuthProto.h
--- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/VGAuthProto.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/VGAuthProto.h 2023-10-26 15:39:15.000000000 +0000
@@ -622,7 +622,6 @@
#define VGAUTH_REQUESTVALIDATESAMLBEARERTOKEN_ELEMENT_NAME "ValidateSamlBToken"
-
#define VGAUTH_VALIDATESAMLBEARERTOKEN_REQUEST_FORMAT \
VGAUTH_REQUEST_FORMAT_START \
"<"VGAUTH_REQUESTNAME_ELEMENT_NAME">"VGAUTH_REQUESTVALIDATESAMLBEARERTOKEN_ELEMENT_NAME""VGAUTH_REQUESTNAME_ELEMENT_NAME">" \
@@ -632,7 +631,6 @@
"<"VGAUTH_HOST_VERIFIED_ELEMENT_NAME">%s"VGAUTH_HOST_VERIFIED_ELEMENT_NAME">" \
VGAUTH_REQUEST_FORMAT_END
-
#define VGAUTH_VALIDATESAMLBEARERTOKEN_REPLY_FORMAT_START \
VGAUTH_REPLY_FORMAT_START \
"<"VGAUTH_USERNAME_ELEMENT_NAME">%s"VGAUTH_USERNAME_ELEMENT_NAME">" \
diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.c open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.c
--- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.c 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (c) 2011-2016, 2018-2019, 2021-2022 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2016, 2018-2019, 2021-2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -914,3 +914,148 @@
return err;
}
+
+
+/*
+ * Finds a cert with a subject (if checkSubj is set) or issuer (if
+ * checkSUbj is unset), matching 'val' in the list
+ * of certs. Returns a match or NULL.
+ */
+
+static X509 *
+FindCert(GList *cList,
+ X509_NAME *val,
+ int checkSubj)
+{
+ GList *l;
+ X509 *c;
+ X509_NAME *v;
+
+ l = cList;
+ while (l != NULL) {
+ c = (X509 *) l->data;
+ if (checkSubj) {
+ v = X509_get_subject_name(c);
+ } else {
+ v = X509_get_issuer_name(c);
+ }
+ if (X509_NAME_cmp(val, v) == 0) {
+ return c;
+ }
+ l = l->next;
+ }
+ return NULL;
+}
+
+
+/*
+ ******************************************************************************
+ * CertVerify_CheckForUnrelatedCerts -- */ /**
+ *
+ * Looks over a list of certs. If it finds that they are not all
+ * part of the same chain, returns failure.
+ *
+ * @param[in] numCerts The number of certs in the chain.
+ * @param[in] pemCerts The chain of certificates to verify.
+ *
+ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
+ *
+ ******************************************************************************
+ */
+
+VGAuthError
+CertVerify_CheckForUnrelatedCerts(int numCerts,
+ const char **pemCerts)
+{
+ VGAuthError err = VGAUTH_E_FAIL;
+ int chainLen = 0;
+ int i;
+ X509 **certs = NULL;
+ GList *rawList = NULL;
+ X509 *baseCert;
+ X509 *curCert;
+ X509_NAME *subject;
+ X509_NAME *issuer;
+
+ /* common single cert case; nothing to do */
+ if (numCerts == 1) {
+ return VGAUTH_E_OK;
+ }
+
+ /* convert all PEM to X509 objects */
+ certs = g_malloc0(numCerts * sizeof(X509 *));
+ for (i = 0; i < numCerts; i++) {
+ certs[i] = CertStringToX509(pemCerts[i]);
+ if (NULL == certs[i]) {
+ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
+ goto done;
+ }
+ }
+
+ /* choose the cert to start the chain. shouldn't matter which */
+ baseCert = certs[0];
+
+ /* put the rest into a list */
+ for (i = 1; i < numCerts; i++) {
+ rawList = g_list_append(rawList, certs[i]);
+ }
+
+ /* now chase down to a leaf, looking for certs the baseCert issued */
+ subject = X509_get_subject_name(baseCert);
+ while ((curCert = FindCert(rawList, subject, 0)) != NULL) {
+ /* pull it from the list */
+ rawList = g_list_remove(rawList, curCert);
+ /* set up the next find */
+ subject = X509_get_subject_name(curCert);
+ }
+
+ /*
+ * walk up to the root cert, by finding a cert where the
+ * issuer equals the subject of the current
+ */
+ issuer = X509_get_issuer_name(baseCert);
+ while ((curCert = FindCert(rawList, issuer, 1)) != NULL) {
+ /* pull it from the list */
+ rawList = g_list_remove(rawList, curCert);
+ /* set up the next find */
+ issuer = X509_get_issuer_name(curCert);
+ }
+
+ /*
+ * At this point, anything on the list should be certs that are not part
+ * of the chain that includes the original 'baseCert'.
+ *
+ * For a valid token, the list should be empty.
+ */
+ chainLen = g_list_length(rawList);
+ if (chainLen != 0 ) {
+ GList *l;
+
+ g_warning("%s: %d unrelated certs found in list\n",
+ __FUNCTION__, chainLen);
+
+ /* debug helper */
+ l = rawList;
+ while (l != NULL) {
+ X509* c = (X509 *) l->data;
+ char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0);
+
+ g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s);
+ free(s);
+ l = l->next;
+ }
+
+ goto done;
+ }
+
+ g_debug("%s: Success! no unrelated certs found\n", __FUNCTION__);
+ err = VGAUTH_E_OK;
+
+done:
+ g_list_free(rawList);
+ for (i = 0; i < numCerts; i++) {
+ X509_free(certs[i]);
+ }
+ g_free(certs);
+ return err;
+}
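Review bot: `free(s)` on the result of X509_NAME_oneline(..., NULL, 0) is the wrong deallocator; OpenSSL allocates that buffer with OPENSSL_malloc() and it must be released with OPENSSL_free(), otherwise this breaks under CRYPTO_set_mem_functions() and on Windows builds where library and application CRTs differ. Second, only `numCerts == 1` is short-circuited: with numCerts of 0, g_malloc0(0) returns NULL, both loops are no-ops and the function reports success, and a negative value overflows the size computation; reject `numCerts < 1` explicitly rather than relying on the caller. Third, the relation test is by subject/issuer name only, which is the right cheap pre-filter but not proof of a chain: a cert whose names were forged to match passes here and must still be caught by the signature and trust verification that follows in the caller, so the function comment should say this is a structural check. Note also that an exact duplicate of a chained cert stays on the list and is reported as unrelated, which may be intended but should be documented, and `chainLen` holds the count of leftovers, not a chain length. Typo: `checkSUbj`.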
diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.h open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.h
--- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.h 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2011-2016, 2020 VMware, Inc. All rights reserved.
+ * Copyright (C) 2011-2016, 2020, 2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -67,6 +67,10 @@
size_t signatureLen,
const unsigned char *signature);
+
+VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts,
+ const char **pemCerts);
+
gchar * CertVerify_StripPEMCert(const gchar *pemCert);
gchar * CertVerify_CertToX509String(const gchar *pemCert);
diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/prefs.h open-vm-tools-12.3.5/open-vm-tools/vgauth/common/prefs.h
--- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/prefs.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/prefs.h 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2011-2019 VMware, Inc. All rights reserved.
+ * Copyright (C) 2011-2019,2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -136,6 +136,8 @@
#define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir"
/** The number of seconds slack allowed in either direction in SAML token date checks. */
#define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment"
+/** If unrelated certificates are allowed in a SAML token */
+#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts"
/** Ticket group name. */
#define VGAUTH_PREF_GROUP_NAME_TICKET "ticket"
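Review bot: the comment on VGAUTH_PREF_ALLOW_UNRELATED_CERTS should state the default (false, per the Pref_GetBool call that reads it) and that enabling it turns off the unrelated-certificate check for every SAML token the service validates, i.e. restores the pre-fix behaviour. A knob that weakens authentication deserves that warning in the header that defines it, the way clockSkewAdjustment above describes its effect.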
diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/public/VGAuthAuthentication.h open-vm-tools-12.3.5/open-vm-tools/vgauth/public/VGAuthAuthentication.h
--- open-vm-tools-12.3.0/open-vm-tools/vgauth/public/VGAuthAuthentication.h 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/vgauth/public/VGAuthAuthentication.h 2023-10-26 15:39:15.000000000 +0000
@@ -198,7 +198,7 @@
#define VGAUTH_PARAM_VALIDATE_INFO_ONLY "validateInfoOnly"
-# define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified"
+#define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified"
VGAuthError VGAuth_ValidateSamlBearerToken(VGAuthContext *ctx,
const char *samlToken,
diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c open-vm-tools-12.3.5/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
--- open-vm-tools-12.3.0/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c 2023-10-26 15:39:15.000000000 +0000
@@ -49,6 +49,7 @@
#include "vmxlog.h"
static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS;
+static gboolean gAllowUnrelatedCerts = FALSE;
static xmlSchemaPtr gParsedSchemas = NULL;
static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL;
@@ -369,6 +370,10 @@
VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS);
Log("%s: Allowing %d of clock skew for SAML date validation\n",
__FUNCTION__, gClockSkewAdjustment);
+ gAllowUnrelatedCerts = Pref_GetBool(gPrefs,
+ VGAUTH_PREF_ALLOW_UNRELATED_CERTS,
+ VGAUTH_PREF_GROUP_NAME_SERVICE,
+ FALSE);
}
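Review bot: unlike the clock-skew setting a few lines above, which is logged with its effective value, gAllowUnrelatedCerts is read silently; log it at startup (at least when it is TRUE) so an operator or auditor reading the vgauth log can see that the unrelated-certificate check has been switched off for this guest.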
@@ -1697,6 +1702,15 @@
return VGAUTH_E_AUTHENTICATION_DENIED;
}
+ if (!gAllowUnrelatedCerts) {
+ err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain);
+ if (err != VGAUTH_E_OK) {
+ VMXLog_Log(VMXLOG_LEVEL_WARNING,
+ "Unrelated certs found in SAML token, failing\n");
+ return VGAUTH_E_AUTHENTICATION_DENIED;
+ }
+ }
+
subj.type = SUBJECT_TYPE_NAMED;
subj.name = *subjNameOut;
err = ServiceVerifyAndCheckTrustCertChainForSubject(num,
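Review bot: the denial here is reported only through VMXLog_Log(), which goes to the hypervisor-side log; add a Log() or g_warning() as well so the guest-side vgauth log records why the token was rejected, and include `num` so the count is visible next to the warning CertVerify_CheckForUnrelatedCerts already emits. The ordering is right and should stay: the name-based check runs before ServiceVerifyAndCheckTrustCertChainForSubject, so a token carrying unrelated certs is refused before any signature work is spent on it.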
diff -Nru open-vm-tools-12.3.0/open-vm-tools/vmware-user-suid-wrapper/main.c open-vm-tools-12.3.5/open-vm-tools/vmware-user-suid-wrapper/main.c
--- open-vm-tools-12.3.0/open-vm-tools/vmware-user-suid-wrapper/main.c 2023-08-31 14:38:59.000000000 +0000
+++ open-vm-tools-12.3.5/open-vm-tools/vmware-user-suid-wrapper/main.c 2023-10-26 15:39:15.000000000 +0000
@@ -1,5 +1,5 @@
/*********************************************************
- * Copyright (C) 2007-2018 VMware, Inc. All rights reserved.
+ * Copyright (C) 2007-2018,2023 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
@@ -156,8 +156,7 @@
*
* Obtains the library directory from the Tools locations database, then
* opens a file descriptor (while still root) to add and remove blocks,
- * drops privilege to the real uid of this process, and finally starts
- * vmware-user.
+ * and finally starts vmware-user.
*
* Results:
* Parent: TRUE on success, FALSE on failure.
@@ -173,8 +172,6 @@
StartVMwareUser(char *const envp[])
{
pid_t pid;
- uid_t uid;
- gid_t gid;
int blockFd = -1;
char blockFdStr[8];
int uinputFd = -1;
@@ -191,8 +188,8 @@
}
/*
- * Now create a child process, obtain a file descriptor as root, downgrade
- * privilege, and run vmware-user.
+ * Now create a child process, obtain a file descriptor as root and
+ * run vmware-user.
*/
pid = fork();
if (pid == -1) {
@@ -229,23 +226,6 @@
}
}
- uid = getuid();
- gid = getgid();
-
- if ((setreuid(uid, uid) != 0) ||
- (setregid(gid, gid) != 0)) {
- Error("could not drop privileges: %s\n", strerror(errno));
- if (blockFd != -1) {
- close(blockFd);
- }
- if (useWayland) {
- if (uinputFd != -1) {
- close(uinputFd);
- }
- }
- return FALSE;
- }
-
/*
* Since vmware-user provides features that don't depend on vmblock, we
* invoke vmware-user even if we couldn't obtain a file descriptor or we
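Review bot: with the setreuid()/setregid() block removed, the child forked here now execs vmware-user with effective uid 0 and relies entirely on the new code in vmtoolsd's mainPosix.c to drop privileges, so the wrapper and the vmtoolsd it launches must ship together: a new wrapper execing an older vmtoolsd runs the whole user session as root. Call that version coupling out in the release notes. Because the exec now happens privileged, the `envp` passed into StartVMwareUser() also needs a look, since anything inherited from the invoking user is now delivered into a root process before the drop. Finally, the function comment still reads as if the drop follows the file-descriptor setup; a sentence saying where the drop now happens would help the next reader.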