diff -Nru open-vm-tools-11.3.5/debian/changelog open-vm-tools-11.3.5/debian/changelog --- open-vm-tools-11.3.5/debian/changelog 2022-02-16 17:15:58.000000000 +0000 +++ open-vm-tools-11.3.5/debian/changelog 2022-08-16 13:21:12.000000000 +0000 @@ -1,3 +1,12 @@ +open-vm-tools (2:11.3.5-1ubuntu4.1) jammy-security; urgency=medium + + * SECURITY UPDATE: local privilege escalation + - debian/patches/CVE-2022-31676.patch: check authorization on incoming + guestOps requests in open-vm-tools/vgauth/serviceImpl/proto.c. + - CVE-2022-31676 + + -- Marc Deslauriers Tue, 16 Aug 2022 09:21:12 -0400 + open-vm-tools (2:11.3.5-1ubuntu4) jammy; urgency=medium * No-change rebuild to update maintainer scripts, see LP: 1959054 diff -Nru open-vm-tools-11.3.5/debian/patches/CVE-2022-31676.patch open-vm-tools-11.3.5/debian/patches/CVE-2022-31676.patch --- open-vm-tools-11.3.5/debian/patches/CVE-2022-31676.patch 1970-01-01 00:00:00.000000000 +0000 +++ open-vm-tools-11.3.5/debian/patches/CVE-2022-31676.patch 2022-08-16 13:20:33.000000000 +0000 @@ -0,0 +1,36 @@ +From be635a7eaf7bd19177b7002aa2c793c78be77ecc Mon Sep 17 00:00:00 2001 +From: John Wolfe +Date: Wed, 10 Aug 2022 07:20:28 -0700 +Subject: [PATCH] Properly check authorization on incoming guestOps requests + +Fix public pipe request checks. Only a SessionRequest type should +be accepted on the public pipe. +--- + open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/proto.c b/open-vm-tools/vgauth/serviceImpl/proto.c +index db7159e..c4f85b0 100644 +--- a/open-vm-tools/vgauth/serviceImpl/proto.c ++++ b/open-vm-tools/vgauth/serviceImpl/proto.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016,2019-2021 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016,2019-2022 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -1201,6 +1201,10 @@ Proto_SecurityCheckRequest(ServiceConnection *conn, + VGAuthError err; + gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn); + ++ if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) { ++ return VGAUTH_E_PERMISSION_DENIED; ++ } ++ + switch (req->reqType) { + /* + * This comes over the public connection; alwsys let it through. +-- +2.6.2 + diff -Nru open-vm-tools-11.3.5/debian/patches/series open-vm-tools-11.3.5/debian/patches/series --- open-vm-tools-11.3.5/debian/patches/series 2022-02-01 15:29:32.000000000 +0000 +++ open-vm-tools-11.3.5/debian/patches/series 2022-08-16 13:21:04.000000000 +0000 @@ -2,3 +2,4 @@ debian/scsi-udev-rule Update-open-vm-tools-to-build-with-either-Fuse-3-or-2.patch libc-2.35-compat-FTBFS-fix.patch +CVE-2022-31676.patch