Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package open-vm-tools for openSUSE:Factory checked in at 2023-11-01 22:09:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/open-vm-tools (Old)
 and      /work/SRC/openSUSE:Factory/.open-vm-tools.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "open-vm-tools" Wed Nov 1 22:09:27 2023 rev:120 rq:1121337 version:12.3.5 Changes: -------- --- /work/SRC/openSUSE:Factory/open-vm-tools/open-vm-tools.changes 2023-10-29 19:39:46.662961457 +0100 +++ /work/SRC/openSUSE:Factory/.open-vm-tools.new.17445/open-vm-tools.changes 2023-11-01 22:09:31.710663715 +0100 @@ -2 +2 @@ -Fri Oct 27 14:42:23 UTC 2023 - Kirk Allan <kal...@suse.com> +Mon Oct 30 17:16:18 UTC 2023 - Kirk Allan <kal...@suse.com> 
@@ -4,5 +4,26 @@ -- Fix (bsc#1216432) - VUL-0: CVE-2023-34058: open-vm-tools: SAML token - signature bypass vulnerability. -- Fix (bsc#1216433) - VUL-0: : CVE-2023-34059: open-vm-tools: file - descriptor hijack vulnerability -+ Add patch: +- Update to 12.3.5 (build 22544099) (boo#1216670) + - There are no new features in the open-vm-tools 12.3.5 release. This is + primarily a maintenance release that addresses a few critical problems, + including: + - This release resolves CVE-2023-34058. For more information on this + vulnerability and its impact on VMware products, see + https://www.vmware.com/security/advisories/VMSA-2023-0024.html. + - This release resolves CVE-2023-34059 which only affects open-vm-tools. + For more information on this vulnerability, please see the Resolved + Issues section of the Release Notes. + - A GitHub issue has been handled. Please see the Resolved Issues section + of the Release Notes. + - An update to the deployPkg plugin to coordinate with recent releases + of cloud-init for improvement for guest VM customization. + - For issues resolved in this release, see the Resolved Issues + <https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/ReleaseNotes.md#resolved-issues> + section of the Release Notes. + - For complete details, see: + https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.5 + - Release Notes are available at + https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/ReleaseNotes.md + - The granular changes that have gone into the 12.3.5 release are in the + ChangeLog at + https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/open-vm-tools/ChangeLog + +- Drop patch now contained in 12.3.5: 
@@ -16,0 +38,11 @@ + +------------------------------------------------------------------- +Fri Oct 20 17:16:21 UTC 2023 - Kirk Allan <kal...@suse.com> + +- Fix (bsc#1216432) - VUL-0: CVE-2023-34058: open-vm-tools: SAML token + signature bypass vulnerability. +- Fix (bsc#1216433) - VUL-0: : CVE-2023-34059: open-vm-tools: file + descriptor hijack vulnerability ++ Add patch: + - CVE-2023-34058.patch + - CVE-2023-34059.patch Old: ---- CVE-2023-34058.patch CVE-2023-34059.patch open-vm-tools-12.3.0.tar.xz New: ---- open-vm-tools-12.3.5.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ open-vm-tools.spec ++++++ --- /var/tmp/diff_new_pack.AgxRgY/_old 2023-11-01 22:09:33.322722884 +0100 +++ /var/tmp/diff_new_pack.AgxRgY/_new 2023-11-01 22:09:33.330723178 +0100 @@ -38,7 +38,7 @@ %define with_X 1 Name: open-vm-tools -Version: 12.3.0 +Version: 12.3.5 Release: 0 Summary: Open Virtual Machine Tools License: BSD-3-Clause AND GPL-2.0-only AND LGPL-2.1-only @@ -156,8 +156,6 @@ Supplements: modalias(pci:v000015ADd*sv*sd*bc*sc*i*) ExclusiveArch: %ix86 x86_64 aarch64 #Upstream patches -Patch2: CVE-2023-34058.patch -Patch3: CVE-2023-34059.patch #SUSE specific patches Patch0: pam-vmtoolsd.patch @@ -260,8 +258,6 @@ # fix for an rpmlint warning regarding wrong line feeds sed -i -e "s/\r//" README #Upstream patches -%patch2 -p2 -%patch3 -p2 #SUSE specific patches %patch0 -p2 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.AgxRgY/_old 2023-11-01 22:09:33.538730813 +0100 +++ /var/tmp/diff_new_pack.AgxRgY/_new 2023-11-01 22:09:33.578732281 +0100 
@@ -2,9 +2,9 @@ <service name="tar_scm" mode="disabled"> <param name="scm">git</param> <param name="url">https://github.com/vmware/open-vm-tools.git</param> - <param name="revision">stable-12.3.0</param> + <param name="revision">stable-12.3.5</param> <param name="filename">open-vm-tools</param> - <param name="versionformat">12.3.0</param> + <param name="versionformat">12.3.5</param> </service> <service name="recompress" mode="disabled"> <param name="file">*.tar</param> ++++++ open-vm-tools-12.3.0.tar.xz -> open-vm-tools-12.3.5.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/ReleaseNotes.md new/open-vm-tools-12.3.5/ReleaseNotes.md --- old/open-vm-tools-12.3.0/ReleaseNotes.md 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/ReleaseNotes.md 2023-10-26 17:39:15.000000000 +0200 @@ -1,8 +1,8 @@ -# open-vm-tools 12.3.0 Release Notes +# open-vm-tools 12.3.5 Release Notes -Updated on: 31 August 2023 +Updated on: 26 October 2023 -open-vm-tools | 31 AUGUST 2023 | Build 22234872 +open-vm-tools | 26 OCTOBER 2023 | Build 22544099 Check back for additions and updates to these release notes. @@ -10,7 +10,7 @@ The release notes cover the following topics: -- [open-vm-tools 12.3.0 Release Notes](#open-vm-tools-1230-release-notes) +- [open-vm-tools 12.3.5 Release Notes](#open-vm-tools-1235-release-notes) - [What's in the Release Notes](#whats-in-the-release-notes) - [What's New](#whats-new) - [End of Feature Support Notice](#end-of-feature-support-notice) 
@@ -22,13 +22,15 @@ ## <a id="whatsnew" name="whatsnew"></a>What's New -This release resolves CVE-2023-20900. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. +* This release resolves CVE-2023-34058. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html. + +* This release resolves CVE-2023-34059 which only affects open-vm-tools. * Please see the [Resolved Issues](#resolvedissues) and [Known Issues](#knownissues) sections below. -* A complete list of the granular changes in the open-vm-tools 12.3.0 release is available at: +* A complete list of the granular changes in the open-vm-tools 12.3.5 release is available at: - [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog) + [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/open-vm-tools/ChangeLog) ## <a id="endsupport" name="endsupport"></a>End of Feature Support Notice @@ -38,7 +40,7 @@ ## <a id="i18n" name="i18n"></a>Internationalization -open-vm-tools 12.3.0 is available in the following languages: +open-vm-tools 12.3.5 is available in the following languages: * English * French 
@@ -60,66 +62,32 @@ ## <a id="resolvedissues" name ="resolvedissues"></a> Resolved Issues -* **This release resolves CVE-2023-20900.** - - For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. - -* **Linux quiesced snapshot: "SyncDriver: failed to freeze '_filesystem_'"** - - The open-vm-tools 12.2.0 release had an update to the Linux quiesced snapshot operation that would avoid starting a quiesced snapshot if a filesystem had already been frozen by another process. See the [Resolved Issues](https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/ReleaseNotes.md#-resolved-issues) section in the open-vm-tools 12.2.0 Release Notes. That fix may have been backported into earlier versions of open-vm-tools by Linux vendors. - - It is possible that filesystems are being frozen in custom pre-freeze scripts to control the order in which those specific filesystems are to be frozen. The vmtoolsd process **must be informed** of all such filesystems with the help of "excludedFileSystems" setting of tools.conf. - - ``` - [vmbackup] - - excludedFileSystems=/opt/data,/opt/app/project-*,... - ``` - - A temporary workaround is available (starting from open-vm-tools 12.3.0) for system administrators to quickly allow a quiescing operation to succeed until the "excludedFileSystems" list can be configured. Note, if another process thaws the file system while a quiescing snapshot operation is ongoing, the snapshot may be compromised. Once the "excludedFileSystems" list is configured this setting MUST be unset (or set to false). - - ``` - [vmbackup] - - ignoreFrozenFileSystems = true - ``` - - This workaround is provided in the source file changes in - - https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a6bed6501da2 - - and at Linux vendors' discretion, may be backported to earlier versions of open-vm-tools. 
- -* **A number of Coverity reported issues have been addressed.** +* **This release resolves CVE-2023-34058.** -* **Component Manager / salt-minion: New InstallStatus "UNMANAGED".** + For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html. - Salt-minion added support for "ExternalInstall" (106) to indicate an older version of salt-minion is installed on the vm and cannot be managed by the svtminion.* scripts. The Component Manager will track that as "UNMANAGED" and take no action. + open-vm-tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H -* **The following pull requests and issues have been addressed** + A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias. - * Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES + Note: While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that must be addressed. - [Issue #638](https://github.com/vmware/open-vm-tools/issues/638) - [Pull request #639](https://github.com/vmware/open-vm-tools/pull/639) + A patch for earlier versions of open-vm-tools is available at [CVE-2023-34058.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch). - * Invalid argument with "\\" in Linux username (Active Directory user) +* **This release resolves CVE-2023-34059.** - [Issue #641](https://github.com/vmware/open-vm-tools/issues/641) + open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. 
VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.4. - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - * Improve POSIX guest identification + A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs. - [Issue #647](https://github.com/vmware/open-vm-tools/issues/647) - [Issue #648](https://github.com/vmware/open-vm-tools/issues/648) + A patch for earlier versions of open-vm-tools is available at [CVE-2023-34059.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch). - * Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib" +* **The following github.com/vmware/open-vm-tools issue have been addressed** - [Issue #658](https://github.com/vmware/open-vm-tools/issues/658) + * Better cooperation between deployPkg plugin and cloud-init concerning location of 'disable_vmware_customization' flag. - * Fix build problems with grpc + [Issue #310](https://github.com/vmware/open-vm-tools/issues/310) - [Pull request #664](https://github.com/vmware/open-vm-tools/pull/664) - [Issue #676](https://github.com/vmware/open-vm-tools/issues/676) ## <a id="knownissues" name="knownissues"></a>Known Issues diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/ChangeLog new/open-vm-tools-12.3.5/open-vm-tools/ChangeLog --- old/open-vm-tools-12.3.0/open-vm-tools/ChangeLog 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/ChangeLog 2023-10-26 17:39:15.000000000 +0200 
@@ -1,3 +1,119 @@ +commit 6acd1f6742a8fc0dea9cabf7ba15416a2daf5075 +Author: Katy Feng <fk...@vmware.com> +Date: Thu Oct 26 08:35:59 2023 -0700 + + Update the ReleaseNotes.md for the 12.3.5 open-vm-tools release. + +commit d5a0ca16b64730507735281012bc3a4660c5b46c +Author: Katy Feng <fk...@vmware.com> +Date: Wed Oct 25 11:13:15 2023 -0700 + + Prepare for the open-vm-tools 12.3.5 release. + - Update the tools version in the configure.ac. + - Update the build numbers in the buldNumber.h. + +commit ca8bde40e2bb2e03b5f3a38530f6be0d4b19de34 +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:31:51 2023 -0700 + + Update the ChangeLog file with the changes in the 12.3.5 open-vm-tools release. + - plus the 12.3.0 open-vm-tools release point in the ChangeLog. + +commit 1bfe23d728b74e08f4f65cd9b0093ca73937003a +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:24:48 2023 -0700 + + Don't accept tokens with unrelated certs + + If a SAML token has a cert that's not a part of a chain, + fail the token as invalid. + +commit 63f7c79c4aecb14d37cc4ce9da509419e31d394f +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:24:48 2023 -0700 + + File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapperx + on Linux + + Moving the privilege drop logic (dropping privilege to the real uid and + gid of the process for the vmusr service) from suidWrapper to vmtoolsd code. + Now the vmtoolsd is not executed with dropped privileges (started as setuid + program) and the dumpable attribute of the process is not reset. + The unprivileged user will not have access to the privileged file descriptors + in the vmtoolsd vmusr process. + Also, setting the FD_CLOEXEC flag for both uinputFd and blockFd preventing + the file descriptors being inherited any further from the vmtoolsd. + +commit 3b5308bb4bdf3eeebd49808eb0efa015aa183772 +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:24:48 2023 -0700 + + Suppress optional arg to backup scripts when empty string. 
+ Backup scripts can be called with an optional argument. Don't pass the + optional arg to the script if it's an empty string. + +commit 395cb80dc14e86f07e22541ae5ff205ad695056e +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:24:48 2023 -0700 + + Checking flag 'disable_vmware_customization' in more cloud-init config files + + Currently, deployPkg plugin checks the existence of flag + 'disable_vmware_customization: false' in the /etc/cloud/cloud.cfg file + to determine if VMware customization is enabled or not on cloud-init + side when cloud-init is available in guest. + Both cloud-init team and customers suggested that it's better practice to + put local configuration like this flag into some .cfg files under + /etc/cloud/cloud.cfg.d directory, ex: /etc/cloud/cloud.cfg.d/somefile.cfg + + This change implements the following adjustments to make sure we handle + this flag the same way as cloud-init does in ds-identify and Datasource: + 1. Instead of regex matching flag 'disable_vmware_customization: false', + we will check the value of flag 'disable_vmware_customization': + If the value is 'false', it means VMware customization is enabled. + If the value is 'true', it means VMware customization is disabled. + If the flag is not set, by default VMware customization is disabled + on cloud-init side. + 2. Besides cloud-init /etc/cloud/cloud.cfg file, we will check all .cfg + files under /etc/cloud/cloud.cfg.d directory. + 3. The value of flag 'disable_vmware_customization' in .cfg files under + /etc/cloud/cloud.cfg.d directory will overwrite the one in + /etc/cloud/cloud.cfg file. + 4. The value of flag 'disable_vmware_customization' in a .cfg file listed + further down the alphabetical order under /etc/cloud/cloud.cfg.d directory + will overwrite the value in a .cfg file listed earier. + 5. If a cloud-init config file contains more than one instance of this + flag, the value of the later flag will overwrite the former one's. 
+ + Github Issue: https://github.com/vmware/open-vm-tools/issues/310 + +commit d9ffb3275ada811caa8478d481cd9003766baa1c +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:24:48 2023 -0700 + + Add missed 2023 copyright change. + +commit ba8219ee4bab927d7142e8392b20e183c589786e +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:24:48 2023 -0700 + + Enabling the open-vm-tools VGAuth Host Verification feature. + + The Host Verified SAML token work is complete. Adding the new code to the + open-vm-tools source. + +commit 650ce059114e09cbac3594b9e1be4069febe4311 +Author: Katy Feng <fk...@vmware.com> +Date: Tue Oct 17 15:24:47 2023 -0700 + + Setting the VMware Tools version to 12.3.5. + +commit 865e76adf86fb38380220a3b760aa92ba5407c60 +Author: Katy Feng <fk...@vmware.com> +Date: Thu Aug 31 07:38:59 2023 -0700 + + Update of the ChangeLog with the "open-vm-tools 12.3.0" release point marker. + commit 4fe4b1be1d7139aa571a6431f26904e6f0b77883 Author: Katy Feng <fk...@vmware.com> Date: Thu Aug 31 07:32:27 2023 -0700 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/configure.ac new/open-vm-tools-12.3.5/open-vm-tools/configure.ac --- old/open-vm-tools-12.3.0/open-vm-tools/configure.ac 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/configure.ac 2023-10-26 17:39:15.000000000 +0200 @@ -35,10 +35,10 @@ ### Initialization ### -TOOLS_VERSION="12.3.0" +TOOLS_VERSION="12.3.5" AC_INIT( [open-vm-tools], - [12.3.0], + [12.3.5], [open-vm-tools-de...@lists.sourceforge.net]) # In order to make this configure script auto-detect situations where 
@@ -1944,12 +1944,6 @@ -AM_CONDITIONAL([VMTOOLS_FS_VGAUTH_HOST_VERIFICATION],[true]) -if test "$enable_vgauth" = "yes"; then - echo "Enabling vgauth host verification" - CPPFLAGS="$CPPFLAGS -DVMTOOLS_FS_VGAUTH_HOST_VERIFICATION" -fi - ### ### Output diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/lib/include/buildNumber.h new/open-vm-tools-12.3.5/open-vm-tools/lib/include/buildNumber.h --- old/open-vm-tools-12.3.0/open-vm-tools/lib/include/buildNumber.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/lib/include/buildNumber.h 2023-10-26 17:39:15.000000000 +0200 @@ -1,12 +1,12 @@ #define BUILD_NUMBER \ - "build-22234872" + "build-22544099" #define BUILD_NUMBER_NUMERIC \ - 22234872 + 22544099 #define BUILD_NUMBER_NUMERIC_STRING \ - "22234872" + "22544099" #define PRODUCT_BUILD_NUMBER \ - "product-build-44994" + "product-build-46049" #define PRODUCT_BUILD_NUMBER_NUMERIC \ - 44994 + 46049 #define PRODUCT_BUILD_NUMBER_NUMERIC_STRING \ - "44994" + "46049" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/lib/include/compat/compat_stdarg.h new/open-vm-tools-12.3.5/open-vm-tools/lib/include/compat/compat_stdarg.h --- old/open-vm-tools-12.3.0/open-vm-tools/lib/include/compat/compat_stdarg.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/lib/include/compat/compat_stdarg.h 2023-10-26 17:39:15.000000000 +0200 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2006-2016 VMware, Inc. All rights reserved. + * Copyright (C) 2006-2016,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/lib/include/vm_tools_version.h new/open-vm-tools-12.3.5/open-vm-tools/lib/include/vm_tools_version.h --- old/open-vm-tools-12.3.0/open-vm-tools/lib/include/vm_tools_version.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/lib/include/vm_tools_version.h 2023-10-26 17:39:15.000000000 +0200 
@@ -1751,15 +1751,22 @@ #define TOOLS_VERSION_BANDSAW_UPDATE1_V_BASE 5 #ifndef RC_INVOKED -#define TOOLS_VERSION_NEXT TOOLS_VERSION_TO_UINT(TOOLS_VERSION_NEXT_V) +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE TOOLS_VERSION_TO_UINT(TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V) #endif /* RC_INVOKED */ -#define TOOLS_VERSION_NEXT_V_MJR 12 -#define TOOLS_VERSION_NEXT_V_MNR 3 -#define TOOLS_VERSION_NEXT_V_BASE 0 +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_MJR 12 +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_MNR 3 +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_BASE 0 -#define TOOLS_VERSION_CURRENT TOOLS_VERSION_NEXT -#define TOOLS_VERSION_CURRENT_STR TOOLS_VERSION_TO_STR(TOOLS_VERSION_NEXT) -#define TOOLS_VERSION_CURRENT_CSV TOOLS_VERSION_TO_CSV(TOOLS_VERSION_NEXT) +#ifndef RC_INVOKED +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1 TOOLS_VERSION_TO_UINT(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V) +#endif /* RC_INVOKED */ +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_MJR 12 +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_MNR 3 +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_BASE 5 + +#define TOOLS_VERSION_CURRENT TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1 +#define TOOLS_VERSION_CURRENT_STR TOOLS_VERSION_TO_STR(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1) +#define TOOLS_VERSION_CURRENT_CSV TOOLS_VERSION_TO_CSV(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1) /* * The extended Tools version is the current Tools version with the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeployment.c new/open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeployment.c --- old/open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeployment.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeployment.c 2023-10-26 17:39:15.000000000 +0200 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (c) 2006-2022 VMware, Inc. All rights reserved. + * Copyright (c) 2006-2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -1236,7 +1236,6 @@ { static const char cfgName[] = "cust.cfg"; static const char metadataName[] = "metadata"; - static const char cloudInitConfigFilePath[] = "/etc/cloud/cloud.cfg"; static const char cloudInitCommand[] = "/usr/bin/cloud-init -v"; char cloudInitCommandOutput[MAX_LENGTH_CLOUDINIT_VERSION]; int forkExecResult; @@ -1288,7 +1287,7 @@ return USE_CLOUDINIT_OK; } } else { - if (IsCloudInitEnabled(cloudInitConfigFilePath)) { + if (IsCloudInitCustomizationEnabled()) { return USE_CLOUDINIT_OK; } else { return USE_CLOUDINIT_DISABLED; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c new/open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c --- old/open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c 2023-10-26 17:39:15.000000000 +0200 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2016-2019 VMware, Inc. All rights reserved. + * Copyright (c) 2016-2019, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -18,70 +18,99 @@ #include <dirent.h> #include <errno.h> +#include <limits.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <regex.h> #include "linuxDeploymentUtilities.h" +#include "str.h" extern LogFunction sLog; +// The status code of flag 'disable_vmware_customization' +typedef enum DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE { + DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET = 0, + DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_TRUE, + DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE, +} DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE; + +// Private functions +static DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE +GetDisableVMwareCustomizationFlagStatus(const char* cloudInitConfigFilePath); +static int +FilterCfgExt(const struct dirent *dir); + /** *---------------------------------------------------------------------------- * - * IsCloudInitEnabled + * IsCloudInitCustomizationEnabled * - * Function to determine if cloud-init is enabled. + * Function to determine if cloud-init customization workflow is enabled. * Essentially it does - * - read a cloud-init config file - * - Find if a particular flag is enabled or disabled. + * - Read all cloud-init configuration files under /etc/cloud/cloud.cfg.d/ + * - Read the cloud-init configuration file /etc/cloud/cloud.cfg + * - Find if a particular flag is enabled or disabled + * - Particularly, the value of flag in files under /etc/cloud/cloud.cfg.d/ + * has higher priority than the one in file /etc/cloud/cloud.cfg, and the + * value of flag in file listed behind in alphabetical sort under + * /etc/cloud/cloud.cfg.d/ has higher priority than the one in file listed + * in front * - * @param [IN] cloudFilePath path of the cloud-init config file - * @returns TRUE if disable_vmware_customization is false and FALSE otherwise. 
+ * @returns TRUE if value of the flag 'disable_vmware_customization' is false + * FALSE otherwise * *---------------------------------------------------------------------------- **/ bool -IsCloudInitEnabled(const char *cloudFilePath) +IsCloudInitCustomizationEnabled() { - bool isEnabled = false; - FILE *cloudFile; - char line[256]; - regex_t regex; - const char *cloudInitRegex = - "^\\s*disable_vmware_customization\\s*:\\s*false\\s*$"; - int reti; - - sLog(log_info, "Checking if cloud.cfg exists and if cloud-init is enabled."); - cloudFile = fopen(cloudFilePath, "r"); - if (cloudFile == NULL) { - sLog(log_info, "Could not open file: %s", strerror(errno)); - return isEnabled; - } - - reti = regcomp(®ex, cloudInitRegex, 0); - if (reti != 0) { - char buf[256]; - regerror(reti, ®ex, buf, sizeof(buf)); - sLog(log_error, "Error compiling regex for cloud-init flag: %s", buf); - goto done; - } - - while (fgets(line, sizeof(line), cloudFile) != NULL) { - if (regexec(®ex, line, 0, NULL, 0) == 0) { - isEnabled = true; - break; + DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE flagStatus = + DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET; + static const char cloudInitBaseConfigFilePath[] = "/etc/cloud/cloud.cfg"; + static const char cloudInitConfigDirPath[] = "/etc/cloud/cloud.cfg.d/"; + struct dirent **fileList; + int i, fileCount; + size_t filePathLength; + char *filePath = NULL; + + sLog(log_info, "Checking if cloud-init customization is enabled."); + fileCount = + scandir(cloudInitConfigDirPath, &fileList, FilterCfgExt, alphasort); + if (fileCount < 0) { + sLog(log_warning, "Could not scan directory %s, error: %s.", + cloudInitConfigDirPath, strerror(errno)); + } else { + for (i = fileCount - 1; i >= 0; i--) { + filePathLength = Str_Strlen(cloudInitConfigDirPath, PATH_MAX) + + Str_Strlen(fileList[i]->d_name, FILENAME_MAX) + 1; + filePath = malloc(filePathLength); + if (filePath == NULL) { + sLog(log_warning, "Error allocating memory to copy '%s'.", + cloudInitConfigDirPath); + 
break; + } + Str_Strcpy(filePath, cloudInitConfigDirPath, filePathLength); + Str_Strcat(filePath, fileList[i]->d_name, filePathLength); + flagStatus = GetDisableVMwareCustomizationFlagStatus(filePath); + free(filePath); + filePath = NULL; + if (flagStatus != DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET) { + break; + } + } + for (i = 0; i < fileCount; i++) { + free(fileList[i]); } } - if (ferror(cloudFile) != 0) { - sLog(log_warning, "Error reading file: %s", strerror(errno)); - isEnabled = false; + free(fileList); + + if (flagStatus == DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET) { + flagStatus = + GetDisableVMwareCustomizationFlagStatus(cloudInitBaseConfigFilePath); } - regfree(®ex); -done: - fclose(cloudFile); - return isEnabled; + return (flagStatus == DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE); } /** @@ -113,7 +142,7 @@ sLog(log_info, "Check if custom script(pre/post customization) exists."); tempDir = opendir(dirPath); if (tempDir == NULL) { - sLog(log_warning, "Could not open directory %s: error: %s", dirPath, + sLog(log_warning, "Could not open directory %s: error: %s.", dirPath, strerror(errno)); return scriptName; } @@ -123,7 +152,7 @@ char buf[256]; regerror(regRet, &scriptRegex, buf, sizeof(buf)); - sLog(log_error, "Error compiling regex for custom script: %s", buf); + sLog(log_error, "Error compiling regex for custom script: %s.", buf); goto done; } @@ -131,7 +160,7 @@ if (regexec(&scriptRegex, dir->d_name, 0, NULL, 0) == 0) { scriptName = strdup(dir->d_name); if (scriptName == NULL) { - sLog(log_warning, "Could not allocate memory for scriptName: %s", + sLog(log_warning, "Could not allocate memory for scriptName: %s.", strerror(errno)); break; } 
@@ -145,3 +174,106 @@ return scriptName; } +/** + *---------------------------------------------------------------------------- + * + * GetDisableVMwareCustomizationFlagStatus + * + * Function to get status code of the flag 'disable_vmware_customization' from + * a cloud-init config file. + * Essentially it does + * - Read a cloud-init config file + * - Get status code of the flag according to its value + * + * @param [IN] cloudInitConfigFilePath path of a cloud-int config file + * @returns The status code of this particular flag + * + *---------------------------------------------------------------------------- + **/ +static DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE +GetDisableVMwareCustomizationFlagStatus(const char* cloudInitConfigFilePath) +{ + DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE flagStatus = + DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET; + FILE *cloudInitConfigFile; + char line[256]; + regex_t regex; + size_t maxGroups = 2, flagValueLength = 0; + regmatch_t groupArray[maxGroups]; + const char *flagPattern = + "^\\s*disable_vmware_customization\\s*:\\s*(true|false)\\s*$"; + int reti; + + cloudInitConfigFile = fopen(cloudInitConfigFilePath, "r"); + if (cloudInitConfigFile == NULL) { + sLog(log_warning, "Could not open file: %s.", strerror(errno)); + return flagStatus; + } + + reti = regcomp(®ex, flagPattern, REG_EXTENDED); + if (reti != 0) { + char buf[256]; + regerror(reti, ®ex, buf, sizeof(buf)); + sLog(log_error, "Error compiling regex for cloud-init flag: %s.", buf); + goto done; + } + + while (fgets(line, sizeof(line), cloudInitConfigFile) != NULL) { + if (regexec(®ex, line, maxGroups, groupArray, 0) == 0) { + flagValueLength = groupArray[1].rm_eo - groupArray[1].rm_so; + if (flagValueLength > 0) { + char flagValue[flagValueLength + 1]; + Str_Strncpy(flagValue, flagValueLength + 1, + line + groupArray[1].rm_so, flagValueLength); + sLog(log_info, + "Flag 'disable_vmware_customization' set in %s with value: %s.", + cloudInitConfigFilePath, 
flagValue); + if (Str_Strequal(flagValue, "false")) { + flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE; + } else if (Str_Strequal(flagValue, "true")) { + flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_TRUE; + } + } + } + } + if (ferror(cloudInitConfigFile) != 0) { + sLog(log_warning, "Error reading file: %s.", strerror(errno)); + flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET; + } + regfree(®ex); + +done: + fclose(cloudInitConfigFile); + return flagStatus; +} + +/** + *----------------------------------------------------------------------------- + * + * FilterCfgExt + * + * Filter files with .cfg extension when calling scandir. + * + * @param [IN] dir struct dirent of a directory entry + * @returns 1 if dir is a regular file and its file extension is .cfg + * 0 otherwise + * + * ---------------------------------------------------------------------------- + **/ +static int +FilterCfgExt(const struct dirent *dir) +{ + if (!dir) + return 0; + + if (dir->d_type == DT_REG) { + const char *ext = Str_Strrchr(dir->d_name, '.'); + if ((!ext) || (ext == dir->d_name)) { + return 0; + } else if (Str_Strequal(ext, ".cfg")) { + return 1; + } + } + + return 0; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h new/open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h --- old/open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h 2023-10-26 17:39:15.000000000 +0200 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2016-2019 VMware, Inc. All rights reserved. + * Copyright (c) 2016-2019, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -24,7 +24,7 @@ #include "imgcust-common/imgcust-api.h" IMGCUST_API bool -IsCloudInitEnabled(const char* configFile); +IsCloudInitCustomizationEnabled(); IMGCUST_API char * GetCustomScript(const char* dirPath); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h --- old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h 2023-10-26 17:39:15.000000000 +0200 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2020-2021 VMware, Inc. All rights reserved. + * Copyright (C) 2020-2021,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c --- old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c 2023-10-26 17:39:15.000000000 +0200 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2020-2021 VMware, Inc. All rights reserved. + * Copyright (C) 2020-2021,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/vix/vixToolsInt.h new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/vix/vixToolsInt.h --- old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/vix/vixToolsInt.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/vix/vixToolsInt.h 2023-10-26 17:39:15.000000000 +0200 
@@ -204,9 +204,7 @@ const char *token, const char *username, char *serviceUsername, -#ifdef VMTOOLS_FS_VGAUTH_HOST_VERIFICATION Bool hostVerified, -#endif void **userToken, VGAuthUserHandle **curUserHandle); #endif // _WIN32 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/vmbackup/scriptOps.c new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/vmbackup/scriptOps.c --- old/open-vm-tools-12.3.0/open-vm-tools/services/plugins/vmbackup/scriptOps.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/services/plugins/vmbackup/scriptOps.c 2023-10-26 17:39:15.000000000 +0200 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2007-2019, 2021 VMware, Inc. All rights reserved. + * Copyright (c) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -157,7 +157,7 @@ if (File_IsFile(scripts[index].path)) { char *cmd; - if (op->state->scriptArg != NULL) { + if (op->state->scriptArg != NULL && op->state->scriptArg[0] != '\0') { cmd = Str_Asprintf(NULL, "\"%s\" %s \"%s\"", scripts[index].path, scriptOp, op->state->scriptArg); } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/services/vmtoolsd/mainPosix.c new/open-vm-tools-12.3.5/open-vm-tools/services/vmtoolsd/mainPosix.c --- old/open-vm-tools-12.3.0/open-vm-tools/services/vmtoolsd/mainPosix.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/services/vmtoolsd/mainPosix.c 2023-10-26 17:39:15.000000000 +0200 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (c) 2008-2020,2022 VMware, Inc. All rights reserved. + * Copyright (c) 2008-2020,2022-2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -28,10 +28,12 @@ #include <signal.h> #include <string.h> #include <unistd.h> +#include <fcntl.h> #include <glib/gstdio.h> #include "file.h" #include "guestApp.h" #include "hostinfo.h" +#include "su.h" #include "system.h" #include "unicode.h" #include "util.h" @@ -155,6 +157,59 @@ /** + * Tools function to set close-on-exec flg for the fd. + * + * @param[in] fd open file descriptor. + * + * @return TRUE on success, FALSE otherwise. + */ + +static gboolean +ToolsSetCloexecFlag(int fd) +{ + int flags; + + if (fd == -1) { + /* fd is not present, no need to manipulate */ + return TRUE; + } + + flags = fcntl(fd, F_GETFD, 0); + if (flags < 0) { + g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno); + return FALSE; + } + flags |= FD_CLOEXEC; + if (fcntl(fd, F_SETFD, flags) < 0) { + g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno); + return FALSE; + } + + return TRUE; +} + + +/** + * Tools function to close the fds. + */ + +static void +ToolsCloseFds(void) +{ + if (gState.ctx.blockFD != -1) { + close(gState.ctx.blockFD); + } + + /* + * uinputFD will be available only for wayland. + */ + if (gState.ctx.uinputFD != -1) { + close(gState.ctx.uinputFD); + } +} + + +/** * Tools daemon entry function. * * @param[in] argc Argument count. 
@@ -210,6 +265,27 @@ g_free(argvCopy); argvCopy = NULL; + /* + * Drops privilege to the real uid and gid of the process + * for the "vmusr" service. + */ + if (TOOLS_IS_USER_SERVICE(&gState)) { + uid_t uid = getuid(); + gid_t gid = getgid(); + + if ((Id_SetREUid(uid, uid) != 0) || + (Id_SetREGid(gid, gid) != 0)) { + g_printerr("could not drop privileges: %s", strerror(errno)); + ToolsCloseFds(); + goto exit; + } + if (!ToolsSetCloexecFlag(gState.ctx.blockFD) || + !ToolsSetCloexecFlag(gState.ctx.uinputFD)) { + ToolsCloseFds(); + goto exit; + } + } + if (gState.pidFile != NULL) { /* * If argv[0] is not an absolute path, make it so; all other path diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/tests/Makefile.am new/open-vm-tools-12.3.5/open-vm-tools/tests/Makefile.am --- old/open-vm-tools-12.3.0/open-vm-tools/tests/Makefile.am 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/tests/Makefile.am 2023-10-26 17:39:15.000000000 +0200 @@ -1,5 +1,5 @@ ################################################################################ -### Copyright (c) 2009-2016,2022 VMware, Inc. All rights reserved. +### Copyright (c) 2009-2016,2022,2023 VMware, Inc. All rights reserved. ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of version 2 of the GNU General Public License as diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/VGAuthProto.h new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/VGAuthProto.h --- old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/VGAuthProto.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/VGAuthProto.h 2023-10-26 17:39:15.000000000 +0200 
@@ -622,7 +622,6 @@ #define VGAUTH_REQUESTVALIDATESAMLBEARERTOKEN_ELEMENT_NAME "ValidateSamlBToken" - #define VGAUTH_VALIDATESAMLBEARERTOKEN_REQUEST_FORMAT \ VGAUTH_REQUEST_FORMAT_START \ "<"VGAUTH_REQUESTNAME_ELEMENT_NAME">"VGAUTH_REQUESTVALIDATESAMLBEARERTOKEN_ELEMENT_NAME"</"VGAUTH_REQUESTNAME_ELEMENT_NAME">" \ @@ -632,7 +631,6 @@ "<"VGAUTH_HOST_VERIFIED_ELEMENT_NAME">%s</"VGAUTH_HOST_VERIFIED_ELEMENT_NAME">" \ VGAUTH_REQUEST_FORMAT_END - #define VGAUTH_VALIDATESAMLBEARERTOKEN_REPLY_FORMAT_START \ VGAUTH_REPLY_FORMAT_START \ "<"VGAUTH_USERNAME_ELEMENT_NAME">%s</"VGAUTH_USERNAME_ELEMENT_NAME">" \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.c new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.c --- old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.c 2023-10-26 17:39:15.000000000 +0200 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (c) 2011-2016, 2018-2019, 2021-2022 VMware, Inc. All rights reserved. + * Copyright (c) 2011-2016, 2018-2019, 2021-2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -914,3 +914,148 @@ return err; } + + +/* + * Finds a cert with a subject (if checkSubj is set) or issuer (if + * checkSUbj is unset), matching 'val' in the list + * of certs. Returns a match or NULL. + */ + +static X509 * +FindCert(GList *cList, + X509_NAME *val, + int checkSubj) +{ + GList *l; + X509 *c; + X509_NAME *v; + + l = cList; + while (l != NULL) { + c = (X509 *) l->data; + if (checkSubj) { + v = X509_get_subject_name(c); + } else { + v = X509_get_issuer_name(c); + } + if (X509_NAME_cmp(val, v) == 0) { + return c; + } + l = l->next; + } + return NULL; +} + + +/* + ****************************************************************************** + * CertVerify_CheckForUnrelatedCerts -- */ /** + * + * Looks over a list of certs. If it finds that they are not all + * part of the same chain, returns failure. + * + * @param[in] numCerts The number of certs in the chain. + * @param[in] pemCerts The chain of certificates to verify. + * + * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found. + * + ****************************************************************************** + */ + +VGAuthError +CertVerify_CheckForUnrelatedCerts(int numCerts, + const char **pemCerts) +{ + VGAuthError err = VGAUTH_E_FAIL; + int chainLen = 0; + int i; + X509 **certs = NULL; + GList *rawList = NULL; + X509 *baseCert; + X509 *curCert; + X509_NAME *subject; + X509_NAME *issuer; + + /* common single cert case; nothing to do */ + if (numCerts == 1) { + return VGAUTH_E_OK; + } + + /* convert all PEM to X509 objects */ + certs = g_malloc0(numCerts * sizeof(X509 *)); + for (i = 0; i < numCerts; i++) { + certs[i] = CertStringToX509(pemCerts[i]); + if (NULL == certs[i]) { + g_warning("%s: failed to convert cert to X509\n", __FUNCTION__); + goto done; + } + } + + /* choose the cert to start the chain. 
shouldn't matter which */ + baseCert = certs[0]; + + /* put the rest into a list */ + for (i = 1; i < numCerts; i++) { + rawList = g_list_append(rawList, certs[i]); + } + + /* now chase down to a leaf, looking for certs the baseCert issued */ + subject = X509_get_subject_name(baseCert); + while ((curCert = FindCert(rawList, subject, 0)) != NULL) { + /* pull it from the list */ + rawList = g_list_remove(rawList, curCert); + /* set up the next find */ + subject = X509_get_subject_name(curCert); + } + + /* + * walk up to the root cert, by finding a cert where the + * issuer equals the subject of the current + */ + issuer = X509_get_issuer_name(baseCert); + while ((curCert = FindCert(rawList, issuer, 1)) != NULL) { + /* pull it from the list */ + rawList = g_list_remove(rawList, curCert); + /* set up the next find */ + issuer = X509_get_issuer_name(curCert); + } + + /* + * At this point, anything on the list should be certs that are not part + * of the chain that includes the original 'baseCert'. + * + * For a valid token, the list should be empty. + */ + chainLen = g_list_length(rawList); + if (chainLen != 0 ) { + GList *l; + + g_warning("%s: %d unrelated certs found in list\n", + __FUNCTION__, chainLen); + + /* debug helper */ + l = rawList; + while (l != NULL) { + X509* c = (X509 *) l->data; + char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0); + + g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s); + free(s); + l = l->next; + } + + goto done; + } + + g_debug("%s: Success! 
no unrelated certs found\n", __FUNCTION__); + err = VGAUTH_E_OK; + +done: + g_list_free(rawList); + for (i = 0; i < numCerts; i++) { + X509_free(certs[i]); + } + g_free(certs); + return err; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.h new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.h --- old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.h 2023-10-26 17:39:15.000000000 +0200 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2011-2016, 2020 VMware, Inc. All rights reserved. + * Copyright (C) 2011-2016, 2020, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -67,6 +67,10 @@ size_t signatureLen, const unsigned char *signature); + +VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts, + const char **pemCerts); + gchar * CertVerify_StripPEMCert(const gchar *pemCert); gchar * CertVerify_CertToX509String(const gchar *pemCert); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/prefs.h new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/prefs.h --- old/open-vm-tools-12.3.0/open-vm-tools/vgauth/common/prefs.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/vgauth/common/prefs.h 2023-10-26 17:39:15.000000000 +0200 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2011-2019 VMware, Inc. All rights reserved. + * Copyright (C) 2011-2019,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -136,6 +136,8 @@ #define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir" /** The number of seconds slack allowed in either direction in SAML token date checks. */ #define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment" +/** If unrelated certificates are allowed in a SAML token */ +#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts" /** Ticket group name. */ #define VGAUTH_PREF_GROUP_NAME_TICKET "ticket" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/vgauth/public/VGAuthAuthentication.h new/open-vm-tools-12.3.5/open-vm-tools/vgauth/public/VGAuthAuthentication.h --- old/open-vm-tools-12.3.0/open-vm-tools/vgauth/public/VGAuthAuthentication.h 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/vgauth/public/VGAuthAuthentication.h 2023-10-26 17:39:15.000000000 +0200 @@ -198,7 +198,7 @@ #define VGAUTH_PARAM_VALIDATE_INFO_ONLY "validateInfoOnly" -# define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified" +#define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified" VGAuthError VGAuth_ValidateSamlBearerToken(VGAuthContext *ctx, const char *samlToken, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c new/open-vm-tools-12.3.5/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c --- old/open-vm-tools-12.3.0/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c 2023-10-26 17:39:15.000000000 +0200 
@@ -49,6 +49,7 @@ #include "vmxlog.h" static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS; +static gboolean gAllowUnrelatedCerts = FALSE; static xmlSchemaPtr gParsedSchemas = NULL; static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL; @@ -369,6 +370,10 @@ VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS); Log("%s: Allowing %d of clock skew for SAML date validation\n", __FUNCTION__, gClockSkewAdjustment); + gAllowUnrelatedCerts = Pref_GetBool(gPrefs, + VGAUTH_PREF_ALLOW_UNRELATED_CERTS, + VGAUTH_PREF_GROUP_NAME_SERVICE, + FALSE); } @@ -1697,6 +1702,15 @@ return VGAUTH_E_AUTHENTICATION_DENIED; } + if (!gAllowUnrelatedCerts) { + err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain); + if (err != VGAUTH_E_OK) { + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "Unrelated certs found in SAML token, failing\n"); + return VGAUTH_E_AUTHENTICATION_DENIED; + } + } + subj.type = SUBJECT_TYPE_NAMED; subj.name = *subjNameOut; err = ServiceVerifyAndCheckTrustCertChainForSubject(num, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/open-vm-tools-12.3.0/open-vm-tools/vmware-user-suid-wrapper/main.c new/open-vm-tools-12.3.5/open-vm-tools/vmware-user-suid-wrapper/main.c --- old/open-vm-tools-12.3.0/open-vm-tools/vmware-user-suid-wrapper/main.c 2023-08-31 16:38:59.000000000 +0200 +++ new/open-vm-tools-12.3.5/open-vm-tools/vmware-user-suid-wrapper/main.c 2023-10-26 17:39:15.000000000 +0200 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2007-2018 VMware, Inc. All rights reserved. + * Copyright (C) 2007-2018,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -156,8 +156,7 @@ * * Obtains the library directory from the Tools locations database, then * opens a file descriptor (while still root) to add and remove blocks, - * drops privilege to the real uid of this process, and finally starts - * vmware-user. + * and finally starts vmware-user. * * Results: * Parent: TRUE on success, FALSE on failure. @@ -173,8 +172,6 @@ StartVMwareUser(char *const envp[]) { pid_t pid; - uid_t uid; - gid_t gid; int blockFd = -1; char blockFdStr[8]; int uinputFd = -1; @@ -191,8 +188,8 @@ } /* - * Now create a child process, obtain a file descriptor as root, downgrade - * privilege, and run vmware-user. + * Now create a child process, obtain a file descriptor as root and + * run vmware-user. */ pid = fork(); if (pid == -1) { @@ -229,23 +226,6 @@ } } - uid = getuid(); - gid = getgid(); - - if ((setreuid(uid, uid) != 0) || - (setregid(gid, gid) != 0)) { - Error("could not drop privileges: %s\n", strerror(errno)); - if (blockFd != -1) { - close(blockFd); - } - if (useWayland) { - if (uinputFd != -1) { - close(uinputFd); - } - } - return FALSE; - } - /* * Since vmware-user provides features that don't depend on vmblock, we * invoke vmware-user even if we couldn't obtain a file descriptor or we
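Review bot: in the linuxDeploymentUtilities.c hunk (@@ -145,3 +174,106 @@), the pattern `^\\s*disable_vmware_customization\\s*:\\s*(true|false)\\s*$` relies on `\s`, which is a GNU extension rather than part of POSIX ERE; `[[:space:]]` is the portable spelling and behaves the same under glibc. Two smaller points in the same function: the type name is spelled DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE while the enumerators are spelled CUSTOMIZATION, and the "Could not open file" warning logs only strerror(errno), so adding cloudInitConfigFilePath to that message would make the log actionable when several .cfg files are scanned. `regmatch_t groupArray[maxGroups]` is a VLA because maxGroups is a plain variable; an enum or #define constant gives a fixed-size array.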
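Review bot: `dir->d_type == DT_REG` in FilterCfgExt (same linuxDeploymentUtilities.c hunk) silently drops every entry on filesystems that report DT_UNKNOWN, which d_type is allowed to do, so on such a filesystem no .cfg file is found and the flag reads as unset with no diagnostic. Treat DT_UNKNOWN as a candidate and confirm with stat() on the full path, or at least accept DT_UNKNOWN alongside DT_REG, and note in the doc comment that the extension match is case-sensitive.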
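Review bot: in the linuxDeploymentUtilities.h hunk the new prototype `IsCloudInitCustomizationEnabled();` declares a function with an unspecified argument list in C; write `IsCloudInitCustomizationEnabled(void);` so that a caller passing arguments is rejected at compile time and the declaration is a real prototype.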
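Review bot: in the vixToolsInt.h hunk, removing `#ifdef VMTOOLS_FS_VGAUTH_HOST_VERIFICATION` around `Bool hostVerified` makes the parameter unconditional in the prototype; the definition and its callers are not in this excerpt, so check that they lost the same `#ifdef` in this change, otherwise builds without that define get a prototype mismatch. This header's copyright line was also not bumped to 2023, unlike the other touched files.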
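Review bot: in the scriptOps.c hunk (@@ -157,7 +157,7 @@), the added `op->state->scriptArg[0] != '\0'` condition correctly avoids appending an empty quoted argument; note though that the command is still assembled with `"\"%s\" %s \"%s\""` and scriptArg is inserted verbatim, so a double quote inside scriptArg would end the quoting early. If scriptArg is validated before it reaches here, a one-line comment saying where would save the next reviewer the same question; if not, escaping it or passing it as a separate argv element would be the robust fix.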
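Review bot: in the mainPosix.c hunk adding ToolsSetCloexecFlag (@@ -155,6 +157,59 @@), both g_printerr calls print errno with `%u`, but errno is an int; use `%d` or, better, `strerror(errno)` as the privilege-drop message in main does, and end the messages with `\n` since g_printerr adds none. Also "flg" in the doc comment should be "flag", and ToolsCloseFds closes blockFD and uinputFD without resetting them to -1, so a later `!= -1` check would pass on a closed descriptor; reset them after close().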
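Review bot: in the mainPosix.c main hunk (@@ -210,6 +265,27 @@), the privilege drop calls Id_SetREUid before Id_SetREGid; the usual order is group first, user second, because once the effective uid is unprivileged a subsequent change of the real or effective gid may no longer be permitted. Swapping the two calls keeps the `goto exit` error path unchanged. Checking geteuid()/getegid() afterwards before continuing is a cheap belt-and-braces confirmation that the drop took effect, and the "could not drop privileges" message lacks a trailing newline.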
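Review bot: in the certverify.c hunk (@@ -914,3 +914,148 @@), CertVerify_CheckForUnrelatedCerts guards numCerts == 1 but not numCerts <= 0: with numCerts == 0, g_malloc0(0) returns NULL and `baseCert = certs[0]` dereferences it, so add an early `if (numCerts < 1) return VGAUTH_E_FAIL;`. In the debug loop the buffer returned by X509_NAME_oneline(..., NULL, 0) is released with free(); OpenSSL documents that it must be released with OPENSSL_free(). Because FindCert returns the first name match, two certificates sharing a subject (a duplicate, or a cross-signed issuer) would leave one on the list and fail an otherwise valid token; a comment saying that this is name-based structure checking only, with signature validation left to ServiceVerifyAndCheckTrustCertChainForSubject, would make the intent clear. Minor: "checkSUbj" in the FindCert comment, and `chainLen != 0 )` has a stray space.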
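Review bot: in the prefs.h hunk, the doc comment for VGAUTH_PREF_ALLOW_UNRELATED_CERTS says only "If unrelated certificates are allowed in a SAML token"; state the default (FALSE, per the Pref_GetBool call in saml-xmlsec1.c) and that enabling it skips CertVerify_CheckForUnrelatedCerts entirely, so an administrator reading the pref list understands the setting relaxes token validation.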
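Review bot: in the saml-xmlsec1.c hunks, when gAllowUnrelatedCerts is TRUE the CertVerify_CheckForUnrelatedCerts call is skipped with no log line, whereas the neighbouring clock-skew setting is logged at startup; log the value of allowUnrelatedCerts next to the "Allowing %d of clock skew" message, and ideally emit a VMXLog warning at validation time when the check is bypassed, so that a relaxed configuration is visible in guest and host logs.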
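Review bot: in the vmware-user-suid-wrapper main.c hunks, with the setreuid/setregid block removed the child now execs vmware-user while still privileged, and the drop has moved to vmtoolsd's TOOLS_IS_USER_SERVICE block in mainPosix.c; the rewritten comment ("obtain a file descriptor as root and run vmware-user") should say so explicitly, so a reader of the wrapper knows the executed binary is expected to drop privileges itself and that the wrapper must only ever exec that binary.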