Bug#926481: stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2

2019-05-25 Thread Bernd Zeimetz
Hi Salvatore,

On 4/26/19 10:06 PM, Salvatore Bonaccorso wrote:
> Hi Bernd,
> 
> On Sat, Apr 13, 2019 at 09:56:16PM +0100, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>>
>> On Fri, 2019-04-05 at 23:15 +0200, Bernd Zeimetz wrote:
>>> as discussed with the security team, I'd like to fix #925959
>>> with the next stable point release. The proposed debdiff is attached.
>>>
>>
>> Please go ahead.
> 
> Did you see the ack from Adam? It is now unfortunately too late
> for this upcoming point release, but would then be possible for the
> next one.

yes, unfortunately I was pretty busy, so it took some time :(

Uploaded a few seconds ago.

Bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Bug#926481: stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2

2019-04-26 Thread Salvatore Bonaccorso
Hi Bernd,

On Sat, Apr 13, 2019 at 09:56:16PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2019-04-05 at 23:15 +0200, Bernd Zeimetz wrote:
> > as discussed with the security team, I'd like to fix #925959
> > with the next stable point release. The proposed debdiff is attached.
> > 
> 
> Please go ahead.

Did you see the ack from Adam? It is now unfortunately too late
for this upcoming point release, but would then be possible for the
next one.

Regards,
Salvatore



Bug#926481: stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2

2019-04-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2019-04-05 at 23:15 +0200, Bernd Zeimetz wrote:
> as discussed with the security team, I'd like to fix #925959
> with the next stable point release. The proposed debdiff is attached.
> 

Please go ahead.

Regards,

Adam



Processed: Re: Bug#926481: stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2

2019-04-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #926481 [release.debian.org] stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2
Added tag(s) confirmed.

-- 
926481: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#926481: stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2

2019-04-05 Thread Bernd Zeimetz
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

as discussed with the security team, I'd like to fix #925959
with the next stable point release. The proposed debdiff is attached.


Please let me know if it's okay to upload.

Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff --git a/debian/changelog b/debian/changelog
index 0be9f865..9b8f4cbb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+open-vm-tools (2:10.1.5-5055683-4+deb9u2) stable; urgency=medium
+
+  * [34db05f] /tmp/VMwareDnD permissions security fix.
+Fix possible security issue with the permissions of the intermediate
+staging directory and path
+/tmp/VMwareDnD is a staging directory used for DnD and CnP.  It should be
+a regular directory, but malicious code or user may create the 
/tmp/VMwareDnD
+as a symbolic link which points elsewhere on the system.  This may provide
+user access to user B's files.
+Do not set the permission of the root directory if the root directory
+already exists and has the wrong permission.  The permission of the 
directory
+must be 1777 if it is created by the VMToolsi.  If not, then the directory
+has been created or modified by malicious code or user, so just cancel the
+host to guest DnD or CnP operation. (Closes: #925959)
+
+ -- Bernd Zeimetz   Fri, 05 Apr 2019 23:10:04 +0200
+
 open-vm-tools (2:10.1.5-5055683-4+deb9u1) stretch; urgency=medium
 
   * [dec8df6] Upstream fix for CVE-2015-5191 (Closes: #869633)
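
Review bot: the header line of the new entry targets "stable", while the previous update (+deb9u1) directly below it targets "stretch"; for consistency with that entry and with the stretch-pu request, suggest "open-vm-tools (2:10.1.5-5055683-4+deb9u2) stretch; urgency=medium". The description also carries two slips from the copied text, "VMToolsi" and "This may provide user access to user B's files" (which reads as though a word is missing), and they are worth tidying in the changelog even if the patch header keeps the upstream wording.
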
diff --git 
a/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch 
b/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
new file mode 100644
index ..43daed8a
--- /dev/null
+++ 
b/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
@@ -0,0 +1,54 @@
+commit e88f91b00a715b79255de6576506d80ecfdb064c
+Author: Oliver Kurth 
+Date:   Tue Jan 29 14:03:19 2019 -0800
+
+Fix possible security issue with the permissions of the intermediate
+staging directory and path
+
+/tmp/VMwareDnD is a staging directory used for DnD and CnP.  It should be
+a regular directory, but malicious code or user may create the 
/tmp/VMwareDnD
+as a symbolic link which points elsewhere on the system.  This may provide
+user access to user B's files.
+
+Do not set the permission of the root directory if the root directory
+already exists and has the wrong permission.  The permission of the 
directory
+must be 1777 if it is created by the VMToolsi.  If not, then the directory
+has been created or modified by malicious code or user, so just cancel the
+host to guest DnD or CnP operation.
+
+--- a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
 b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
+@@ -276,12 +276,11 @@ DnDCreateRootStagingDirectory(void)
+}
+ 
+if (File_Exists(root)) {
+-  if (!DnDRootDirUsable(root) &&
+-  !DnDSetPermissionsOnRootDir(root)) {
++  if (!DnDRootDirUsable(root)) {
+  /*
+-  * The directory already exists and its permissions are wrong and
+-  * cannot be set, so there's not much we can do.
++  * The directory already exists and its permissions are wrong.
+   */
++ Log("%s: The root dir is not usable.\n", __FUNCTION__);
+  return NULL;
+   }
+} else {
+--- a/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c
 b/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c
+@@ -318,12 +318,11 @@ CreateApparentRootDirectory(void)
+}
+ 
+if (File_Exists(root)) {
+-  if (   !DnDRootDirUsable(root)
+-  && !DnDSetPermissionsOnRootDir(root)) {
++  if (!DnDRootDirUsable(root)) {
+  /*
+-  * The directory already exists and its permissions are wrong and
+-  * cannot be set, so there's not much we can do.
++  * The directory already exists and its permissions are wrong.
+   */
++ Log_Trivia("dnd: The root dir is not usable.\n");
+  return NULL;
+   }
+} else {
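
Review bot: in both dndCommon.c and dndXdg.c the existing-directory branch now rests entirely on DnDRootDirUsable(root), whose body is not part of this patch. The commit message's concern is /tmp/VMwareDnD being a symbolic link, so please confirm that this check does not follow links and compares the mode against 1777; otherwise removing the DnDSetPermissionsOnRootDir() call does not by itself cover the described case. Separately, the refusal is logged with Log() and __FUNCTION__ in dndCommon.c but with Log_Trivia() and a fixed "dnd:" prefix in dndXdg.c; using the same call in both places would make a cancelled DnD or CnP operation equally visible on either code path. The patch header also has no Origin or Bug-Debian field; adding them (the changelog closes #925959) would help later tracking.
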
diff --git a/debian/patches/series b/debian/patches/series
index 2c8fbff7..58f5849b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ from_arch/0001-Fix-vmxnet-module-on-kernels-3.16.patch
 debian/enable_vmhgfs-fuse_by_default
 debian/vmxnet_fix_kernel_4.7.patch
 debian/cve-2015-5191.patch
+e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
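
Review bot: the new series entry sits at the top level of debian/patches and is named after the upstream commit hash, while the neighbouring entries are grouped under from_arch/ or debian/ with descriptive names such as "debian/cve-2015-5191.patch". Consider placing and naming it the same way so the series file stays readable; the hash is already recorded in the patch header.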