Accepting request 1108317 from home:kallan:branches:Virtualization:VMware

- Fix (bsc#1214566) - (CVE-2023-20900) - VUL-0: CVE-2023-20900: open-vm-tools: SAML token signature bypass vulnerability + Add patch: CVE-20230-20900.patch OBS-URL: https://build.opensuse.org/request/show/1108317 OBS-URL: https://build.opensuse.org/package/show/Virtualization:VMware/open-vm-tools?expand=0&rev=440
2023-08-31 17:21:44 +00:00 · 2023-08-31 17:21:44 +00:00 · 79ad92f6bb
commit 79ad92f6bb
parent fe7306e787
3 changed files with 43 additions and 0 deletions
--- a/CVE-20230-20900.patch
+++ b/CVE-20230-20900.patch
@ -0,0 +1,34 @@
+From eb4f36dfeb8b89443f7d5ade03316ba49a295eee Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Fri, 18 Aug 2023 11:23:53 -0700
+Subject: [PATCH] Address CVE-2023-20900
+
+VGAuth: Allow only X509 certs to verify the SAML token signature.
+
+---
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index f5541a9..0b2a945 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
+     */
+    bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
+    if (bRet == FALSE) {
+-      g_warning("failed to register ID\n");
+      g_warning("Failed to register ID\n");
+      goto done;
+   }
+
+   /* Use only X509 certs to validate the signature */
+   if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
+                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
+      g_warning("Failed to limit allowed key data\n");
+       goto done;
+    }
+ 
+-- 
+2.6.2
+
--- a/open-vm-tools.changes
+++ b/open-vm-tools.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 28 15:10:27 UTC 2023 - Kirk Allan <kallan@suse.com>
+
+- Fix (bsc#1214566) - (CVE-2023-20900) - VUL-0: CVE-2023-20900:
+  open-vm-tools: SAML token signature bypass vulnerability
+  + Add patch: CVE-20230-20900.patch
+
 -------------------------------------------------------------------
 Tue Jun 27 19:54:05 UTC 2023 - Dirk Müller <dmueller@suse.com>

--- a/open-vm-tools.spec
+++ b/open-vm-tools.spec
@ -156,6 +156,7 @@ ExclusiveArch:  %ix86 x86_64 aarch64
 Patch2:         0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch
 Patch3:         0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch
 Patch4:         2023-20867-Remove-some-dead-code.patch
+Patch5:         CVE-20230-20900.patch

 #SUSE specific patches
 Patch0:         pam-vmtoolsd.patch
@ -261,6 +262,7 @@ sed -i -e "s/\r//" README
 %patch2 -p2
 %patch3 -p2
 %patch4 -p2
+%patch5 -p2

 #SUSE specific patches
 %patch0 -p2