Accepting request 1109309 from home:kallan:branches:Virtualization:VMware
- Update to 12.3.0 (build 22234872) (boo#1214850) - There are no new features in the open-vm-tools 12.3.0 release. This is primarily a maintenance release that addresses a few critical problems, including: - This release integrates the fix for CVE-2023-20900 without the need for a separate patch. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. - A tools.conf configuration setting is available to temporarily direct Linux quiesced snapshots to restore the pre-open-vm-tools-12.2.0 behavior of ignoring file systems that are already frozen. - Building of the VMware Guest Authentication Service (VGAuth) using "xml-security-c" and "xerces-c" is being deprecated. - A number of Coverity-reported issues have been addressed. - A number of GitHub issues and pull requests have been handled. Please see the Resolved Issues section of the Release Notes. - For issues resolved in this release, see the Resolved Issues section of the Release Notes. - For complete details, see: https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.0 - Release Notes are available at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/ReleaseNotes.md - The granular changes that have gone into the 12.3.0 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog - Fix (bsc#1205927) - hv_vmbus module is loaded unnecessarily in VMware guests - jsc-PED-1344 - re-enable building the containerinfo plugin for SLES 15 SP4. - Drop patches now contained in 12.3.0: + 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch + 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch OBS-URL: https://build.opensuse.org/request/show/1109309 OBS-URL: https://build.opensuse.org/package/show/Virtualization:VMware/open-vm-tools?expand=0&rev=442
This commit is contained in:
parent
79ad92f6bb
commit
da0d25dcbe
@ -1,162 +0,0 @@
|
||||
From 50d7dc0102751808823640321ec1da5d34811978 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: Wed, 3 May 2023 00:48:14 +0200
|
||||
Subject: [PATCH 1/2] build: put -l specifiers into LIBADD, not LDFLAGS
|
||||
References: https://github.com/vmware/open-vm-tools/pull/664
|
||||
|
||||
Linking order matters.
|
||||
LDFLAGS is the *totally* *wrong* place for -l.
|
||||
Replace by LDLIBS / xxx_LDADD / xxx_LIBADD.
|
||||
---
|
||||
open-vm-tools/libDeployPkg/Makefile.am | 3 +--
|
||||
open-vm-tools/libappmonitor/Makefile.am | 6 ++----
|
||||
open-vm-tools/libguestStoreClient/Makefile.am | 2 +-
|
||||
open-vm-tools/libguestlib/Makefile.am | 6 ++----
|
||||
open-vm-tools/libhgfs/Makefile.am | 2 +-
|
||||
open-vm-tools/libvmtools/Makefile.am | 2 +-
|
||||
open-vm-tools/services/plugins/containerInfo/Makefile.am | 6 +++---
|
||||
open-vm-tools/tests/testVmblock/Makefile.am | 4 ++--
|
||||
open-vm-tools/vgauth/lib/Makefile.am | 2 +-
|
||||
9 files changed, 14 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/open-vm-tools/libDeployPkg/Makefile.am b/open-vm-tools/libDeployPkg/Makefile.am
|
||||
index 15728126..5f080744 100644
|
||||
--- a/open-vm-tools/libDeployPkg/Makefile.am
|
||||
+++ b/open-vm-tools/libDeployPkg/Makefile.am
|
||||
@@ -36,10 +36,9 @@ libDeployPkg_la_SOURCES += processPosix.c
|
||||
libDeployPkg_la_SOURCES += linuxDeploymentUtilities.c
|
||||
libDeployPkg_la_SOURCES += linuxDeploymentUtilities.h
|
||||
|
||||
-libDeployPkg_la_LDFLAGS =
|
||||
# We require GCC, so we're fine passing compiler-specific flags.
|
||||
# Needed for OS's that don't link shared libraries against libc by default, e.g. FreeBSD
|
||||
-libDeployPkg_la_LDFLAGS += -Wl,-lc
|
||||
+libDeployPkg_la_LIBADD += -lc
|
||||
|
||||
libDeployPkg_includedir = $(includedir)/libDeployPkg
|
||||
|
||||
diff --git a/open-vm-tools/libappmonitor/Makefile.am b/open-vm-tools/libappmonitor/Makefile.am
|
||||
index 2681eb79..be6b6a30 100644
|
||||
--- a/open-vm-tools/libappmonitor/Makefile.am
|
||||
+++ b/open-vm-tools/libappmonitor/Makefile.am
|
||||
@@ -48,12 +48,10 @@ libappmonitor_la_SOURCES += $(libappmonitor_rpcchanneldir)/vsockChannel.c
|
||||
libappmonitor_la_SOURCES += $(libappmonitor_rpcchanneldir)/simpleSocket.c
|
||||
endif
|
||||
|
||||
-libappmonitor_la_LDFLAGS =
|
||||
-libappmonitor_la_LDFLAGS += -Wl,-ldl
|
||||
-libappmonitor_la_LDFLAGS += -Wl,-lrt
|
||||
+libappmonitor_la_LIBADD += -ldl -lrt
|
||||
# We require GCC, so we're fine passing compiler-specific flags.
|
||||
# Needed for OS's that don't link shared libraries against libc by default, e.g. FreeBSD
|
||||
-libappmonitor_la_LDFLAGS += -Wl,-lc
|
||||
+libappmonitor_la_LIBADD += -lc
|
||||
|
||||
libappmonitor_includedir = $(includedir)/libappmonitor
|
||||
|
||||
diff --git a/open-vm-tools/libguestStoreClient/Makefile.am b/open-vm-tools/libguestStoreClient/Makefile.am
|
||||
index adf69309..2dee8e7b 100644
|
||||
--- a/open-vm-tools/libguestStoreClient/Makefile.am
|
||||
+++ b/open-vm-tools/libguestStoreClient/Makefile.am
|
||||
@@ -33,4 +33,4 @@ libguestStoreClient_la_LDFLAGS =
|
||||
libguestStoreClient_la_LDFLAGS += -Wl,-z,defs
|
||||
# Needed for OS's that don't link shared libraries against libc by
|
||||
#default, e.g. FreeBSD
|
||||
-libguestStoreClient_la_LDFLAGS += -Wl,-lc
|
||||
+libguestStoreClient_la_LIBADD += -lc
|
||||
diff --git a/open-vm-tools/libguestlib/Makefile.am b/open-vm-tools/libguestlib/Makefile.am
|
||||
index d2cfb80a..5175b442 100644
|
||||
--- a/open-vm-tools/libguestlib/Makefile.am
|
||||
+++ b/open-vm-tools/libguestlib/Makefile.am
|
||||
@@ -50,12 +50,10 @@ libguestlib_la_SOURCES += $(libguestlib_rpcchanneldir)/vsockChannel.c
|
||||
libguestlib_la_SOURCES += $(libguestlib_rpcchanneldir)/simpleSocket.c
|
||||
endif
|
||||
|
||||
-libguestlib_la_LDFLAGS =
|
||||
-libguestlib_la_LDFLAGS += -Wl,-ldl
|
||||
-libguestlib_la_LDFLAGS += -Wl,-lrt
|
||||
+libguestlib_la_LIBADD += -ldl -lrt
|
||||
# We require GCC, so we're fine passing compiler-specific flags.
|
||||
# Needed for OS's that don't link shared libraries against libc by default, e.g. FreeBSD
|
||||
-libguestlib_la_LDFLAGS += -Wl,-lc
|
||||
+libguestlib_la_LIBADD += -lc
|
||||
|
||||
libguestlib_includedir = $(includedir)/vmGuestLib
|
||||
|
||||
diff --git a/open-vm-tools/libhgfs/Makefile.am b/open-vm-tools/libhgfs/Makefile.am
|
||||
index 76091452..c388da75 100644
|
||||
--- a/open-vm-tools/libhgfs/Makefile.am
|
||||
+++ b/open-vm-tools/libhgfs/Makefile.am
|
||||
@@ -41,5 +41,5 @@ libhgfs_la_LDFLAGS =
|
||||
libhgfs_la_LDFLAGS += -Wl,-z,defs
|
||||
# Needed for OS's that don't link shared libraries against libc by
|
||||
#default, e.g. FreeBSD
|
||||
-libhgfs_la_LDFLAGS += -Wl,-lc
|
||||
+libhgfs_la_LIBADD += -lc
|
||||
|
||||
diff --git a/open-vm-tools/libvmtools/Makefile.am b/open-vm-tools/libvmtools/Makefile.am
|
||||
index 6da97362..a2f9a241 100644
|
||||
--- a/open-vm-tools/libvmtools/Makefile.am
|
||||
+++ b/open-vm-tools/libvmtools/Makefile.am
|
||||
@@ -89,5 +89,5 @@ libvmtools_la_LDFLAGS =
|
||||
libvmtools_la_LDFLAGS += -Wl,-z,defs
|
||||
# Needed for OS's that don't link shared libraries against libc by
|
||||
#default, e.g. FreeBSD
|
||||
-libvmtools_la_LDFLAGS += -Wl,-lc
|
||||
+libvmtools_la_LIBADD += -lc
|
||||
|
||||
diff --git a/open-vm-tools/services/plugins/containerInfo/Makefile.am b/open-vm-tools/services/plugins/containerInfo/Makefile.am
|
||||
index 488e35aa..10b4dfae 100644
|
||||
--- a/open-vm-tools/services/plugins/containerInfo/Makefile.am
|
||||
+++ b/open-vm-tools/services/plugins/containerInfo/Makefile.am
|
||||
@@ -36,7 +36,7 @@ libcontainerInfo_la_SOURCES += containerInfoInt.h
|
||||
libcontainerInfo_la_SOURCES += containerInfo.c
|
||||
|
||||
libcontainerInfo_la_SOURCES += containerInfo_docker.c
|
||||
-libcontainerInfo_la_LDFLAGS += -lcurl
|
||||
+libcontainerInfo_la_LIBADD += -lcurl
|
||||
libcontainerInfo_la_CPPFLAGS += @CURL_CPPFLAGS@
|
||||
libcontainerInfo_la_LIBADD += ../../../lib/jsmn/libJsmn.la
|
||||
|
||||
@@ -61,8 +61,8 @@ libcontainerInfo_la_SOURCES += containers.grpc.pb.cc
|
||||
libcontainerInfo_la_SOURCES += containerInfo_grpc.cc
|
||||
|
||||
libcontainerInfo_la_CPPFLAGS += @GRPC_CPPFLAGS@
|
||||
-libcontainerInfo_la_LDFLAGS += -lprotobuf
|
||||
-libcontainerInfo_la_LDFLAGS += -lgrpc++
|
||||
+libcontainerInfo_la_LIBADD += -lprotobuf
|
||||
+libcontainerInfo_la_LIBADD += -lgrpc++
|
||||
|
||||
tasks.grpc.pb.cc containers.grpc.pb.cc: %.grpc.pb.cc : %.proto %.pb.cc
|
||||
$(PROTOC) -I. -I$(GOGO_PROTOPATH) \
|
||||
diff --git a/open-vm-tools/tests/testVmblock/Makefile.am b/open-vm-tools/tests/testVmblock/Makefile.am
|
||||
index 1fd469d5..ae6c79fe 100644
|
||||
--- a/open-vm-tools/tests/testVmblock/Makefile.am
|
||||
+++ b/open-vm-tools/tests/testVmblock/Makefile.am
|
||||
@@ -29,8 +29,8 @@ AM_CFLAGS =
|
||||
AM_CFLAGS += -DVMX86_DEVEL
|
||||
AM_CFLAGS += -DVMX86_DEBUG
|
||||
|
||||
-AM_LDFLAGS =
|
||||
-AM_LDFLAGS += -lpthread
|
||||
+LDLIBS =
|
||||
+LDLIBS += -lpthread
|
||||
|
||||
vmware_testvmblock_fuse_CFLAGS = $(AM_CFLAGS) -Dvmblock_fuse
|
||||
vmware_testvmblock_fuse_SOURCES = vmblocktest.c
|
||||
diff --git a/open-vm-tools/vgauth/lib/Makefile.am b/open-vm-tools/vgauth/lib/Makefile.am
|
||||
index bce97aac..88944f19 100644
|
||||
--- a/open-vm-tools/vgauth/lib/Makefile.am
|
||||
+++ b/open-vm-tools/vgauth/lib/Makefile.am
|
||||
@@ -59,7 +59,7 @@ libvgauth_la_LDFLAGS =
|
||||
libvgauth_la_LDFLAGS += -Wl,-z,defs
|
||||
# Needed for OS's that don't link shared libraries against libc by
|
||||
#default, e.g. FreeBSD
|
||||
-libvgauth_la_LDFLAGS += -Wl,-lc
|
||||
+libvgauth_la_LIBADD += -lc
|
||||
|
||||
# Message catalogs.
|
||||
install-data-hook:
|
||||
--
|
||||
2.40.1
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 7f97b8ac1df51da902c2db05e488e52bb3068149 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: Wed, 3 May 2023 00:48:56 +0200
|
||||
Subject: [PATCH 2/2] build: use grpc++ pkgconfig to retrieve flags/libraries
|
||||
References: https://github.com/vmware/open-vm-tools/pull/664
|
||||
|
||||
When a .pc file exists, it should be used. Fixes obvious linking problems like
|
||||
|
||||
ld: .libs/libcontainerInfo_la-containers.grpc.pb.o: in function `grpc::ByteBuffer::~ByteBuffer()':
|
||||
/usr/include/grpcpp/support/byte_buffer.h:99: undefined reference to `grpc_byte_buffer_destroy'
|
||||
collect2: error: ld returned 1 exit status
|
||||
make[4]: *** [Makefile:649: libcontainerInfo.la] Error 1
|
||||
---
|
||||
open-vm-tools/configure.ac | 2 ++
|
||||
open-vm-tools/services/plugins/containerInfo/Makefile.am | 4 ++--
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/open-vm-tools/configure.ac b/open-vm-tools/configure.ac
|
||||
index 5f9a1937..fd8c2db0 100644
|
||||
--- a/open-vm-tools/configure.ac
|
||||
+++ b/open-vm-tools/configure.ac
|
||||
@@ -723,6 +723,8 @@ AC_DEFUN([AC_VMW_CONTAINERINFO_MSG],[
|
||||
[],
|
||||
[AC_VMW_CONTAINERINFO_MSG(["grpc++ >= 1.3.2"])])
|
||||
|
||||
+PKG_CHECK_MODULES([grpcxx], [grpc++ >= 1.3.2])
|
||||
+
|
||||
#
|
||||
# proto files needed by containerd grpc client.
|
||||
#
|
||||
diff --git a/open-vm-tools/services/plugins/containerInfo/Makefile.am b/open-vm-tools/services/plugins/containerInfo/Makefile.am
|
||||
index 10b4dfae..74d9c8f0 100644
|
||||
--- a/open-vm-tools/services/plugins/containerInfo/Makefile.am
|
||||
+++ b/open-vm-tools/services/plugins/containerInfo/Makefile.am
|
||||
@@ -60,9 +60,9 @@ libcontainerInfo_la_SOURCES += containers.grpc.pb.h
|
||||
libcontainerInfo_la_SOURCES += containers.grpc.pb.cc
|
||||
libcontainerInfo_la_SOURCES += containerInfo_grpc.cc
|
||||
|
||||
-libcontainerInfo_la_CPPFLAGS += @GRPC_CPPFLAGS@
|
||||
+libcontainerInfo_la_CPPFLAGS += ${grpcxx_CFLAGS}
|
||||
libcontainerInfo_la_LIBADD += -lprotobuf
|
||||
-libcontainerInfo_la_LIBADD += -lgrpc++
|
||||
+libcontainerInfo_la_LIBADD += ${grpcxx_LIBS}
|
||||
|
||||
tasks.grpc.pb.cc containers.grpc.pb.cc: %.grpc.pb.cc : %.proto %.pb.cc
|
||||
$(PROTOC) -I. -I$(GOGO_PROTOPATH) \
|
||||
--
|
||||
2.40.1
|
||||
|
@ -1,156 +0,0 @@
|
||||
From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001
|
||||
From: John Wolfe <jwolfe@vmware.com>
|
||||
Date: Mon, 8 May 2023 19:04:57 -0700
|
||||
Subject: [PATCH] Remove some dead code.
|
||||
|
||||
Address CVE-2023-20867.
|
||||
Remove some authentication types which were deprecated long
|
||||
ago and are no longer in use. These are dead code.
|
||||
---
|
||||
open-vm-tools/services/plugins/vix/vixTools.c | 102 --------------------------
|
||||
1 file changed, 102 deletions(-)
|
||||
|
||||
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
|
||||
index 9f376a7..85c5ba7 100644
|
||||
--- a/open-vm-tools/services/plugins/vix/vixTools.c
|
||||
+++ b/open-vm-tools/services/plugins/vix/vixTools.c
|
||||
@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
|
||||
#define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
|
||||
#define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
|
||||
|
||||
-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
|
||||
-
|
||||
/*
|
||||
* The switch that controls all APIs
|
||||
*/
|
||||
@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
|
||||
|
||||
void GuestAuthUnimpersonate();
|
||||
|
||||
-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
|
||||
- const char *typeName);
|
||||
-
|
||||
#if SUPPORT_VGAUTH
|
||||
|
||||
VGAuthError TheVGAuthContext(VGAuthContext **ctx);
|
||||
@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
|
||||
userToken);
|
||||
break;
|
||||
}
|
||||
- case VIX_USER_CREDENTIAL_ROOT:
|
||||
- {
|
||||
- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
|
||||
- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
|
||||
- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
|
||||
- /*
|
||||
- * Don't accept hashed shared secret if disabled.
|
||||
- */
|
||||
- g_message("%s: Requested authentication type has been disabled.\n",
|
||||
- __FUNCTION__);
|
||||
- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
- // fall through
|
||||
-
|
||||
- case VIX_USER_CREDENTIAL_CONSOLE_USER:
|
||||
- err = VixToolsImpersonateUserImplEx(NULL,
|
||||
- credentialType,
|
||||
- NULL,
|
||||
- loadUserProfile,
|
||||
- userToken);
|
||||
- break;
|
||||
case VIX_USER_CREDENTIAL_NAME_PASSWORD:
|
||||
case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
|
||||
case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
|
||||
@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
|
||||
}
|
||||
|
||||
/*
|
||||
- * If the VMX asks to be root, then we allow them.
|
||||
- * The VMX will make sure that only it will pass this value in,
|
||||
- * and only when the VM and host are configured to allow this.
|
||||
- */
|
||||
- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
|
||||
- && (thisProcessRunsAsRoot)) {
|
||||
- *userToken = PROCESS_CREATOR_USER_TOKEN;
|
||||
-
|
||||
- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
|
||||
- err = VIX_OK;
|
||||
- goto quit;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * If the VMX asks to be root, then we allow them.
|
||||
- * The VMX will make sure that only it will pass this value in,
|
||||
- * and only when the VM and host are configured to allow this.
|
||||
- *
|
||||
- * XXX This has been deprecated XXX
|
||||
- */
|
||||
- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
|
||||
- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
|
||||
- *userToken = PROCESS_CREATOR_USER_TOKEN;
|
||||
-
|
||||
- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
|
||||
- err = VIX_OK;
|
||||
- goto quit;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
* If the VMX asks us to run commands in the context of the current
|
||||
* user, make sure that the user who requested the command is the
|
||||
* same as the current user.
|
||||
@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
|
||||
/*
|
||||
*-----------------------------------------------------------------------------
|
||||
*
|
||||
- * VixToolsCheckIfAuthenticationTypeEnabled --
|
||||
- *
|
||||
- * Checks to see if a given authentication type has been
|
||||
- * disabled via the tools configuration.
|
||||
- *
|
||||
- * Return value:
|
||||
- * TRUE if enabled, FALSE otherwise.
|
||||
- *
|
||||
- * Side effects:
|
||||
- * None
|
||||
- *
|
||||
- *-----------------------------------------------------------------------------
|
||||
- */
|
||||
-
|
||||
-static Bool
|
||||
-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
|
||||
- const char *typeName) // IN
|
||||
-{
|
||||
- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
|
||||
- gboolean disabled;
|
||||
-
|
||||
- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
|
||||
- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
|
||||
- typeName);
|
||||
-
|
||||
- ASSERT(confDictRef != NULL);
|
||||
-
|
||||
- /*
|
||||
- * XXX Skip doing the strcmp() to verify the auth type since we only
|
||||
- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
|
||||
- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
|
||||
- */
|
||||
- disabled = VMTools_ConfigGetBoolean(confDictRef,
|
||||
- VIX_TOOLS_CONFIG_API_GROUPNAME,
|
||||
- authnDisabledName,
|
||||
- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
|
||||
-
|
||||
- return !disabled;
|
||||
-}
|
||||
-
|
||||
-
|
||||
-/*
|
||||
- *-----------------------------------------------------------------------------
|
||||
- *
|
||||
* VixTools_ProcessVixCommand --
|
||||
*
|
||||
*
|
||||
--
|
||||
2.6.2
|
||||
|
@ -1,34 +0,0 @@
|
||||
From eb4f36dfeb8b89443f7d5ade03316ba49a295eee Mon Sep 17 00:00:00 2001
|
||||
From: John Wolfe <jwolfe@vmware.com>
|
||||
Date: Fri, 18 Aug 2023 11:23:53 -0700
|
||||
Subject: [PATCH] Address CVE-2023-20900
|
||||
|
||||
VGAuth: Allow only X509 certs to verify the SAML token signature.
|
||||
|
||||
---
|
||||
open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
|
||||
index f5541a9..0b2a945 100644
|
||||
--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
|
||||
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
|
||||
@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
|
||||
*/
|
||||
bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
|
||||
if (bRet == FALSE) {
|
||||
- g_warning("failed to register ID\n");
|
||||
+ g_warning("Failed to register ID\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Use only X509 certs to validate the signature */
|
||||
+ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
|
||||
+ BAD_CAST xmlSecKeyDataX509Id) < 0) {
|
||||
+ g_warning("Failed to limit allowed key data\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.6.2
|
||||
|
4
_service
4
_service
@ -2,9 +2,9 @@
|
||||
<service name="tar_scm" mode="disabled">
|
||||
<param name="scm">git</param>
|
||||
<param name="url">https://github.com/vmware/open-vm-tools.git</param>
|
||||
<param name="revision">stable-12.2.0</param>
|
||||
<param name="revision">stable-12.3.0</param>
|
||||
<param name="filename">open-vm-tools</param>
|
||||
<param name="versionformat">12.2.0</param>
|
||||
<param name="versionformat">12.3.0</param>
|
||||
</service>
|
||||
<service name="recompress" mode="disabled">
|
||||
<param name="file">*.tar</param>
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ef22adf11d16a8bc675d1c73c190d178e791ee247d6cabfe78df9c56c9fae8c0
|
||||
size 1801020
|
3
open-vm-tools-12.3.0.tar.xz
Normal file
3
open-vm-tools-12.3.0.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:034abbf1dbf34425789a94cc9de2551f0ef57b799712a9a610366c25c2a07ba3
|
||||
size 1808920
|
@ -1,3 +1,42 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 6 15:52:41 UTC 2023 - Kirk Allan <kallan@suse.com>
|
||||
|
||||
- Update to 12.3.0 (build 22234872) (boo#1214850)
|
||||
- There are no new features in the open-vm-tools 12.3.0 release. This is
|
||||
primarily a maintenance release that addresses a few critical problems,
|
||||
including:
|
||||
- This release integrates CVE-2023-20900 without the need for a patch.
|
||||
For more information on this vulnerability and its impact on VMware
|
||||
products, see
|
||||
https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
|
||||
- A tools.conf configuration setting is available to temporaily direct
|
||||
Linux quiesced snaphots to restore pre open-vm-tools 12.2.0 behavior
|
||||
of ignoring file systems already frozen.
|
||||
- Building of the VMware Guest Authentication Service (VGAuth) using
|
||||
"xml-security-c" and "xerces-c" is being deprecated.
|
||||
- A number of Coverity reported issues have been addressed.
|
||||
- A number of GitHub issues and pull requests have been handled.
|
||||
Please see the Resolves Issues section of the Release Notes.
|
||||
- For issues resolved in this release, see the Resolved Issues section
|
||||
of the Release Notes.
|
||||
- For complete details, see:
|
||||
https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.0
|
||||
- Release Notes are available at
|
||||
https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/ReleaseNotes.md
|
||||
- The granular changes that have gone into the 12.3.0 release are in the
|
||||
ChangeLog at
|
||||
https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog
|
||||
|
||||
- Fix (bsc#1205927) - hv_vmbus module is loaded unnecessarily in VMware guests
|
||||
|
||||
- jsc-PED-1344 - reinable building containerinfo plugin for SLES 15 SP4.
|
||||
|
||||
- Drop patch now contained in 12.3.0:
|
||||
+ 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch
|
||||
+ 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch
|
||||
+ 2023-20867-Remove-some-dead-code.patch
|
||||
+ CVE-20230-20900.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 28 15:10:27 UTC 2023 - Kirk Allan <kallan@suse.com>
|
||||
|
||||
|
@ -38,7 +38,7 @@
|
||||
%define with_X 1
|
||||
|
||||
Name: open-vm-tools
|
||||
Version: 12.2.0
|
||||
Version: 12.3.0
|
||||
Release: 0
|
||||
Summary: Open Virtual Machine Tools
|
||||
License: BSD-3-Clause AND GPL-2.0-only AND LGPL-2.1-only
|
||||
@ -69,7 +69,7 @@ BuildRequires: pam-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: procps-devel
|
||||
BuildRequires: update-desktop-files
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150500
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150400
|
||||
BuildRequires: containerd-devel
|
||||
BuildRequires: grpc-devel
|
||||
BuildRequires: libcurl-devel
|
||||
@ -106,7 +106,11 @@ BuildRequires: pkgconfig(libudev)
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 0120300
|
||||
BuildRequires: libxml2-devel
|
||||
BuildRequires: pkgconfig(xmlsec1)
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 0150400
|
||||
Requires: libxmlsec1-openssl1 >= 1.2.37
|
||||
%else
|
||||
Requires: libxmlsec1-openssl1 >= 1.2.28
|
||||
%endif
|
||||
%define arg_xmlsec1 --enable-xmlsec1
|
||||
%else
|
||||
# Leap 42.1 and 42.2 supports xmlsec1 and libxmlsec1-openssl1 but 12 SP1 and
|
||||
@ -153,10 +157,6 @@ Obsoletes: open-vm-tools-deploypkg <= 10.0.5
|
||||
Supplements: modalias(pci:v000015ADd*sv*sd*bc*sc*i*)
|
||||
ExclusiveArch: %ix86 x86_64 aarch64
|
||||
#Upstream patches
|
||||
Patch2: 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch
|
||||
Patch3: 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch
|
||||
Patch4: 2023-20867-Remove-some-dead-code.patch
|
||||
Patch5: CVE-20230-20900.patch
|
||||
|
||||
#SUSE specific patches
|
||||
Patch0: pam-vmtoolsd.patch
|
||||
@ -243,7 +243,7 @@ Requires: libvmtools0 = %{version}
|
||||
Those are the development headers for libvmtools. They are needed
|
||||
if you intend to create own plugins for vmtoolsd.
|
||||
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150500
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150400
|
||||
%package containerinfo
|
||||
Summary: Container Info Plugin
|
||||
Group: System Environment/Libraries
|
||||
@ -259,10 +259,6 @@ This package interfaces with the container runtime to retrieve a list of contain
|
||||
# fix for an rpmlint warning regarding wrong line feeds
|
||||
sed -i -e "s/\r//" README
|
||||
#Upstream patches
|
||||
%patch2 -p2
|
||||
%patch3 -p2
|
||||
%patch4 -p2
|
||||
%patch5 -p2
|
||||
|
||||
#SUSE specific patches
|
||||
%patch0 -p2
|
||||
@ -318,6 +314,10 @@ make
|
||||
%install
|
||||
%make_install
|
||||
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150400
|
||||
mkdir -p %buildroot%_modulesloaddir
|
||||
echo vmw_vsock_vmci_transport > %buildroot%_modulesloaddir/vmw_vsock_vmci_transport.conf
|
||||
%endif
|
||||
mkdir -p %{buildroot}%{_sbindir}
|
||||
|
||||
# Remove exec bit from config files
|
||||
@ -457,7 +457,7 @@ systemctl try-restart vmtoolsd.service || :
|
||||
|
||||
%postun -n libvmtools0 -p /sbin/ldconfig
|
||||
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150500
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150400
|
||||
%post containerinfo
|
||||
systemctl try-restart vmtoolsd.service || :
|
||||
|
||||
@ -466,6 +466,9 @@ systemctl try-restart vmtoolsd.service || :
|
||||
%endif
|
||||
|
||||
%files
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150400
|
||||
%_modulesloaddir/vmw_vsock_vmci_transport.conf
|
||||
%endif
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 0120300
|
||||
%license COPYING
|
||||
%doc AUTHORS ChangeLog NEWS README
|
||||
@ -590,7 +593,7 @@ systemctl try-restart vmtoolsd.service || :
|
||||
%{_includedir}/libDeployPkg
|
||||
%{_libdir}/pkgconfig/libDeployPkg.pc
|
||||
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150500
|
||||
%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150400
|
||||
%files containerinfo
|
||||
%{_libdir}/%{name}/plugins/vmsvc/libcontainerInfo.so
|
||||
%endif
|
||||
|
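Review bot: The new `Requires: libxmlsec1-openssl1 >= 1.2.37` added for SLE 15 SP4+ (hunk `@ -106,7 +106,11 @@`) has no matching build-time floor: the `BuildRequires: pkgconfig(xmlsec1)` two lines above it is still unversioned, so a build host with an older xmlsec1 would compile the VGAuth SAML verifier against headers that do not correspond to what the package demands at run time. Either add `BuildRequires: pkgconfig(xmlsec1) >= 1.2.37` inside the same `%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 0150400` branch, or lower the runtime floor to what the build actually needs. The reason for the 1.2.37 minimum is not recorded anywhere in the diff — presumably it is tied to the X509-only signature check that VGAuth gained for CVE-2023-20900, but that cannot be confirmed from here — so a one-line comment above the `Requires`, e.g. `# xmlsec1 >= 1.2.37 needed by the VGAuth SAML signature verification (CVE-2023-20900)`, would help the next maintainer who has to bump or relax it. As a point of style, the same guard is spelled `0150400` here but `150400` in the containerinfo and modules-load guards elsewhere in this section; picking one form avoids a reader having to wonder whether the leading zero matters.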