Github messages for voidlinux
* [PR PATCH] open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059
@ 2023-10-27 13:44 Piraty
  2023-10-27 13:54 ` [PR PATCH] [Updated] " Piraty
  2023-10-27 14:01 ` [PR PATCH] [Merged]: " Piraty
  0 siblings, 2 replies; 3+ messages in thread
From: Piraty @ 2023-10-27 13:44 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 479 bytes --]

There is a new pull request by Piraty against master on the void-packages repository

https://github.com/Piraty/void-packages open-vm-tools-CVE-2023-34059
https://github.com/void-linux/void-packages/pull/46932

open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059
https://www.openwall.com/lists/oss-security/2023/10/27/1
https://www.openwall.com/lists/oss-security/2023/10/27/2


A patch file from https://github.com/void-linux/void-packages/pull/46932.patch is attached

[-- Attachment #2: github-pr-open-vm-tools-CVE-2023-34059-46932.patch --]
[-- Type: text/x-diff, Size: 14721 bytes --]

From bbb4a8dba8565a5e183d2ed35ca22166ed0422e9 Mon Sep 17 00:00:00 2001
From: Piraty <mail@piraty.dev>
Date: Fri, 27 Oct 2023 15:43:00 +0200
Subject: [PATCH] open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059

https://www.openwall.com/lists/oss-security/2023/10/27/1
https://www.openwall.com/lists/oss-security/2023/10/27/2
---
 .../patches/CVE-2023-34058.patch              | 237 ++++++++++++++++++
 .../patches/CVE-2023-34059.patch              | 182 ++++++++++++++
 srcpkgs/open-vm-tools/template                |   2 +-
 3 files changed, 420 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/open-vm-tools/patches/CVE-2023-34058.patch
 create mode 100644 srcpkgs/open-vm-tools/patches/CVE-2023-34059.patch

diff --git a/srcpkgs/open-vm-tools/patches/CVE-2023-34058.patch b/srcpkgs/open-vm-tools/patches/CVE-2023-34058.patch
new file mode 100644
index 0000000000000..0fc34d714908c
--- /dev/null
+++ b/srcpkgs/open-vm-tools/patches/CVE-2023-34058.patch
@@ -0,0 +1,237 @@
+From 6822b5a84f8cfa60d46479d6b8f1c63eb85eac87 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Wed, 18 Oct 2023 09:04:07 -0700
+Subject: [PATCH] Address CVE-2023-34058
+
+VGAuth: don't accept tokens with unrelated certs.
+
+---
+ open-vm-tools/vgauth/common/certverify.c        | 145 ++++++++++++++++++++++++
+ open-vm-tools/vgauth/common/certverify.h        |   4 +
+ open-vm-tools/vgauth/common/prefs.h             |   2 +
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c |  14 +++
+ 4 files changed, 165 insertions(+)
+
+diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c
+index 0ed78ed..e1d7cc6 100644
+--- a/open-vm-tools/vgauth/common/certverify.c
++++ b/open-vm-tools/vgauth/common/certverify.c
+@@ -914,3 +914,148 @@ done:
+ 
+    return err;
+ }
++
++
++/*
++ * Finds a cert with a subject (if checkSubj is set) or issuer (if
++ * checkSUbj is unset), matching 'val' in the list
++ * of certs.  Returns a match or NULL.
++ */
++
++static X509 *
++FindCert(GList *cList,
++         X509_NAME *val,
++         int checkSubj)
++{
++   GList *l;
++   X509 *c;
++   X509_NAME *v;
++
++   l = cList;
++   while (l != NULL) {
++      c = (X509 *) l->data;
++      if (checkSubj) {
++         v = X509_get_subject_name(c);
++      } else {
++         v = X509_get_issuer_name(c);
++      }
++      if (X509_NAME_cmp(val, v) == 0) {
++         return c;
++      }
++      l = l->next;
++   }
++   return NULL;
++}
++
++
++/*
++ ******************************************************************************
++ * CertVerify_CheckForUnrelatedCerts --                                  */ /**
++ *
++ * Looks over a list of certs.  If it finds that they are not all
++ * part of the same chain, returns failure.
++ *
++ * @param[in]     numCerts      The number of certs in the chain.
++ * @param[in]     pemCerts      The chain of certificates to verify.
++ *
++ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
++ *
++ ******************************************************************************
++ */
++
++VGAuthError
++CertVerify_CheckForUnrelatedCerts(int numCerts,
++                                  const char **pemCerts)
++{
++   VGAuthError err = VGAUTH_E_FAIL;
++   int chainLen = 0;
++   int i;
++   X509 **certs = NULL;
++   GList *rawList = NULL;
++   X509 *baseCert;
++   X509 *curCert;
++   X509_NAME *subject;
++   X509_NAME *issuer;
++
++   /* common single cert case; nothing to do */
++   if (numCerts == 1) {
++      return VGAUTH_E_OK;
++   }
++
++   /* convert all PEM to X509 objects */
++   certs = g_malloc0(numCerts * sizeof(X509 *));
++   for (i = 0; i < numCerts; i++) {
++      certs[i] = CertStringToX509(pemCerts[i]);
++      if (NULL == certs[i]) {
++         g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
++         goto done;
++      }
++   }
++
++   /* choose the cert to start the chain.  shouldn't matter which */
++   baseCert = certs[0];
++
++   /* put the rest into a list */
++   for (i = 1; i < numCerts; i++) {
++      rawList = g_list_append(rawList, certs[i]);
++   }
++
++   /* now chase down to a leaf, looking for certs the baseCert issued */
++   subject = X509_get_subject_name(baseCert);
++   while ((curCert = FindCert(rawList, subject, 0)) != NULL) {
++      /* pull it from the list */
++      rawList = g_list_remove(rawList, curCert);
++      /* set up the next find */
++      subject = X509_get_subject_name(curCert);
++   }
++
++   /*
++    * walk up to the root cert, by finding a cert where the
++    * issuer equals the subject of the current
++    */
++   issuer = X509_get_issuer_name(baseCert);
++   while ((curCert = FindCert(rawList, issuer, 1)) != NULL) {
++      /* pull it from the list */
++      rawList = g_list_remove(rawList, curCert);
++      /* set up the next find */
++      issuer = X509_get_issuer_name(curCert);
++   }
++
++   /*
++    * At this point, anything on the list should be certs that are not part
++    * of the chain that includes the original 'baseCert'.
++    *
++    * For a valid token, the list should be empty.
++    */
++   chainLen = g_list_length(rawList);
++   if (chainLen != 0 ) {
++      GList *l;
++
++      g_warning("%s: %d unrelated certs found in list\n",
++                __FUNCTION__, chainLen);
++
++      /* debug helper */
++      l = rawList;
++      while (l != NULL) {
++         X509* c = (X509 *) l->data;
++         char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0);
++
++         g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s);
++         free(s);
++         l = l->next;
++      }
++
++      goto done;
++   }
++
++   g_debug("%s: Success!  no unrelated certs found\n", __FUNCTION__);
++   err = VGAUTH_E_OK;
++
++done:
++   g_list_free(rawList);
++   for (i = 0; i < numCerts; i++) {
++      X509_free(certs[i]);
++   }
++   g_free(certs);
++   return err;
++}
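Review bot: `numCerts` values other than 1 and 2-or-more are not handled in `CertVerify_CheckForUnrelatedCerts`. The early `if (numCerts == 1)` return covers the common case, but with `numCerts == 0` the `g_malloc0(0)` call returns NULL and `baseCert = certs[0]` dereferences it, and a negative count makes the `numCerts * sizeof(X509 *)` size wrap. A guard such as `if (numCerts <= 1) return VGAUTH_E_OK;` (or an explicit rejection of `<= 0`) at the top of the function closes that off. Three smaller points in the same hunk: `X509_NAME_oneline()` returns a buffer allocated by OpenSSL, so it should be released with `OPENSSL_free(s)` rather than `free(s)` to stay correct under a custom OpenSSL allocator; `chainLen` actually holds the number of leftover unrelated certs, so a name like `numUnrelated` would match the warning it feeds; and the comment above `FindCert` has the typo `checkSUbj`. Finally, the header comment should say that this walk matches issuer and subject names only, so it is a structural pre-check; the signature-based validation in `ServiceVerifyAndCheckTrustCertChainForSubject` that runs afterwards remains what authenticates the chain.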
+diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h
+index d7c6410..f582bb8 100644
+--- a/open-vm-tools/vgauth/common/certverify.h
++++ b/open-vm-tools/vgauth/common/certverify.h
+@@ -67,6 +67,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash,
+                                                size_t signatureLen,
+                                                const unsigned char *signature);
+ 
++
++VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts,
++                                              const char **pemCerts);
++
+ gchar * CertVerify_StripPEMCert(const gchar *pemCert);
+ 
+ gchar * CertVerify_CertToX509String(const gchar *pemCert);
+diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h
+index ff11692..87ccc9b 100644
+--- a/open-vm-tools/vgauth/common/prefs.h
++++ b/open-vm-tools/vgauth/common/prefs.h
+@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages
+ #define VGAUTH_PREF_ALIASSTORE_DIR         "aliasStoreDir"
+ /** The number of seconds slack allowed in either direction in SAML token date checks. */
+ #define VGAUTH_PREF_CLOCK_SKEW_SECS        "clockSkewAdjustment"
++/** If unrelated certificates are allowed in a SAML token */
++#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS  "allowUnrelatedCerts"
+ 
+ /** Ticket group name. */
+ #define VGAUTH_PREF_GROUP_NAME_TICKET      "ticket"
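Review bot: the doc comment for `VGAUTH_PREF_ALLOW_UNRELATED_CERTS` should state the default and what changing it gives up. The pref is read with a FALSE default, and setting it to true disables the CVE-2023-34058 check entirely, so a comment along the lines of `/** Whether unrelated certificates are allowed in a SAML token. Default false; enabling it re-opens CVE-2023-34058. */` tells an administrator reading `prefs.h` exactly what the trade-off is. The hunk's enclosing context line (`msgCatalog = /etc/vmware-tools/vgauth/messages`) suggests this header also carries a sample configuration listing; if so, the new key belongs in that listing under the `service` group as well.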
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index 14cba1b..57e9316 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -49,6 +49,7 @@
+ #include "vmxlog.h"
+ 
+ static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS;
++static gboolean gAllowUnrelatedCerts = FALSE;
+ static xmlSchemaPtr gParsedSchemas = NULL;
+ static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL;
+ 
+@@ -369,6 +370,10 @@ LoadPrefs(void)
+                                       VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS);
+     Log("%s: Allowing %d of clock skew for SAML date validation\n",
+         __FUNCTION__, gClockSkewAdjustment);
++    gAllowUnrelatedCerts = Pref_GetBool(gPrefs,
++                                        VGAUTH_PREF_ALLOW_UNRELATED_CERTS,
++                                        VGAUTH_PREF_GROUP_NAME_SERVICE,
++                                        FALSE);
+ }
+ 
+ 
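Review bot: unlike the clock-skew pref read a few lines above, the new `gAllowUnrelatedCerts` value is not logged. Because turning it on silently disables the unrelated-cert check, add a `Log()` call after the `Pref_GetBool` call (or at least log when the value is TRUE), for example `Log("%s: allowUnrelatedCerts=%d\n", __FUNCTION__, gAllowUnrelatedCerts);`, so that the weakened configuration is visible in the service log and can be alerted on.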
+@@ -1697,6 +1702,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText,
+       return VGAUTH_E_AUTHENTICATION_DENIED;
+    }
+ 
++   if (!gAllowUnrelatedCerts) {
++      err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain);
++      if (err != VGAUTH_E_OK) {
++         VMXLog_Log(VMXLOG_LEVEL_WARNING,
++                    "Unrelated certs found in SAML token, failing\n");
++         return VGAUTH_E_AUTHENTICATION_DENIED;
++      }
++   }
++
+    subj.type = SUBJECT_TYPE_NAMED;
+    subj.name = *subjNameOut;
+    err = ServiceVerifyAndCheckTrustCertChainForSubject(num,
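Review bot: the warning text is misleading on one path. `CertVerify_CheckForUnrelatedCerts` returns `VGAUTH_E_FAIL` both when a cert is genuinely unrelated and when `CertStringToX509` fails to parse one of the PEM entries, yet this hunk always logs `"Unrelated certs found in SAML token, failing\n"`. Either distinguish the two causes in `certverify.c` or reword the message to say the chain-relation check failed; an inaccurate log line makes triage of denied tokens harder. Returning `VGAUTH_E_AUTHENTICATION_DENIED` in both cases is the right outcome.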
+-- 
+2.6.2
+
diff --git a/srcpkgs/open-vm-tools/patches/CVE-2023-34059.patch b/srcpkgs/open-vm-tools/patches/CVE-2023-34059.patch
new file mode 100644
index 0000000000000..2a667aa08bd0e
--- /dev/null
+++ b/srcpkgs/open-vm-tools/patches/CVE-2023-34059.patch
@@ -0,0 +1,182 @@
+From 2011181cbe60b256ced8d28daf7b704e8613467c Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Wed, 18 Oct 2023 09:11:54 -0700
+Subject: [PATCH] Address CVE-2023-34059
+
+Fix file descriptor vulnerability in the open-vm-tools
+   vmware-user-suid-wrapper on Linux.
+ - Moving the privilege drop logic (dropping privilege to the real uid
+   and gid of the process for the vmusr service) from suidWrapper to
+   vmtoolsd code.
+
+---
+ open-vm-tools/services/vmtoolsd/mainPosix.c   | 76 +++++++++++++++++++++++++++
+ open-vm-tools/vmware-user-suid-wrapper/main.c | 26 ++-------
+ 2 files changed, 79 insertions(+), 23 deletions(-)
+
+diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c
+index fd2667c..8b46979 100644
+--- a/open-vm-tools/services/vmtoolsd/mainPosix.c
++++ b/open-vm-tools/services/vmtoolsd/mainPosix.c
+@@ -28,10 +28,12 @@
+ #include <signal.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <fcntl.h>
+ #include <glib/gstdio.h>
+ #include "file.h"
+ #include "guestApp.h"
+ #include "hostinfo.h"
++#include "su.h"
+ #include "system.h"
+ #include "unicode.h"
+ #include "util.h"
+@@ -155,6 +157,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state,
+ 
+ 
+ /**
++ * Tools function to set close-on-exec flg for the fd.
++ *
++ * @param[in] fd   open file descriptor.
++ *
++ * @return TRUE on success, FALSE otherwise.
++ */
++
++static gboolean
++ToolsSetCloexecFlag(int fd)
++{
++   int flags;
++
++   if (fd == -1) {
++      /* fd is not present, no need to manipulate */
++      return TRUE;
++   }
++
++   flags = fcntl(fd, F_GETFD, 0);
++   if (flags < 0) {
++      g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno);
++      return FALSE;
++   }
++   flags |= FD_CLOEXEC;
++   if (fcntl(fd, F_SETFD, flags) < 0) {
++      g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno);
++      return FALSE;
++   }
++
++   return TRUE;
++}
++
++
++/**
++ * Tools function to close the fds.
++ */
++
++static void
++ToolsCloseFds(void)
++{
++   if (gState.ctx.blockFD != -1) {
++      close(gState.ctx.blockFD);
++   }
++
++   /*
++    * uinputFD will be available only for wayland.
++    */
++   if (gState.ctx.uinputFD != -1) {
++      close(gState.ctx.uinputFD);
++   }
++}
++
++
++/**
+  * Tools daemon entry function.
+  *
+  * @param[in] argc   Argument count.
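Review bot: `errno` is an `int`, so the `%u` in both `g_printerr` calls in `ToolsSetCloexecFlag` should be `%d`, and neither message ends in a newline, so consecutive errors run together on stderr; `strerror(errno)`, as the later `main` hunk already uses, would also read better than the raw number. In `ToolsCloseFds`, consider resetting `gState.ctx.blockFD` and `gState.ctx.uinputFD` to -1 after `close()` so that any later cleanup on the `exit` path cannot close a descriptor number that has since been reused. Typo in the header comment: `flg` for `flag`.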
+@@ -210,6 +265,27 @@ main(int argc,
+    g_free(argvCopy);
+    argvCopy = NULL;
+ 
++   /*
++    * Drops privilege to the real uid and gid of the process
++    * for the "vmusr" service.
++    */
++   if (TOOLS_IS_USER_SERVICE(&gState)) {
++      uid_t uid = getuid();
++      gid_t gid = getgid();
++
++      if ((Id_SetREUid(uid, uid) != 0) ||
++          (Id_SetREGid(gid, gid) != 0)) {
++         g_printerr("could not drop privileges: %s", strerror(errno));
++         ToolsCloseFds();
++         goto exit;
++      }
++      if (!ToolsSetCloexecFlag(gState.ctx.blockFD) ||
++          !ToolsSetCloexecFlag(gState.ctx.uinputFD)) {
++         ToolsCloseFds();
++         goto exit;
++      }
++   }
++
+    if (gState.pidFile != NULL) {
+       /*
+        * If argv[0] is not an absolute path, make it so; all other path
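Review bot: drop the group ID before the user ID. The block calls `Id_SetREUid(uid, uid)` first and `Id_SetREGid(gid, gid)` second, so the gid change runs after root has already been given up and succeeds only because the target is the process's own real gid. Swapping the two calls is the conventional ordering for setuid code and removes that dependence. The `FD_CLOEXEC` marking is what closes the descriptor leak this patch addresses: it is applied after the privilege drop, so `blockFD` and `uinputFD` stay usable by vmtoolsd itself but are no longer inherited by anything it execs. A one-line comment saying so next to the `ToolsSetCloexecFlag` calls would make their purpose clear to the next reader.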
+diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c
+index e9d7e50..a19af53 100644
+--- a/open-vm-tools/vmware-user-suid-wrapper/main.c
++++ b/open-vm-tools/vmware-user-suid-wrapper/main.c
+@@ -156,8 +156,7 @@ MaskSignals(void)
+  *
+  *    Obtains the library directory from the Tools locations database, then
+  *    opens a file descriptor (while still root) to add and remove blocks,
+- *    drops privilege to the real uid of this process, and finally starts
+- *    vmware-user.
++ *    and finally starts vmware-user.
+  *
+  * Results:
+  *    Parent: TRUE on success, FALSE on failure.
+@@ -173,8 +172,6 @@ static Bool
+ StartVMwareUser(char *const envp[])
+ {
+    pid_t pid;
+-   uid_t uid;
+-   gid_t gid;
+    int blockFd = -1;
+    char blockFdStr[8];
+    int uinputFd = -1;
+@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[])
+    }
+ 
+    /*
+-    * Now create a child process, obtain a file descriptor as root, downgrade
+-    * privilege, and run vmware-user.
++    * Now create a child process, obtain a file descriptor as root and
++    * run vmware-user.
+     */
+    pid = fork();
+    if (pid == -1) {
+@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[])
+       }
+    }
+ 
+-   uid = getuid();
+-   gid = getgid();
+-
+-   if ((setreuid(uid, uid) != 0) ||
+-       (setregid(gid, gid) != 0)) {
+-      Error("could not drop privileges: %s\n", strerror(errno));
+-      if (blockFd != -1) {
+-         close(blockFd);
+-      }
+-      if (useWayland) {
+-         if (uinputFd != -1) {
+-            close(uinputFd);
+-         }
+-      }
+-      return FALSE;
+-   }
+-
+    /*
+     * Since vmware-user provides features that don't depend on vmblock, we
+     * invoke vmware-user even if we couldn't obtain a file descriptor or we
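Review bot: with the `setreuid`/`setregid` block removed, `StartVMwareUser` now execs vmware-user while still holding the wrapper's root privileges and relies on the `TOOLS_IS_USER_SERVICE` block in `vmtoolsd/mainPosix.c` to drop them. The retained comment beginning `Since vmware-user provides features that don't depend on vmblock` should say so, otherwise a reader of this file will assume the child starts unprivileged. The rewritten header comment (`and finally starts vmware-user.`) is consistent with the change, and the removed `useWayland`-guarded close of `uinputFd` is covered by the `!= -1` test in `ToolsCloseFds`.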
+-- 
+2.6.2
+
diff --git a/srcpkgs/open-vm-tools/template b/srcpkgs/open-vm-tools/template
index cd507b729bf6b..c72ade7f06e16 100644
--- a/srcpkgs/open-vm-tools/template
+++ b/srcpkgs/open-vm-tools/template
@@ -1,7 +1,7 @@
 # Template file for 'open-vm-tools'
 pkgname=open-vm-tools
 version=12.3.0
-revision=1
+revision=2
 archs="x86_64* i686* aarch64*"
 build_wrksrc="open-vm-tools"
 build_style=gnu-configure


* Re: [PR PATCH] [Updated] open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059
  2023-10-27 13:44 [PR PATCH] open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059 Piraty
@ 2023-10-27 13:54 ` Piraty
  2023-10-27 14:01 ` [PR PATCH] [Merged]: " Piraty
  1 sibling, 0 replies; 3+ messages in thread
From: Piraty @ 2023-10-27 13:54 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 484 bytes --]

There is an updated pull request by Piraty against master on the void-packages repository

https://github.com/Piraty/void-packages open-vm-tools-CVE-2023-34059
https://github.com/void-linux/void-packages/pull/46932

open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059
https://www.openwall.com/lists/oss-security/2023/10/27/1
https://www.openwall.com/lists/oss-security/2023/10/27/2


A patch file from https://github.com/void-linux/void-packages/pull/46932.patch is attached

[-- Attachment #2: github-pr-open-vm-tools-CVE-2023-34059-46932.patch --]
[-- Type: text/x-diff, Size: 14721 bytes --]

From f6a30da552e3099a5b6d1cfdd4b8cae82726122f Mon Sep 17 00:00:00 2001
From: Piraty <mail@piraty.dev>
Date: Fri, 27 Oct 2023 15:43:00 +0200
Subject: [PATCH] open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059

https://www.openwall.com/lists/oss-security/2023/10/27/1
https://www.openwall.com/lists/oss-security/2023/10/27/2
---
 .../patches/CVE-2023-34058.patch              | 237 ++++++++++++++++++
 .../patches/CVE-2023-34059.patch              | 182 ++++++++++++++
 srcpkgs/open-vm-tools/template                |   2 +-
 3 files changed, 420 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/open-vm-tools/patches/CVE-2023-34058.patch
 create mode 100644 srcpkgs/open-vm-tools/patches/CVE-2023-34059.patch


* Re: [PR PATCH] [Merged]: open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059
  2023-10-27 13:44 [PR PATCH] open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059 Piraty
  2023-10-27 13:54 ` [PR PATCH] [Updated] " Piraty
@ 2023-10-27 14:01 ` Piraty
  1 sibling, 0 replies; 3+ messages in thread
From: Piraty @ 2023-10-27 14:01 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 309 bytes --]

There's a merged pull request on the void-packages repository

open-vm-tools: add patch for CVE-2023-34058, CVE-2023-34059
https://github.com/void-linux/void-packages/pull/46932

Description:
https://www.openwall.com/lists/oss-security/2023/10/27/1
https://www.openwall.com/lists/oss-security/2023/10/27/2


