diff options
| author | Priyal Doshi <pdoshi@mvista.com> | 2023-09-22 15:40:30 +0530 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-09-30 08:54:36 -0400 |
| commit | 2f4f70a7033b258bfa0a2732601c29d6fee7e9d7 (patch) | |
| tree | 2c1a57aa12f1de492072d080bde1efd7a28b20e5 | |
| parent | 56f851346499278f58677b489296b383260a6948 (diff) | |
| download | meta-openembedded-2f4f70a7033b258bfa0a2732601c29d6fee7e9d7.tar.gz | |
open-vm-tools: Security fix for CVE-2023-20900
Backport-from: https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16
Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch new file mode 100644 index 000000000..38daa0581 --- /dev/null +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch | |||
| @@ -0,0 +1,35 @@ | |||
| 1 | From 7f3cced1e140ed36c6f8f66d7f4098323b0463b2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Katy Feng <fkaty@vmware.com> | ||
| 3 | Date: Fri, 25 Aug 2023 11:58:48 -0700 | ||
| 4 | Subject: [PATCH] Allow only X509 certs to verify the SAML token signature. | ||
| 5 | |||
| 6 | Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16 | ||
| 7 | CVE: CVE-2023-20900 | ||
| 8 | Signed-off-by: Priyal Doshi <pdoshi@mvista.com> | ||
| 9 | --- | ||
| 10 | open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- | ||
| 11 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
| 12 | |||
| 13 | diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | ||
| 14 | index 2906d29..57db3b8 100644 | ||
| 15 | --- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | ||
| 16 | +++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | ||
| 17 | @@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc, | ||
| 18 | */ | ||
| 19 | bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); | ||
| 20 | if (bRet == FALSE) { | ||
| 21 | - g_warning("failed to register ID\n"); | ||
| 22 | + g_warning("Failed to register ID\n"); | ||
| 23 | + goto done; | ||
| 24 | + } | ||
| 25 | + | ||
| 26 | + /* Use only X509 certs to validate the signature */ | ||
| 27 | + if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), | ||
| 28 | + BAD_CAST xmlSecKeyDataX509Id) < 0) { | ||
| 29 | + g_warning("Failed to limit allowed key data\n"); | ||
| 30 | goto done; | ||
| 31 | } | ||
| 32 | |||
| 33 | -- | ||
| 34 | 2.7.4 | ||
| 35 | |||
diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb index 9a1b3f4c8..e3b15e35b 100644 --- a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb | |||
| @@ -44,6 +44,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste | |||
| 44 | file://0001-utilBacktrace-Ignore-Warray-bounds.patch;patchdir=.. \ | 44 | file://0001-utilBacktrace-Ignore-Warray-bounds.patch;patchdir=.. \ |
| 45 | file://0001-hgfsmounter-Makefile.am-support-usrmerge.patch;patchdir=.. \ | 45 | file://0001-hgfsmounter-Makefile.am-support-usrmerge.patch;patchdir=.. \ |
| 46 | file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ | 46 | file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ |
| 47 | file://0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch;patchdir=.. \ | ||
| 47 | " | 48 | " |
| 48 | 49 | ||
| 49 | SRCREV = "d3edfd142a81096f9f58aff17d84219b457f4987" | 50 | SRCREV = "d3edfd142a81096f9f58aff17d84219b457f4987" |