
From c7bda16b4de9b61049f1f6b332aa25c718835f19 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 7 Sep 2023 02:27:50 -0400
Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token
 signature.
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-Jira: RHEL-2413
RH-CVE: CVE-2023-20900
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
index 2906d293..57db3b88 100644
--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc,
     */
    bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
    if (bRet == FALSE) {
-      g_warning("failed to register ID\n");
+      g_warning("Failed to register ID\n");
+      goto done;
+   }
+
+   /* Use only X509 certs to validate the signature */
+   if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
+                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
+      g_warning("Failed to limit allowed key data\n");
       goto done;
    }
 
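Review bot: The new `goto done` in the xmlSecPtrListAdd failure branch is reached with `bRet` still TRUE from the successful RegisterID call just above it, so if VerifySignature's `done:` label returns `bRet` (the function's start and end lie outside this hunk, so this cannot be confirmed here) a failure to restrict the key data would be reported as a successful signature verification; adding `bRet = FALSE;` before that `goto done;` makes the fail-closed intent explicit whatever `done:` returns. The comment `/* Use only X509 certs to validate the signature */` states what but not why; since xmlsec treats an empty enabledKeyData list as "all key data types allowed", I would write it as `/* Restrict KeyInfo to X509 data: otherwise a KeyValue embedded in the token itself could supply the key that verifies the attacker's own signature (CVE-2023-20900) */`. Restricting key data only decides which KeyInfo children xmlsec will read; whether the supplied certificate actually chains to the trusted keys manager is presumably still enforced by the verify call later in this function and should be confirmed outside this hunk.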
-- 
2.39.3