From c7bda16b4de9b61049f1f6b332aa25c718835f19 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 7 Sep 2023 02:27:50 -0400
Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token
signature.
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-Jira: RHEL-2413
RH-CVE: CVE-2023-20900
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
index 2906d293..57db3b88 100644
--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc,
*/
bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
if (bRet == FALSE) {
- g_warning("failed to register ID\n");
+ g_warning("Failed to register ID\n");
+ goto done;
+ }
+
+ /* Use only X509 certs to validate the signature */
+ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
+ BAD_CAST xmlSecKeyDataX509Id) < 0) {
+ g_warning("Failed to limit allowed key data\n");
goto done;
}
--
2.39.3