diff --git a/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch b/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
new file mode 100644
index 0000000..7eac9d9
--- /dev/null
+++ b/SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
@@ -0,0 +1,38 @@
+From c7bda16b4de9b61049f1f6b332aa25c718835f19 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina
+Date: Thu, 7 Sep 2023 02:27:50 -0400
+Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token
+ signature.
+
+RH-Author: Miroslav Rezanina
+RH-Jira: RHEL-2413
+RH-CVE: CVE-2023-20900
+
+Signed-off-by: Miroslav Rezanina
+---
+ open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index 2906d293..57db3b88 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc,
+ */
+ bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
+ if (bRet == FALSE) {
+- g_warning("failed to register ID\n");
++ g_warning("Failed to register ID\n");
++ goto done;
++ }
++
++ /* Use only X509 certs to validate the signature */
++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
++ BAD_CAST xmlSecKeyDataX509Id) < 0) {
++ g_warning("Failed to limit allowed key data\n");
+ goto done;
+ }
+
+--
+2.39.3
+
diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec
index 57d1c74..4b6f454 100644
--- a/SPECS/open-vm-tools.spec
+++ b/SPECS/open-vm-tools.spec
@@ -28,7 +28,7 @@
 Name: open-vm-tools
 Version: %{toolsversion}
-Release: 3%{?dist}.6
+Release: 3%{?dist}.7
 Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
 Group: Applications/System
 License: GPLv2
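Review bot: Nothing in the hunk shows that `dsigCtx->keyInfoReadCtx.enabledKeyData` is still empty when the new `xmlSecPtrListAdd` runs; in xmlsec an empty enabled list means every key-data type is accepted, while a list that already holds another id would make `xmlSecKeyDataX509Id` additive rather than exclusive, so the fix depends on this being the only entry the list ever receives. A comment next to the add, such as `/* enabledKeyData must contain only X509: key material carried inside the token itself must never be able to verify the token's signature */`, would record the intent the CVE fix relies on (the "inside the token" part is my reading of the fix, not something the hunk states). The capitalisation change to the existing `g_warning("failed to register ID\n")` is unrelated to the vulnerability and widens a security backport; keeping the original string keeps the patch minimal. VerifySignature begins and ends outside the hunk, so the initialisation of dsigCtx and the value returned after `goto done` are not visible here.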
@@ -40,7 +40,7 @@ Source3: run-vmblock\x2dfuse.mount Source4: open-vm-tools.conf Source5: vmtoolsd.pam -ExclusiveArch: x86_64 %{ix86} +ExclusiveArch: x86_64 Patch0002: 0002-Fix-RELRO-flag.patch # For bz#1809753 - [ESXi][RHEL7.9]open-vm-tools add appinfo plugin patch @@ -60,6 +60,8 @@ Patch8: ovt-Properly-check-authorization-on-incoming-guestOps-re.patch Patch9: ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch # For bz#2215562 - [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-7] Patch10: ovt-Remove-some-dead-code.patch +# For RHEL-2413 - CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-7.9.z] +Patch11: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch BuildRequires: autoconf BuildRequires: automake @@ -340,6 +342,11 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog +* Thu Sep 07 2023 Miroslav Rezanina - 11.0.5-3.el7_9.7 +- ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch [RHEL-2413] +- Resolves: RHEL-2413 + (CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-7.9.z]) + * Mon Jun 26 2023 Jon Maloy - 11.0.5-3.el7_9.6 - ovt-Remove-some-dead-code.patch [bz#2215562] - Resolves: bz#2215562
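Review bot: Patch11 is declared in the -60 hunk but no hunk in this diff applies it; unless %prep uses `%autosetup -p1` or `%autopatch`, an explicit `%patch11 -p1` next to the existing patch applications is needed, otherwise the CVE fix is shipped in SOURCES but never compiled in. The %prep section is outside the visible hunks, so this cannot be confirmed from the diff; a build log showing the patch being applied, or the built saml-xmlsec1.c containing the `xmlSecKeyDataX509Id` restriction, settles it.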