From c7bda16b4de9b61049f1f6b332aa25c718835f19 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 7 Sep 2023 02:27:50 -0400
Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token
 signature.

RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-Jira: RHEL-2413
RH-CVE: CVE-2023-20900

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
index 2906d293..57db3b88 100644
--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc,
     */
    bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
    if (bRet == FALSE) {
-      g_warning("failed to register ID\n");
+      g_warning("Failed to register ID\n");
+      goto done;
+   }
+
+   /* Use only X509 certs to validate the signature */
+   if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
+                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
+      g_warning("Failed to limit allowed key data\n");
       goto done;
    }
 
-- 
2.39.3