diff --git a/SOURCES/ovt-Remove-some-dead-code.patch b/SOURCES/ovt-Remove-some-dead-code.patch
new file mode 100644
index 0000000..4370eae
--- /dev/null
+++ b/SOURCES/ovt-Remove-some-dead-code.patch
@@ -0,0 +1,168 @@
+From 626402d0e29e816e46fea97797c02c6264997a6f Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Mon, 8 May 2023 20:15:01 -0700
+Subject: [PATCH] Remove some dead code.
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 22: Remove some dead code.
+RH-Bugzilla: 2215562
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Cathy Avery <cavery@redhat.com>
+RH-Commit: [1/1] f1963d6d390d5f10d827fb3f1057123bb32dda53
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+
+cherry-picked from
+https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code-1100-1105.patch
+
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index c40ad15a..d9b947f6 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -228,8 +228,6 @@ char *gImpersonatedUsername = NULL;
+ #define  VIX_TOOLS_CONFIG_API_AUTHENTICATION          "Authentication"
+ #define  VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS             "InfrastructureAgents"
+ 
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT  TRUE
+-
+ /*
+  * The switch that controls all APIs
+  */
+@@ -704,9 +702,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+ 
+ void GuestAuthUnimpersonate();
+ 
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+-                                                     const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+ 
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -7845,29 +7840,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg,   // IN
+                                           userToken);
+       break;
+    }
+-   case VIX_USER_CREDENTIAL_ROOT:
+-   {
+-      if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+-          !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+-                                            VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+-          /*
+-           * Don't accept hashed shared secret if disabled.
+-           */
+-          g_message("%s: Requested authentication type has been disabled.\n",
+-                    __FUNCTION__);
+-          err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+-          goto done;
+-      }
+-   }
+-   // fall through
+-
+-   case VIX_USER_CREDENTIAL_CONSOLE_USER:
+-      err = VixToolsImpersonateUserImplEx(NULL,
+-                                          credentialType,
+-                                          NULL,
+-                                          loadUserProfile,
+-                                          userToken);
+-      break;
+    case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+    case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+    case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8036,36 +8008,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr,         // IN
+          }
+       }
+ 
+-      /*
+-       * If the VMX asks to be root, then we allow them.
+-       * The VMX will make sure that only it will pass this value in,
+-       * and only when the VM and host are configured to allow this.
+-       */
+-      if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+-            && (thisProcessRunsAsRoot)) {
+-         *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-         gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+-         err = VIX_OK;
+-         goto abort;
+-      }
+-
+-      /*
+-       * If the VMX asks to be root, then we allow them.
+-       * The VMX will make sure that only it will pass this value in,
+-       * and only when the VM and host are configured to allow this.
+-       *
+-       * XXX This has been deprecated XXX
+-       */
+-      if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+-            && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+-         *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+-         gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+-         err = VIX_OK;
+-         goto abort;
+-      }
+-
+       /*
+        * If the VMX asks us to run commands in the context of the current
+        * user, make sure that the user who requested the command is the
+@@ -10755,50 +10697,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode,                          // IN
+ }
+ 
+ 
+-/*
+- *-----------------------------------------------------------------------------
+- *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- *    Checks to see if a given authentication type has been
+- *    disabled via the tools configuration.
+- *
+- * Return value:
+- *    TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- *    None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,     // IN
+-                                         const char *typeName)      // IN
+-{
+-   char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
+-   gboolean disabled;
+-
+-   Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+-                VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+-                typeName);
+-
+-   ASSERT(confDictRef != NULL);
+-
+-   /*
+-    * XXX Skip doing the strcmp() to verify the auth type since we only
+-    * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+-    * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+-    */
+-   disabled = VixTools_ConfigGetBoolean(confDictRef,
+-                                        VIX_TOOLS_CONFIG_API_GROUPNAME,
+-                                        authnDisabledName,
+-                                        VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+-   return !disabled;
+-}
+-
+-
+ /*
+  *-----------------------------------------------------------------------------
+  *
+-- 
+2.37.3
+
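Review bot: With the `VIX_USER_CREDENTIAL_ROOT` and `VIX_USER_CREDENTIAL_CONSOLE_USER` cases removed from the switch in `VixToolsImpersonateUser`, a request carrying either credential type now reaches the switch's default branch, which is outside the hunk. Confirm that branch sets an error and cannot reach an impersonation call, because the block removed from `VixToolsImpersonateUserImplEx` granted `PROCESS_CREATOR_USER_TOKEN` on the claimed credential type alone. The macro `VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS` and the local `allowConsoleUserOps` lose the only uses visible here. If nothing else references them, remove `#define  VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"` and the local as well, so the deprecated auth type leaves no configuration surface behind.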
diff --git a/SOURCES/ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch b/SOURCES/ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch
new file mode 100644
index 0000000..31628a1
--- /dev/null
+++ b/SOURCES/ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch
@@ -0,0 +1,218 @@
+From 88826c7f64f3180711943b5311c4414d4b1dc1d1 Mon Sep 17 00:00:00 2001
+From: Katy Feng <fkaty@vmware.com>
+Date: Tue, 17 Jan 2023 19:08:33 -0800
+Subject: [PATCH] Track Linux filesystem id (FSID) for quiesced (frozen)
+ filesystems
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 14: Track Linux filesystem id (FSID) for quiesced (frozen) filesystems
+RH-Bugzilla: 1880404 1994590
+RH-Acked-by: Cathy Avery <cavery@redhat.com>
+RH-Commit: [1/1] c4ed73561eba36e7112cf96384f0c28f28489934
+
+Tracking the filesystem FSID along with each file descriptor (FD)
+as the ioctl FIFREEZE is done.  An EBUSY could be seen because of
+an attempt to freeze the same superblock more than once depending
+on the OS configuration (e.g. usage of bind mounts).  An EBUSY could
+also mean another process has locked or frozen that filesystem.
+
+When an EBUSY is received, the filesyste FSID is checked against the
+list of filesystems that have already be quiesced.  If not previously
+seen, a warning that the filesystem is controlled by another process
+is logged and the quiesced snapshot request will be rejected.
+
+(cherry picked from commit 9d458c53a7a656d4d1ba3a28d090cce82ac4af0e)
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+---
+ .../lib/syncDriver/syncDriverLinux.c          | 112 +++++++++++++++---
+ 1 file changed, 96 insertions(+), 16 deletions(-)
+
+diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+index eef65a2e..6d9a3568 100644
+--- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c
++++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2018 VMware, Inc. All rights reserved.
++ * Copyright (C) 2011-2018, 2023 VMware, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -32,6 +32,7 @@
+ #include <sys/ioctl.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/statfs.h>
+ #include "debug.h"
+ #include "dynbuf.h"
+ #include "syncDriverInt.h"
+@@ -43,12 +44,53 @@
+ #endif
+ 
+ 
++
++typedef struct LinuxFsInfo {
++   int fd;
++   fsid_t fsid;
++} LinuxFsInfo;
++
+ typedef struct LinuxDriver {
+    SyncHandle  driver;
+    size_t      fdCnt;
+-   int        *fds;
++   LinuxFsInfo *fds;
+ } LinuxDriver;
+ 
++static
++const fsid_t MISSING_FSID = {};
++
++
++/*
++ *******************************************************************************
++ * LinuxFiFsIdMatch --
++ *
++ * Check the collection of filesystems previously frozen for the specific
++ * FSID.
++ *
++ * @param[in] fds    List of LinuxFsInfo data for filesystems previously
++ *                   frozen.
++ * @param[in] count  Number of fds in the list.
++ * @param[in] nfsid  The Filesystem ID of interest.
++ *
++ * @return TRUE if the FSID matches one previously processed.  Otherwise FALSE
++ *
++ *******************************************************************************
++ */
++
++static Bool
++LinuxFiFsIdMatch(const LinuxFsInfo *fds,
++                 const size_t count,
++                 const fsid_t *nfsid) {
++   size_t i;
++
++   for (i = 0; i < count; i++) {
++      if (fds[i].fsid.__val[0] == nfsid->__val[0] &&
++          fds[i].fsid.__val[1] == nfsid->__val[1]) {
++         return TRUE;
++      }
++   }
++   return FALSE;
++}
+ 
+ /*
+  *******************************************************************************
+@@ -75,9 +117,11 @@ LinuxFiThaw(const SyncDriverHandle handle)
+     * Thaw in the reverse order of freeze
+     */
+    for (i = sync->fdCnt; i > 0; i--) {
+-      Debug(LGPFX "Thawing fd=%d.\n", sync->fds[i-1]);
+-      if (ioctl(sync->fds[i-1], FITHAW) == -1) {
+-         Debug(LGPFX "Thaw failed for fd=%d.\n", sync->fds[i-1]);
++      int fd = sync->fds[i-1].fd;
++
++      Debug(LGPFX "Thawing fd=%d.\n", fd);
++      if (ioctl(fd, FITHAW) == -1) {
++         Debug(LGPFX "Thaw failed for fd=%d.\n", fd);
+          err = SD_ERROR;
+       }
+    }
+@@ -108,8 +152,10 @@ LinuxFiClose(SyncDriverHandle handle)
+     * Close in the reverse order of open
+     */
+    for (i = sync->fdCnt; i > 0; i--) {
+-      Debug(LGPFX "Closing fd=%d.\n", sync->fds[i-1]);
+-      close(sync->fds[i-1]);
++      int fd = sync->fds[i-1].fd;
++
++      Debug(LGPFX "Closing fd=%d.\n", fd);
++      close(fd);
+    }
+    free(sync->fds);
+    free(sync);
+@@ -196,8 +242,11 @@ LinuxDriver_Freeze(const GSList *paths,
+     */
+    while (paths != NULL) {
+       int fd;
++      LinuxFsInfo fsInfo;
+       struct stat sbuf;
++      struct statfs fsbuf;
+       const char *path = paths->data;
++
+       Debug(LGPFX "opening path '%s'.\n", path);
+       paths = g_slist_next(paths);
+       fd = open(path, O_RDONLY);
+@@ -258,23 +307,53 @@ LinuxDriver_Freeze(const GSList *paths,
+          continue;
+       }
+ 
++      if (fstatfs(fd, &fsbuf) == 0) {
++         fsInfo.fsid = fsbuf.f_fsid;
++      } else {
++         Debug(LGPFX "failed to get file system id for path '%s'.\n", path);
++         fsInfo.fsid = MISSING_FSID;
++      }
+       Debug(LGPFX "freezing path '%s' (fd=%d).\n", path, fd);
+       if (ioctl(fd, FIFREEZE) == -1) {
+          int ioctlerr = errno;
++
++         close(fd);
++         Debug(LGPFX "freeze on '%s' returned: %d (%s)\n",
++               path, ioctlerr, strerror(ioctlerr));
++         /*
++          * Previously, an EBUSY error was ignored, assuming that we may try
++          * to freeze the same superblock more than once depending on the
++          * OS configuration (e.g., usage of bind mounts).
++          * Using the filesystem Id to check if this is a filesystem that we
++          * have seen previously and will ignore this FD only if that is
++          * the case.  Log a warning otherwise since the quiesced snapshot
++          * attempt will fail.
++          */
++         if (ioctlerr == EBUSY) {
++            if (LinuxFiFsIdMatch(DynBuf_Get(&fds),
++                                 DynBuf_GetSize(&fds),
++                                 &fsInfo.fsid)) {
++               /*
++                * We have previous knowledge of this file system by another
++                * mount point.  Safe to ignore.
++                */
++               Debug(LGPFX "skipping path '%s' - previously frozen", path);
++               continue;
++            }
++            /*
++             * It appears that this FS has been locked or frozen by another
++             * process.  We cannot proceed with the quiesced snapshot request.
++             */
++            Warning(LGPFX "'%s' appears locked or frozen by another process.  "
++                    "Cannot complete the quiesced snapshot request.\n", path);
++         }
+          /*
+           * If the ioctl does not exist, Linux will return ENOTTY. If it's not
+           * supported on the device, we get EOPNOTSUPP. Ignore the latter,
+           * since freezing does not make sense for all fs types, and some
+           * Linux fs drivers may not have been hooked up in the running kernel.
+-          *
+-          * Also ignore EBUSY since we may try to freeze the same superblock
+-          * more than once depending on the OS configuration (e.g., usage of
+-          * bind mounts).
+           */
+-         close(fd);
+-         Debug(LGPFX "freeze on '%s' returned: %d (%s)\n",
+-               path, ioctlerr, strerror(ioctlerr));
+-         if (ioctlerr != EBUSY && ioctlerr != EOPNOTSUPP) {
++         if (ioctlerr != EOPNOTSUPP) {
+             Debug(LGPFX "failed to freeze '%s': %d (%s)\n",
+                   path, ioctlerr, strerror(ioctlerr));
+             err = first && ioctlerr == ENOTTY ? SD_UNAVAILABLE : SD_ERROR;
+@@ -282,7 +361,8 @@ LinuxDriver_Freeze(const GSList *paths,
+          }
+       } else {
+          Debug(LGPFX "successfully froze '%s' (fd=%d).\n", path, fd);
+-         if (!DynBuf_Append(&fds, &fd, sizeof fd)) {
++         fsInfo.fd = fd;
++         if (!DynBuf_Append(&fds, &fsInfo, sizeof fsInfo)) {
+             if (ioctl(fd, FITHAW) == -1) {
+                Warning(LGPFX "failed to thaw '%s': %d (%s)\n",
+                        path, errno, strerror(errno));
+-- 
+2.39.1
+
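Review bot: `LinuxFiFsIdMatch` documents `count` as the number of entries, but the EBUSY branch of `LinuxDriver_Freeze` passes `DynBuf_GetSize(&fds)` unchanged. Entries are appended with `DynBuf_Append(&fds, &fsInfo, sizeof fsInfo)`, which suggests the buffer size is in bytes. If so, the loop reads past the stored entries and the argument should be `DynBuf_GetSize(&fds) / sizeof(LinuxFsInfo)`. Wherever `fdCnt` is derived from the buffer needs the same element size, and that code is outside the hunks shown. Separately, a failed `fstatfs` stores the all-zero `MISSING_FSID`, so two paths without an FSID compare equal and an EBUSY caused by another process's freeze would be skipped as "previously frozen"; a zero FSID should never count as a match.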
diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec
index fee2dcd..aaa49c5 100644
--- a/SPECS/open-vm-tools.spec
+++ b/SPECS/open-vm-tools.spec
@@ -28,7 +28,7 @@
 
 Name:             open-vm-tools
 Version:          %{toolsversion}
-Release:          3%{?dist}.4
+Release:          3%{?dist}.6
 Summary:          Open Virtual Machine Tools for virtual machines hosted on VMware
 Group:            Applications/System
 License:          GPLv2
@@ -40,7 +40,7 @@ Source3:          run-vmblock\x2dfuse.mount
 Source4:          open-vm-tools.conf
 Source5:          vmtoolsd.pam
 
-ExclusiveArch:    x86_64 %{ix86}
+ExclusiveArch:    x86_64
 
 Patch0002: 0002-Fix-RELRO-flag.patch
 # For bz#1809753 - [ESXi][RHEL7.9]open-vm-tools add appinfo plugin patch
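Review bot: Dropping `%{ix86}` from `ExclusiveArch` is not mentioned in either new changelog entry. It means 32-bit builds would stay at the previous release, without the CVE-2023-20867 patch. If that is intended, record it in the changelog, for example `- Drop i686 from ExclusiveArch` under the 3.el7_9.6 entry, so consumers of the 32-bit package know it no longer receives fixes.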
@@ -55,6 +55,11 @@ Patch6: ovt-Rectify-a-log-spew-in-vmsvc-logging-vmware-vmsvc-roo.patch
 Patch7: ovt-Fix-memory-leaks-in-guestInfo-diskInfo.c.patch
 # For bz#2119310 - CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine [rhel-7.9.z]
 Patch8: ovt-Properly-check-authorization-on-incoming-guestOps-re.patch
+# For bz#1880404 - [ESXi] [RHEL7] vmtoolsd task is blocked in the uninterruptible state while attempting to delete (unlink) the file 'quiesce_manifest.xml'
+# For bz#1994590 - [ESXi][RHEL7.9][open-vm-tools] Snapshot of the RHEL7 guest on the VMWare ESXi hypervisor failed vm hangs
+Patch9: ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch
+# For bz#2215562 - [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-7]
+Patch10: ovt-Remove-some-dead-code.patch
 
 BuildRequires:    autoconf
 BuildRequires:    automake
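Review bot: `Patch9` and `Patch10` are declared here, but no hunk in this diff touches `%prep`. If the spec applies patches with explicit `%patchN` lines rather than `%autosetup` or `%autopatch`, the CVE-2023-20867 fix would be shipped in the SRPM but never applied to the build. The `%prep` section is outside the diff, so confirm which form it uses. A build log showing both patches being applied would settle it.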
@@ -335,6 +340,18 @@ fi
 %{_bindir}/vmware-vgauth-smoketest
 
 %changelog
+* Mon Jun 26 2023 Jon Maloy <jmaloy@redhat.com> - 11.0.5-3.el7_9.6
+- ovt-Remove-some-dead-code.patch [bz#2215562]
+- Resolves: bz#2215562
+  ([CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-7])
+
+* Wed May 24 2023 Miroslav Rezanina <mrezanin@redhat.com> - 11.0.5-3.el7_9.5
+- ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch [bz#1880404 bz#1994590]
+- Resolves: bz#1880404
+  ([ESXi] [RHEL7] vmtoolsd task is blocked in the uninterruptible state while attempting to delete (unlink) the file 'quiesce_manifest.xml')
+- Resolves: bz#1994590
+  ([ESXi][RHEL7.9][open-vm-tools] Snapshot of the RHEL7 guest on the VMWare ESXi hypervisor failed vm hangs)
+
 * Fri Sep 02 2022 Jon Maloy <jmaloy@redhat.com> - 11.0.5-3.el7_9.4
 - ovt-Properly-check-authorization-on-incoming-guestOps-re.patch [bz#2119310]
 - Resolves: bz#2119310