diff --git a/SOURCES/ovt-Don-t-accept-tokens-with-unrelated-certs.patch b/SOURCES/ovt-Don-t-accept-tokens-with-unrelated-certs.patch
new file mode 100644
index 0000000..45d8b7d
--- /dev/null
+++ b/SOURCES/ovt-Don-t-accept-tokens-with-unrelated-certs.patch
@@ -0,0 +1,267 @@
+From c1be13f4eb5b3d24a273b6c8c9ca5421dcfac87b Mon Sep 17 00:00:00 2001
+From: Katy Feng <fkaty@vmware.com>
+Date: Tue, 17 Oct 2023 15:24:48 -0700
+Subject: [PATCH 1/2] Don't accept tokens with unrelated certs
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 41: Don't accept tokens with unrelated certs
+RH-Jira: RHEL-14642
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Commit: [1/1] e1be40a04b53412393050e1e6106e8edad8b1716
+
+If a SAML token has a cert that's not a part of a chain,
+fail the token as invalid.
+
+CVE-2023-34058
+(cherry picked from commit 1bfe23d728b74e08f4f65cd9b0093ca73937003a)
+---
+ open-vm-tools/vgauth/common/certverify.c | 147 +++++++++++++++++-
+ open-vm-tools/vgauth/common/certverify.h | 6 +-
+ open-vm-tools/vgauth/common/prefs.h | 4 +-
+ .../vgauth/serviceImpl/saml-xmlsec1.c | 14 ++
+ 4 files changed, 168 insertions(+), 3 deletions(-)
+
+diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c
+index db280e91..b84ebc7d 100644
+--- a/open-vm-tools/vgauth/common/certverify.c
++++ b/open-vm-tools/vgauth/common/certverify.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016,2018-2019 VMware, Inc. All rights reserved.
++ * Copyright (c) 2011-2016, 2018-2019, 2021-2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -893,3 +893,148 @@ done:
+
+ return err;
+ }
++
++
++/*
++ * Finds a cert with a subject (if checkSubj is set) or issuer (if
++ * checkSUbj is unset), matching 'val' in the list
++ * of certs. Returns a match or NULL.
++ */
++
++static X509 *
++FindCert(GList *cList,
++ X509_NAME *val,
++ int checkSubj)
++{
++ GList *l;
++ X509 *c;
++ X509_NAME *v;
++
++ l = cList;
++ while (l != NULL) {
++ c = (X509 *) l->data;
++ if (checkSubj) {
++ v = X509_get_subject_name(c);
++ } else {
++ v = X509_get_issuer_name(c);
++ }
++ if (X509_NAME_cmp(val, v) == 0) {
++ return c;
++ }
++ l = l->next;
++ }
++ return NULL;
++}
++
++
++/*
++ ******************************************************************************
++ * CertVerify_CheckForUnrelatedCerts -- */ /**
++ *
++ * Looks over a list of certs. If it finds that they are not all
++ * part of the same chain, returns failure.
++ *
++ * @param[in] numCerts The number of certs in the chain.
++ * @param[in] pemCerts The chain of certificates to verify.
++ *
++ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found.
++ *
++ ******************************************************************************
++ */
++
++VGAuthError
++CertVerify_CheckForUnrelatedCerts(int numCerts,
++ const char **pemCerts)
++{
++ VGAuthError err = VGAUTH_E_FAIL;
++ int chainLen = 0;
++ int i;
++ X509 **certs = NULL;
++ GList *rawList = NULL;
++ X509 *baseCert;
++ X509 *curCert;
++ X509_NAME *subject;
++ X509_NAME *issuer;
++
++ /* common single cert case; nothing to do */
++ if (numCerts == 1) {
++ return VGAUTH_E_OK;
++ }
++
++ /* convert all PEM to X509 objects */
++ certs = g_malloc0(numCerts * sizeof(X509 *));
++ for (i = 0; i < numCerts; i++) {
++ certs[i] = CertStringToX509(pemCerts[i]);
++ if (NULL == certs[i]) {
++ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__);
++ goto done;
++ }
++ }
++
++ /* choose the cert to start the chain. shouldn't matter which */
++ baseCert = certs[0];
++
++ /* put the rest into a list */
++ for (i = 1; i < numCerts; i++) {
++ rawList = g_list_append(rawList, certs[i]);
++ }
++
++ /* now chase down to a leaf, looking for certs the baseCert issued */
++ subject = X509_get_subject_name(baseCert);
++ while ((curCert = FindCert(rawList, subject, 0)) != NULL) {
++ /* pull it from the list */
++ rawList = g_list_remove(rawList, curCert);
++ /* set up the next find */
++ subject = X509_get_subject_name(curCert);
++ }
++
++ /*
++ * walk up to the root cert, by finding a cert where the
++ * issuer equals the subject of the current
++ */
++ issuer = X509_get_issuer_name(baseCert);
++ while ((curCert = FindCert(rawList, issuer, 1)) != NULL) {
++ /* pull it from the list */
++ rawList = g_list_remove(rawList, curCert);
++ /* set up the next find */
++ issuer = X509_get_issuer_name(curCert);
++ }
++
++ /*
++ * At this point, anything on the list should be certs that are not part
++ * of the chain that includes the original 'baseCert'.
++ *
++ * For a valid token, the list should be empty.
++ */
++ chainLen = g_list_length(rawList);
++ if (chainLen != 0 ) {
++ GList *l;
++
++ g_warning("%s: %d unrelated certs found in list\n",
++ __FUNCTION__, chainLen);
++
++ /* debug helper */
++ l = rawList;
++ while (l != NULL) {
++ X509* c = (X509 *) l->data;
++ char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0);
++
++ g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s);
++ free(s);
++ l = l->next;
++ }
++
++ goto done;
++ }
++
++ g_debug("%s: Success! no unrelated certs found\n", __FUNCTION__);
++ err = VGAUTH_E_OK;
++
++done:
++ g_list_free(rawList);
++ for (i = 0; i < numCerts; i++) {
++ X509_free(certs[i]);
++ }
++ g_free(certs);
++ return err;
++}
+diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h
+index 3fe1bcb4..228c143c 100644
+--- a/open-vm-tools/vgauth/common/certverify.h
++++ b/open-vm-tools/vgauth/common/certverify.h
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
++ * Copyright (C) 2011-2016, 2020, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -66,6 +66,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash,
+ size_t signatureLen,
+ const unsigned char *signature);
+
++
++VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts,
++ const char **pemCerts);
++
+ gchar * CertVerify_StripPEMCert(const gchar *pemCert);
+
+ gchar * CertVerify_CertToX509String(const gchar *pemCert);
+diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h
+index ff116928..6c58f3f4 100644
+--- a/open-vm-tools/vgauth/common/prefs.h
++++ b/open-vm-tools/vgauth/common/prefs.h
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2019 VMware, Inc. All rights reserved.
++ * Copyright (C) 2011-2019,2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages
+ #define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir"
+ /** The number of seconds slack allowed in either direction in SAML token date checks. */
+ #define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment"
++/** If unrelated certificates are allowed in a SAML token */
++#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts"
+
+ /** Ticket group name. */
+ #define VGAUTH_PREF_GROUP_NAME_TICKET "ticket"
+diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+index 57db3b88..1c3e96e7 100644
+--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+@@ -47,6 +47,7 @@
+ #include "vmxlog.h"
+
+ static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS;
++static gboolean gAllowUnrelatedCerts = FALSE;
+ static xmlSchemaPtr gParsedSchemas = NULL;
+ static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL;
+
+@@ -313,6 +314,10 @@ LoadPrefs(void)
+ VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS);
+ Log("%s: Allowing %d of clock skew for SAML date validation\n",
+ __FUNCTION__, gClockSkewAdjustment);
++ gAllowUnrelatedCerts = Pref_GetBool(gPrefs,
++ VGAUTH_PREF_ALLOW_UNRELATED_CERTS,
++ VGAUTH_PREF_GROUP_NAME_SERVICE,
++ FALSE);
+ }
+
+
+@@ -1525,6 +1530,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText,
+ return VGAUTH_E_AUTHENTICATION_DENIED;
+ }
+
++ if (!gAllowUnrelatedCerts) {
++ err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain);
++ if (err != VGAUTH_E_OK) {
++ VMXLog_Log(VMXLOG_LEVEL_WARNING,
++ "Unrelated certs found in SAML token, failing\n");
++ return VGAUTH_E_AUTHENTICATION_DENIED;
++ }
++ }
++
+ subj.type = SUBJECT_TYPE_NAMED;
+ subj.name = *subjNameOut;
+ err = ServiceVerifyAndCheckTrustCertChainForSubject(num,
+--
+2.39.3
+
diff --git a/SOURCES/ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch b/SOURCES/ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch
new file mode 100644
index 0000000..2ab807a
--- /dev/null
+++ b/SOURCES/ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch
@@ -0,0 +1,209 @@
+From e79672890799f6ed4dcfb44a4346489c9f3ea6e3 Mon Sep 17 00:00:00 2001
+From: Katy Feng <fkaty@vmware.com>
+Date: Tue, 17 Oct 2023 15:24:48 -0700
+Subject: [PATCH 2/2] File descriptor vulnerability in the open-vm-tools
+ vmware-user-suid-wrapperx
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 52: File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapperx on Linux
+RH-Jira: RHEL-14676
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Commit: [1/1] c78a1d638849f1589b2f4b8ff1437b0f25bbd19c
+
+Moving the privilege drop logic (dropping privilege to the real uid and
+gid of the process for the vmusr service) from suidWrapper to vmtoolsd code.
+Now the vmtoolsd is not executed with dropped privileges (started as setuid
+program) and the dumpable attribute of the process is not reset.
+The unprivileged user will not have access to the privileged file descriptors
+in the vmtoolsd vmusr process.
+Also, setting the FD_CLOEXEC flag for both uinputFd and blockFd preventing
+the file descriptors being inherited any further from the vmtoolsd.
+
+CVE-2023-34059
+(cherry picked from commit 63f7c79c4aecb14d37cc4ce9da509419e31d394f)
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+---
+ open-vm-tools/services/vmtoolsd/mainPosix.c | 78 ++++++++++++++++++-
+ open-vm-tools/vmware-user-suid-wrapper/main.c | 28 +------
+ 2 files changed, 81 insertions(+), 25 deletions(-)
+
+diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c
+index cfe67984..674d5bda 100644
+--- a/open-vm-tools/services/vmtoolsd/mainPosix.c
++++ b/open-vm-tools/services/vmtoolsd/mainPosix.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved.
++ * Copyright (c) 2008-2020,2022-2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -28,10 +28,12 @@
+ #include <signal.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <fcntl.h>
+ #include <glib/gstdio.h>
+ #include "file.h"
+ #include "guestApp.h"
+ #include "hostinfo.h"
++#include "su.h"
+ #include "system.h"
+ #include "unicode.h"
+ #include "util.h"
+@@ -153,6 +155,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state,
+ }
+
+
++/**
++ * Tools function to set close-on-exec flg for the fd.
++ *
++ * @param[in] fd open file descriptor.
++ *
++ * @return TRUE on success, FALSE otherwise.
++ */
++
++static gboolean
++ToolsSetCloexecFlag(int fd)
++{
++ int flags;
++
++ if (fd == -1) {
++ /* fd is not present, no need to manipulate */
++ return TRUE;
++ }
++
++ flags = fcntl(fd, F_GETFD, 0);
++ if (flags < 0) {
++ g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno);
++ return FALSE;
++ }
++ flags |= FD_CLOEXEC;
++ if (fcntl(fd, F_SETFD, flags) < 0) {
++ g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno);
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
++
++/**
++ * Tools function to close the fds.
++ */
++
++static void
++ToolsCloseFds(void)
++{
++ if (gState.ctx.blockFD != -1) {
++ close(gState.ctx.blockFD);
++ }
++
++ /*
++ * uinputFD will be available only for wayland.
++ */
++ if (gState.ctx.uinputFD != -1) {
++ close(gState.ctx.uinputFD);
++ }
++}
++
++
+ /**
+ * Tools daemon entry function.
+ *
+@@ -200,6 +255,27 @@ main(int argc,
+ g_free(argvCopy);
+ argvCopy = NULL;
+
++ /*
++ * Drops privilege to the real uid and gid of the process
++ * for the "vmusr" service.
++ */
++ if (TOOLS_IS_USER_SERVICE(&gState)) {
++ uid_t uid = getuid();
++ gid_t gid = getgid();
++
++ if ((Id_SetREUid(uid, uid) != 0) ||
++ (Id_SetREGid(gid, gid) != 0)) {
++ g_printerr("could not drop privileges: %s", strerror(errno));
++ ToolsCloseFds();
++ goto exit;
++ }
++ if (!ToolsSetCloexecFlag(gState.ctx.blockFD) ||
++ !ToolsSetCloexecFlag(gState.ctx.uinputFD)) {
++ ToolsCloseFds();
++ goto exit;
++ }
++ }
++
+ if (gState.pidFile != NULL) {
+ /*
+ * If argv[0] is not an absolute path, make it so; all other path
+diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c
+index e9d7e508..73ae9b9b 100644
+--- a/open-vm-tools/vmware-user-suid-wrapper/main.c
++++ b/open-vm-tools/vmware-user-suid-wrapper/main.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2007-2018 VMware, Inc. All rights reserved.
++ * Copyright (C) 2007-2018,2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -156,8 +156,7 @@ MaskSignals(void)
+ *
+ * Obtains the library directory from the Tools locations database, then
+ * opens a file descriptor (while still root) to add and remove blocks,
+- * drops privilege to the real uid of this process, and finally starts
+- * vmware-user.
++ * and finally starts vmware-user.
+ *
+ * Results:
+ * Parent: TRUE on success, FALSE on failure.
+@@ -173,8 +172,6 @@ static Bool
+ StartVMwareUser(char *const envp[])
+ {
+ pid_t pid;
+- uid_t uid;
+- gid_t gid;
+ int blockFd = -1;
+ char blockFdStr[8];
+ int uinputFd = -1;
+@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[])
+ }
+
+ /*
+- * Now create a child process, obtain a file descriptor as root, downgrade
+- * privilege, and run vmware-user.
++ * Now create a child process, obtain a file descriptor as root and
++ * run vmware-user.
+ */
+ pid = fork();
+ if (pid == -1) {
+@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[])
+ }
+ }
+
+- uid = getuid();
+- gid = getgid();
+-
+- if ((setreuid(uid, uid) != 0) ||
+- (setregid(gid, gid) != 0)) {
+- Error("could not drop privileges: %s\n", strerror(errno));
+- if (blockFd != -1) {
+- close(blockFd);
+- }
+- if (useWayland) {
+- if (uinputFd != -1) {
+- close(uinputFd);
+- }
+- }
+- return FALSE;
+- }
+-
+ /*
+ * Since vmware-user provides features that don't depend on vmblock, we
+ * invoke vmware-user even if we couldn't obtain a file descriptor or we
+--
+2.39.3
+
diff --git a/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch b/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch
new file mode 100644
index 0000000..ba2d12e
--- /dev/null
+++ b/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch
@@ -0,0 +1,445 @@
+From 5b3562a9f0ea7ab11212639753cdf9064394df92 Mon Sep 17 00:00:00 2001
+From: Katy Feng <fkaty@vmware.com>
+Date: Tue, 22 Aug 2023 11:11:42 -0700
+Subject: [PATCH] Provide alternate method to allow (expected) pre-frozen
+ filesystems when taking a quiesced snapshot.
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 29: Provide alternate method to allow (expected) pre-frozen filesystems when taking a quiesced snapshot.
+RH-Bugzilla: 2226921
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Commit: [1/1] 5582a9588692896258f3711c278e97127e748f67
+
+Effective with open-vm-tools 12.2.0, Linux quiesced snapshots will fail if
+any filesystem(s) have been prefrozen by other than the vmtoolsd process.
+This has been done to assure that filesystems are inactive while the
+snapshots are being taken. Some existing prefreeze scripts may be freezing
+some filesystem(s). In these cases, the vmtoolsd process must be informed of
+anticipated pre-frozen filesystems by providing an "excludedFileSystem" list in
+the [vmbackup] section of the tools.conf file.
+
+This change provides a new switch in the tools.conf file to allow pre-frozen
+filesystems to be encountered and accepted when doing a quiesced snapshot
+operation. With the default value of "false", the "ignoreFrozenFileSystems"
+can be configured with a setting of "true" to notify the quiesced snapshot
+operation that pre-frozen filesystems are allowed.
+
+(cherry picked from commit 60c3a80ddc2b400366ed05169e16a6bed6501da2)
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+
+ Conflicts:
+ open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
+ open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
+ open-vm-tools/tools.conf
+---
+ open-vm-tools/lib/include/syncDriver.h | 5 ++--
+ open-vm-tools/lib/syncDriver/nullDriver.c | 10 ++++---
+ open-vm-tools/lib/syncDriver/syncDriverInt.h | 14 ++++++----
+ .../lib/syncDriver/syncDriverLinux.c | 25 +++++++++++++----
+ .../lib/syncDriver/syncDriverPosix.c | 7 +++--
+ open-vm-tools/lib/syncDriver/vmSyncDriver.c | 10 ++++---
+ .../services/plugins/vix/foundryToolsDaemon.c | 16 +++++++++--
+ .../services/plugins/vmbackup/stateMachine.c | 8 ++++--
+ .../services/plugins/vmbackup/syncDriverOps.c | 5 ++--
+ .../services/plugins/vmbackup/vmBackupInt.h | 19 ++++++++-----
+ open-vm-tools/tools.conf | 28 +++++++++++++++++++
+ 11 files changed, 109 insertions(+), 38 deletions(-)
+
+diff --git a/open-vm-tools/lib/include/syncDriver.h b/open-vm-tools/lib/include/syncDriver.h
+index 20712f66..8ef229d4 100644
+--- a/open-vm-tools/lib/include/syncDriver.h
++++ b/open-vm-tools/lib/include/syncDriver.h
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2005-2018 VMware, Inc. All rights reserved.
++ * Copyright (c) 2005-2018, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -51,7 +51,8 @@ typedef enum {
+ Bool SyncDriver_Init(void);
+ Bool SyncDriver_Freeze(const char *drives, Bool enableNullDriver,
+ SyncDriverHandle *handle,
+- const char *excludedFileSystems);
++ const char *excludedFileSystems,
++ Bool ignoreFrozenFS);
+ Bool SyncDriver_Thaw(const SyncDriverHandle handle);
+ SyncDriverStatus SyncDriver_QueryStatus(const SyncDriverHandle handle,
+ int32 timeout);
+diff --git a/open-vm-tools/lib/syncDriver/nullDriver.c b/open-vm-tools/lib/syncDriver/nullDriver.c
+index 5e19e208..be96222a 100644
+--- a/open-vm-tools/lib/syncDriver/nullDriver.c
++++ b/open-vm-tools/lib/syncDriver/nullDriver.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
++ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -54,8 +54,9 @@ NullDriverClose(SyncDriverHandle handle)
+ *
+ * Calls sync().
+ *
+- * @param[in] paths Unused.
+- * @param[out] handle Where to store the operation handle.
++ * @param[in] paths Unused.
++ * @param[out] handle Where to store the operation handle.
++ * @param[in] ignoreFrozenFS Unused.
+ *
+ * @return A SyncDriverErr.
+ *
+@@ -64,7 +65,8 @@ NullDriverClose(SyncDriverHandle handle)
+
+ SyncDriverErr
+ NullDriver_Freeze(const GSList *paths,
+- SyncDriverHandle *handle)
++ SyncDriverHandle *handle,
++ Bool ignoreFrozenFS)
+ {
+ /*
+ * This is more of a "let's at least do something" than something that
+diff --git a/open-vm-tools/lib/syncDriver/syncDriverInt.h b/open-vm-tools/lib/syncDriver/syncDriverInt.h
+index 04f37bf2..a5706298 100644
+--- a/open-vm-tools/lib/syncDriver/syncDriverInt.h
++++ b/open-vm-tools/lib/syncDriver/syncDriverInt.h
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2017 VMware, Inc. All rights reserved.
++ * Copyright (c) 2011-2017, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -41,7 +41,8 @@ typedef enum {
+ } SyncDriverErr;
+
+ typedef SyncDriverErr (*SyncFreezeFn)(const GSList *paths,
+- SyncDriverHandle *handle);
++ SyncDriverHandle *handle,
++ Bool ignoreFrozenFs);
+
+ typedef struct SyncHandle {
+ SyncDriverErr (*thaw)(const SyncDriverHandle handle);
+@@ -55,15 +56,18 @@ typedef struct SyncHandle {
+ #if defined(__linux__)
+ SyncDriverErr
+ LinuxDriver_Freeze(const GSList *userPaths,
+- SyncDriverHandle *handle);
++ SyncDriverHandle *handle,
++ Bool ignoreFrozenFs);
+
+ SyncDriverErr
+ VmSync_Freeze(const GSList *userPaths,
+- SyncDriverHandle *handle);
++ SyncDriverHandle *handle,
++ Bool ignoreFrozenFs);
+
+ SyncDriverErr
+ NullDriver_Freeze(const GSList *userPaths,
+- SyncDriverHandle *handle);
++ SyncDriverHandle *handle,
++ Bool ignoreFrozenFs);
+ #endif
+
+ #endif
+diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+index 6d9a3568..4581098e 100644
+--- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c
++++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+@@ -199,8 +199,9 @@ LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored)
+ * slow when guest is performing significant IO. Therefore, caller should
+ * consider running this function in a separate thread.
+ *
+- * @param[in] paths List of paths to freeze.
+- * @param[out] handle Handle to use for thawing.
++ * @param[in] paths List of paths to freeze.
++ * @param[out] handle Handle to use for thawing.
++ * @param[in] ignoreFrozenFS Switch to allow EBUSY error.
+ *
+ * @return A SyncDriverErr.
+ *
+@@ -209,7 +210,8 @@ LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored)
+
+ SyncDriverErr
+ LinuxDriver_Freeze(const GSList *paths,
+- SyncDriverHandle *handle)
++ SyncDriverHandle *handle,
++ Bool ignoreFrozenFS)
+ {
+ ssize_t count = 0;
+ Bool first = TRUE;
+@@ -324,9 +326,12 @@ LinuxDriver_Freeze(const GSList *paths,
+ * Previously, an EBUSY error was ignored, assuming that we may try
+ * to freeze the same superblock more than once depending on the
+ * OS configuration (e.g., usage of bind mounts).
+- * Using the filesystem Id to check if this is a filesystem that we
+- * have seen previously and will ignore this FD only if that is
+- * the case. Log a warning otherwise since the quiesced snapshot
++ * Use the filesystem Id to check if this filesystem has been
++ * handled before and, if so, ignore it.
++ * Alternatively, allow (ignore) the EBUSY if the
++ * "ignoreFrozenFileSystems" switch inside "vmbackup" section of
++ * tools.conf file is TRUE.
++ * Otherwise, log a warning as the quiesced snapshot
+ * attempt will fail.
+ */
+ if (ioctlerr == EBUSY) {
+@@ -339,6 +344,14 @@ LinuxDriver_Freeze(const GSList *paths,
+ */
+ Debug(LGPFX "skipping path '%s' - previously frozen", path);
+ continue;
++ } else if (ignoreFrozenFS) {
++ /*
++ * Ignores the EBUSY error if the FS has been frozen by another
++ * process and the 'ignoreFrozenFileSystems' setting is
++ * turned on in tools.conf file.
++ */
++ Debug(LGPFX "Ignoring the frozen filesystem '%s'",path);
++ continue;
+ }
+ /*
+ * It appears that this FS has been locked or frozen by another
+diff --git a/open-vm-tools/lib/syncDriver/syncDriverPosix.c b/open-vm-tools/lib/syncDriver/syncDriverPosix.c
+index 7b6132ba..27369639 100644
+--- a/open-vm-tools/lib/syncDriver/syncDriverPosix.c
++++ b/open-vm-tools/lib/syncDriver/syncDriverPosix.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2005-2019 VMware, Inc. All rights reserved.
++ * Copyright (c) 2005-2019, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -456,7 +456,8 @@ Bool
+ SyncDriver_Freeze(const char *userPaths, // IN
+ Bool enableNullDriver, // IN
+ SyncDriverHandle *handle, // OUT
+- const char *excludedFileSystems) // IN
++ const char *excludedFileSystems, // IN
++ Bool ignoreFrozenFS) // IN
+ {
+ GSList *paths = NULL;
+ SyncDriverErr err = SD_UNAVAILABLE;
+@@ -517,7 +518,7 @@ SyncDriver_Freeze(const char *userPaths, // IN
+ continue;
+ }
+ #endif
+- err = freezeFn(paths, handle);
++ err = freezeFn(paths, handle, ignoreFrozenFS);
+ }
+
+ /*
+diff --git a/open-vm-tools/lib/syncDriver/vmSyncDriver.c b/open-vm-tools/lib/syncDriver/vmSyncDriver.c
+index 2bd0e886..a0d4a315 100644
+--- a/open-vm-tools/lib/syncDriver/vmSyncDriver.c
++++ b/open-vm-tools/lib/syncDriver/vmSyncDriver.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
++ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -91,8 +91,9 @@ VmSyncClose(SyncDriverHandle handle)
+ * Opens a description to the driver's proc node, and if successful, send an
+ * ioctl to freeze the requested filesystems.
+ *
+- * @param[in] paths List of paths to freeze.
+- * @param[out] handle Where to store the handle to use for thawing.
++ * @param[in] paths List of paths to freeze.
++ * @param[out] handle Where to store the handle to use for thawing.
++ * @param[in] ignoreFrozenFS Unused.
+ *
+ * @return A SyncDriverErr.
+ *
+@@ -101,7 +102,8 @@ VmSyncClose(SyncDriverHandle handle)
+
+ SyncDriverErr
+ VmSync_Freeze(const GSList *paths,
+- SyncDriverHandle *handle)
++ SyncDriverHandle *handle,
++ Bool ignoreFrozenFS)
+ {
+ int file;
+ Bool first = TRUE;
+diff --git a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
+index 99a40a8c..437c90fd 100644
+--- a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
++++ b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2003-2019 VMware, Inc. All rights reserved.
++ * Copyright (c) 2003-2021, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -544,6 +544,8 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data)
+ GKeyFile *confDictRef = ctx->config;
+ Bool enableNullDriver;
+ GSource *timer;
++ char *excludedFileSystems;
++ Bool ignoreFrozenFS;
+
+ /*
+ * Parse the arguments
+@@ -576,14 +578,22 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data)
+ goto abort;
+ }
+
+- enableNullDriver = VixTools_ConfigGetBoolean(confDictRef,
++ enableNullDriver = VMTools_ConfigGetBoolean(confDictRef,
+ "vmbackup",
+ "enableNullDriver",
+ FALSE);
++ excludedFileSystems = VMTools_ConfigGetString(confDictRef,
++ "vmbackup",
++ "excludedFileSystems",
++ NULL);
++ ignoreFrozenFS = VMTools_ConfigGetBoolean(confDictRef,
++ "vmbackup",
++ "ignoreFrozenFileSystems",
++ FALSE);
+
+ /* Perform the actual freeze. */
+ if (!SyncDriver_Freeze(driveList, enableNullDriver, &gSyncDriverHandle,
+- NULL) ||
++ excludedFileSystems, ignoreFrozenFS) ||
+ SyncDriver_QueryStatus(gSyncDriverHandle, INFINITE) != SYNCDRIVER_IDLE) {
+ g_warning("%s: Failed to Freeze drives '%s'\n",
+ __FUNCTION__, driveList);
+diff --git a/open-vm-tools/services/plugins/vmbackup/stateMachine.c b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
+index 6b422869..9e6f0541 100644
+--- a/open-vm-tools/services/plugins/vmbackup/stateMachine.c
++++ b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
+@@ -1024,9 +1024,13 @@ VmBackupStartCommon(RpcInData *data,
+ #if defined(__linux__)
+ gBackupState->excludedFileSystems =
+ VMBACKUP_CONFIG_GET_STR(ctx->config, "excludedFileSystems", NULL);
+- g_debug("Using excludedFileSystems = \"%s\"\n",
++ gBackupState->ignoreFrozenFS =
++ VMBACKUP_CONFIG_GET_BOOL(ctx->config, "ignoreFrozenFileSystems", FALSE);
++
++ g_debug("Using excludedFileSystems = \"%s\", ignoreFrozenFileSystems = %d\n",
+ (gBackupState->excludedFileSystems != NULL) ?
+- gBackupState->excludedFileSystems : "(null)");
++ gBackupState->excludedFileSystems : "(null)",
++ gBackupState->ignoreFrozenFS);
+ #endif
+ g_debug("Quiescing volumes: %s",
+ (gBackupState->volumes) ? gBackupState->volumes : "(null)");
+diff --git a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
+index 4245feba..d8b635f1 100644
+--- a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
++++ b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2007-2019 VMware, Inc. All rights reserved.
++ * Copyright (C) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -276,7 +276,8 @@ VmBackupNewDriverOp(VmBackupState *state, // IN
+ useNullDriverPrefs ?
+ state->enableNullDriver : FALSE,
+ op->syncHandle,
+- state->excludedFileSystems);
++ state->excludedFileSystems,
++ state->ignoreFrozenFS);
+ break;
+ case OP_THAW:
+ op->manifest = SyncNewManifest(state, *op->syncHandle);
+diff --git a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
+index 0c912174..65e2e552 100644
+--- a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
++++ b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved.
++ * Copyright (c) 2008-2019, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -100,18 +100,22 @@ struct VmBackupSyncCompleter;
+ * Don't modify the fields directly - rather, use VmBackup_SetCurrentOp,
+ * which does most of the handling needed by users of the state machine.
+ *
+- * NOTE: The thread for freeze operation modifies currentOp in BackupState
+- * which is also accessed by the AsyncCallback driving the state
+- * machine (run by main thread). Also, gcc might generate two
+- * instructions for writing a 64-bit value. Therefore, protect the
+- * access to currentOp and related fields using opLock mutex.
++ * NOTE 1: The thread for freeze operation modifies currentOp in BackupState
++ * which is also accessed by the AsyncCallback driving the state
++ * machine (run by main thread). Also, gcc might generate two
++ * instructions for writing a 64-bit value. Therefore, protect the
++ * access to currentOp and related fields using opLock mutex.
++ *
++ * NOTE 2: Only used by Linux guests, ignored on Windows guests and is
++ * initialized to "false" when the VmBackupState is initialized
++ * at the start of a backup operation.
+ */
+
+ typedef struct VmBackupState {
+ ToolsAppCtx *ctx;
+ VmBackupOp *currentOp;
+ const char *currentOpName;
+- GMutex opLock; // See note above
++ GMutex opLock; // See note 1 above
+ char *volumes;
+ char *snapshots;
+ guint pollPeriod;
+@@ -127,6 +131,7 @@ typedef struct VmBackupState {
+ Bool allowHWProvider;
+ Bool execScripts;
+ Bool enableNullDriver;
++ Bool ignoreFrozenFS; // See note 2 above
+ Bool needsPriv;
+ gchar *scriptArg;
+ guint timeout;
+diff --git a/open-vm-tools/tools.conf b/open-vm-tools/tools.conf
+index 7c99b4dc..57ad9271 100644
+--- a/open-vm-tools/tools.conf
++++ b/open-vm-tools/tools.conf
+@@ -270,11 +270,39 @@
+ # including '/'
+ #excludedFileSystems=
+
++
++# Linux:
++# It is possible that filesystems are being frozen in pre-freeze scripts
++# to control the order in which those specific filesystems are to be frozen.
++# The vmtoolsd process must be informed of all such filesystems with the help
++# of "excludedFileSystems" setting of tools.conf.
++#
++# A temporary workaround is available (starting from 12.3.0) for admins to allow
++# quiesceing operation to succeed until the "excludedFileSystems" list
++# is configured.
++#
++# If another process thaws the file system while a quiescing operation
++# operation is ongoing, the snapshot may be compromised. Once the
++# "excludedFileSystems" list is configured this setting MUST be unset (or set
++# to false).
++#
++# The value of ignoreFrozenFileSystems is a true or false; the default is
++# false.
++#
++# Set to true to ignore pre-frozen file systems during the quiescing operation.
++#
++# ignoreFrozenFileSystems is Linux only (Not supported on Windows).
++#ignoreFrozenFileSystems=false
++
+ # Whether to execute scripts on quiescing.
+ # Scripts are executed from /etc/vmware-tools/backupScripts.d on Linux and
+ # %installpath%\backupScripts.d on Windows, and the legacy scripts
+ # "c:\windows\pre-freeze-script.bat"
+ # "c:\windows\post-thaw-script.bat"
++# execScripts specifies whether to execute scripts as part of the quiescing
++# operation. Scripts are executed from the scripts directory along with the
++# legacy scripts.
++
+ #
+ # Linux:
+ # "/usr/sbin/pre-freeze-script"
+--
+2.41.0
+
diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec
index 0167e5a..8ade38f 100644
--- a/SPECS/open-vm-tools.spec
+++ b/SPECS/open-vm-tools.spec
@@ -28,7 +28,7 @@
Name: open-vm-tools
Version: %{toolsversion}
-Release: 3%{?dist}.7
+Release: 3%{?dist}.9
Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
Group: Applications/System
License: GPLv2
@@ -40,7 +40,7 @@ Source3: run-vmblock\x2dfuse.mount
Source4: open-vm-tools.conf
Source5: vmtoolsd.pam
-ExclusiveArch: x86_64 %{ix86}
+ExclusiveArch: x86_64
Patch0002: 0002-Fix-RELRO-flag.patch
# For bz#1809753 - [ESXi][RHEL7.9]open-vm-tools add appinfo plugin patch
@@ -62,6 +62,12 @@ Patch9: ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch
Patch10: ovt-Remove-some-dead-code.patch
# For RHEL-2413 - CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-7.9.z]
Patch11: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
+# For bz#2226921 - [RHEL7.9][ESXi]Latest version of open-vm-tools breaks VM backups
+Patch12: ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch
+# For RHEL-14642 - CVE-2023-34058 open-vm-tools: SAML token signature bypass [rhel-7.9.z]
+Patch13: ovt-Don-t-accept-tokens-with-unrelated-certs.patch
+# For RHEL-14676 - CVE-2023-34059 open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper [rhel-7.9.z]
+Patch14: ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -342,6 +348,19 @@ fi
%{_bindir}/vmware-vgauth-smoketest
%changelog
+* Thu Nov 02 2023 Miroslav Rezanina <mrezanin@redhat.com> - 11.0.5-3.el7_9.9
+- ovt-Don-t-accept-tokens-with-unrelated-certs.patch [RHEL-14642]
+- ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch [RHEL-14676]
+- Resolves: RHEL-14642
+ (CVE-2023-34058 open-vm-tools: SAML token signature bypass [rhel-7.9.z])
+- Resolves: RHEL-14676
+ (CVE-2023-34059 open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper [rhel-7.9.z])
+
+* Thu Sep 28 2023 Jon Maloy <jmaloy@redhat.com> - 11.0.5-3.el7_9.8
+- ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch [bz#2226921]
+- Resolves: bz#2226921
+ ([RHEL7.9][ESXi]Latest version of open-vm-tools breaks VM backups)
+
* Thu Sep 07 2023 Miroslav Rezanina <mrezanin@redhat.com> - 11.0.5-3.el7_9.7
- ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch [RHEL-2413]
- Resolves: RHEL-2413