open-vm-tools: CVE-2022-31676 local root privilege escalation in the …

…virtual machine Source: https://github.com/vmware/open-vm-tools/ MR: 125031 Type: Security Fix Disposition: Backport from vmware/open-vm-tools@70a7475 ChangeID: 05e850f379fc12a687b669afeae68f2a38f9425c Description: Properly check authorization on incoming guestOps requests. Signed-off-by: Vijay Anusuri <[email protected]> Signed-off-by: Jeremy A. Puhlman <[email protected]>
MontaVista-OpenSourceTechnology · Mar 4, 2023 · 301db79 · 301db79
1 parent 7d5ffc1
commit 301db79
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/CVE-2022-31676.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/CVE-2022-31676.patch
@@ -0,0 +1,33 @@
+From 86f97ab82b284abd89bdee40ad1255578d205877 Mon Sep 17 00:00:00 2001
+From: Vijay Anusuri <[email protected]>
+Date: Thu, 2 Mar 2023 05:57:43 +0000
+Subject: [PATCH] Properly check authorization on incoming guestOps requests.
+
+Fix public pipe request checks.  Only a SessionRequest type should
+be accepted on the public pipe.
+
+Upstream-Status: Backport [https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745]
+CVE: CVE-2022-31676
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ open-vm-tools/vgauth/serviceImpl/proto.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/open-vm-tools/vgauth/serviceImpl/proto.c b/open-vm-tools/vgauth/serviceImpl/proto.c
+index ab36dca4..b044eace 100644
+--- open-vm-tools/vgauth/serviceImpl/proto.c
++++ open-vm-tools/vgauth/serviceImpl/proto.c
+@@ -1202,6 +1202,10 @@ Proto_SecurityCheckRequest(ServiceConnection *conn,
+    VGAuthError err;
+    gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn);
+
++   if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) {
++      return VGAUTH_E_PERMISSION_DENIED;
++   }
++
+    switch (req->reqType) {
+       /*
+        * This comes over the public connection; alwsys let it through.
+-- 
+2.18.2
+
diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_10.1.5.bb b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_10.1.5.bb
@@ -21,6 +21,7 @@ LICENSE_modules/freebsd/vmxnet = "GPL-2.0"
 LICENSE_modules/linux = "GPL-2.0"
 LICENSE_modules/solaris = "CDDL-1.0"
 
+PR .= "1"
 SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https \
            file://tools.conf \
            file://vmtoolsd.service \
@@ -35,6 +36,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https \
            file://0007-Use-configure-to-test-for-feature-instead-of-platfor.patch \
            file://0008-use-posix-strerror_r-unless-gnu.patch \
            file://0011-Use-configure-test-for-sys-stat.h-include.patch \
+           file://CVE-2022-31676.patch \
            "
 SRC_URI_append_libc-musl = "\
            file://0009-Add-support-for-building-with-system-libtirpc.patch \