Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package open-vm-tools for openSUSE:Factory checked in at 2023-09-01 14:19:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/open-vm-tools (Old) and /work/SRC/openSUSE:Factory/.open-vm-tools.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "open-vm-tools" Fri Sep 1 14:19:12 2023 rev:114 rq:1108318 version:12.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/open-vm-tools/open-vm-tools.changes 2023-06-30 19:58:31.557519891 +0200 +++ /work/SRC/openSUSE:Factory/.open-vm-tools.new.1766/open-vm-tools.changes 2023-09-01 14:19:30.184857832 +0200 @@ -1,0 +2,7 @@ +Mon Aug 28 15:10:27 UTC 2023 - Kirk Allan <kallan@suse.com> + +- Fix (bsc#1214566) - (CVE-2023-20900) - VUL-0: CVE-2023-20900: + open-vm-tools: SAML token signature bypass vulnerability + + Add patch: CVE-20230-20900.patch + +------------------------------------------------------------------- New: ---- CVE-20230-20900.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ open-vm-tools.spec ++++++ --- /var/tmp/diff_new_pack.II5sLc/_old 2023-09-01 14:19:32.164928502 +0200 +++ /var/tmp/diff_new_pack.II5sLc/_new 2023-09-01 14:19:32.172928788 +0200 @@ -156,6 +156,7 @@ Patch2: 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch Patch3: 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch Patch4: 2023-20867-Remove-some-dead-code.patch +Patch5: CVE-20230-20900.patch #SUSE specific patches Patch0: pam-vmtoolsd.patch @@ -261,6 +262,7 @@ %patch2 -p2 %patch3 -p2 %patch4 -p2 +%patch5 -p2 #SUSE specific patches %patch0 -p2 ++++++ CVE-20230-20900.patch ++++++ From eb4f36dfeb8b89443f7d5ade03316ba49a295eee Mon Sep 17 00:00:00 2001 
From: John Wolfe <jwolfe@vmware.com> Date: Fri, 18 Aug 2023 11:23:53 -0700 Subject: [PATCH] Address CVE-2023-20900 VGAuth: Allow only X509 certs to verify the SAML token signature. --- open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c index f5541a9..0b2a945 100644 --- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c @@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc, */ bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); if (bRet == FALSE) { - g_warning("failed to register ID\n"); + g_warning("Failed to register ID\n"); + goto done; + } + + /* Use only X509 certs to validate the signature */ + if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), + BAD_CAST xmlSecKeyDataX509Id) < 0) { + g_warning("Failed to limit allowed key data\n"); goto done; } -- 2.6.2
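Review bot: The new enabledKeyData restriction in the saml-xmlsec1.c hunk is only effective if it runs before the signature is actually verified, and the visible context stops short of the verify call; please confirm that the xmlSecDSigCtxVerify() call (or whatever consumes dsigCtx) comes after this block and not before it, since an enabledKeyData list populated after verification changes nothing. The comment "Use only X509 certs to validate the signature" also understates what the line does: a non-empty keyInfoReadCtx.enabledKeyData list makes xmlsec ignore every other KeyInfo child, so a bare <KeyValue> public key embedded in the token by its sender can no longer be the key that verifies the token's own signature. Say that explicitly in the comment, and note that restricting to X509Data only helps if the certificate is still validated against the service's trust anchors (for example, the keys manager and no XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS on the read context); that part is outside this hunk and should be re-checked rather than assumed.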
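Review bot: The patch file is named CVE-20230-20900.patch in the spec hunk (`+Patch5: CVE-20230-20900.patch`) and in the changelog, but the advisory it addresses is CVE-2023-20900; the extra digit means anything that grep or audit tooling matches on the CVE ID will not find this patch. Rename the file to CVE-2023-20900.patch and update the Patch5 line and the changelog entry to match (the "Add patch:" line in the changelog is the one place the mismatch is visible in the package history).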