Bug 2120976

Field | Value
---|---
Summary | CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine [fedora-all]
Product | Fedora
Component | open-vm-tools
Version | 36
Status | CLOSED ERRATA
Severity | high
Priority | high
Reporter | Marian Rehak <mrehak>
Assignee | John Wolfe <jwolfe>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | jwolfe, negativo17, ravindrakumar, rjones, villapla
Keywords | Security, SecurityTracking
Target Milestone | ---
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Fixed In Version | open-vm-tools-12.0.5-3.fc36, open-vm-tools-12.1.0-1.fc37, open-vm-tools-12.1.0-1.fc35
Doc Type | No Doc Update
Story Points | ---
Last Closed | 2022-09-08 11:02:23 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 2118714, 2122424
Attachments | 1908324 (Fix for CVE-2022-31676), 1908325 (Preliminary revision to the open-vm-tools.spec file)
Description
Marian Rehak
2022-08-24 08:31:45 UTC

Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====
# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=high

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2118714,2120976

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======

Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new

I have started the update for open-vm-tools for fc35, fc36, fc37 and fc38. I am getting build failures for fc37 and fc38 (rawhide) but they are unrelated to the security fix to the source code. I am also getting the same build failures with the current open-vm-tools 12.0.5-2 top-of-tree source. Investigating why the "mass" build for Fedora 37 succeeded and now it is failing.

In the meantime I am attaching the following:

1205-Properly-check-authorization-on-incoming-guestOps-re.patch
# fix for CVE-2022-31676

open-vm-tools.spec
# partial change
- contains Release bump to '3'
- defines Patch1 for the CVE patch being added.
- missing ChangeLog update

Created attachment 1908324 [details]
Fix for CVE-2022-31676

Created attachment 1908325 [details]
Preliminary revision to the open-vm-tools.spec file

Work in progress:
- Release # bumped to "3"
- Added Patch1 for the CVE fix
- missing the ChangeLog update associated with this revision in progress.
In the process of preparing the fix to open-vm-tools 12.0.5 for PR 120976 - CVE-2022-31676, I find that I cannot build the existing open-vm-tools 12.0.5-2 packages.

fc35: open-vm-tools-12.0.5-2.fc35 - BUILDS
fc36: open-vm-tools-12.0.5-2.fc36 - BUILDS
fc37: open-vm-tools-12.0.5-2.fc37 - FAILS packaging.
fc38: open-vm-tools-12.0.5-2.fc38 - FAILS packaging.

That makes me wonder how the "mass" rebuild for Fedora 37 succeeded? The failure is related to the packaging of the ??????????????

For fc36 build:
===========================
Build command: fedpkg --release f36 mockbuild --no-cleanup-after

from results_open-vm-tools/12.0.5/2.fc36/build.log
----------------------------------------------------
> /usr/bin/install -p -d /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc36.x86_64/usr/lib/udev/rules.d
> /usr/bin/install -p -m 644 ./99-vmware-scsi-udev.rules /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc36.x86_64/usr/lib/udev/rules.d
> ^^^^
> ...
> + chmod a-x /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc36.x86_64/usr/lib/udev/rules.d/99-vmware-scsi-udev.rules

from /var/lib/mock/fedora-36-x86_64/root/builddir/build//BUILD/open-vm-tools-12.0.5-19716617/config.log
-----------------------------------------------------------------------------
> UDEVRULESDIR='/usr/lib/udev/rules.d'

For fc37 build:
========================
Build command: fedpkg --release f37 mockbuild --no-cleanup-after

from results_open-vm-tools/12.0.5/2.fc37/build.log
----------------------------------------------------
> /usr/bin/install -p -d /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/lib/udev/rules.d
> /usr/bin/install -p -m 644 ./99-vmware-scsi-udev.rules /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/lib/udev/rules.d
> ^===== no /usr
> ...
> + chmod a-x /builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/usr/lib/udev/rules.d/99-vmware-scsi-udev.rules
> chmod: cannot access '/builddir/build/BUILDROOT/open-vm-tools-12.0.5-2.fc37.x86_64/usr/lib/udev/rules.d/99-vmware-scsi-udev.rules': No such file or directory

from /var/lib/mock/fedora-37-x86_64/root/builddir/build//BUILD/open-vm-tools-12.0.5-19716617/config.log;
---------------------------------------------------------------------------
> UDEVRULESDIR='/lib/udev/rules.d' # missing the "/usr" prefix ????

FEDORA-2022-20d374ce8f has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20d374ce8f

FEDORA-2022-cd23eac6f4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-cd23eac6f4

FEDORA-2022-9a73b28b96 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9a73b28b96

FEDORA-2022-20d374ce8f has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-20d374ce8f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20d374ce8f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-cd23eac6f4 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-cd23eac6f4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-cd23eac6f4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-9a73b28b96 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9a73b28b96` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9a73b28b96 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-cd23eac6f4 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2022-1b8d3b2845 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-1b8d3b2845` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1b8d3b2845 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-1c9c0bacaf has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-1c9c0bacaf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1c9c0bacaf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-1b8d3b2845 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2022-1c9c0bacaf has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
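The practical question for anyone tracking this bug is whether a given Fedora guest already carries a fixed open-vm-tools build. The following Python is an added example, not code from this bug report, from Fedora's tooling or from the open-vm-tools project: it ports rpm's rpmvercmp ordering and compares an installed NEVR (as printed by `rpm -q open-vm-tools`) against the bug's Fixed In Version entries for its Fedora release. The FIXED_IN table is copied from the bug's header; the sample NEVR strings, the name-version-release split, the epoch handling and the `fc`-dist-tag lookup are assumptions made for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed builds from the bug's "Fixed In Version" field, keyed by Fedora dist tag.
FIXED_IN = {
    "fc35": "open-vm-tools-12.1.0-1.fc35",
    "fc36": "open-vm-tools-12.0.5-3.fc36",
    "fc37": "open-vm-tools-12.1.0-1.fc37",
}

EVR = Tuple[int, str, str]  # (epoch, version, release)


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1. Numeric segments compare
    numerically, alpha segments as strings, numeric beats alpha, '~' sorts
    before anything (even end of string) and '^' sorts after end of string
    but before any other segment."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Anything that is not alnum, '~' or '^' is a separator and is skipped.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        numeric = ca.isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:  # segment type mismatch: a numeric segment is newer
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer number (no leading zeros) is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevr(nevr: str) -> Tuple[str, EVR]:
    """'open-vm-tools-1:12.0.5-2.fc36' -> ('open-vm-tools', (1, '12.0.5', '2.fc36')).
    Assumes the last two '-' separate name, version and release (no arch suffix)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, (epoch, version, release)


def compare_evr(x: EVR, y: EVR) -> int:
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def dist_tag(release: str) -> Optional[str]:
    m = re.search(r"\.(fc\d+)", release)
    return m.group(1) if m else None


def is_fixed(installed_nevr: str) -> Optional[bool]:
    """True if the package is at or above the fixed build for its Fedora
    release, False if older, None if that release is not listed in FIXED_IN."""
    name, evr = parse_nevr(installed_nevr)
    if name != "open-vm-tools":
        raise ValueError(f"not an open-vm-tools package: {installed_nevr}")
    tag = dist_tag(evr[2])
    if tag not in FIXED_IN:
        return None
    _, fixed = parse_nevr(FIXED_IN[tag])
    return compare_evr(evr, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample NEVRs standing in for `rpm -q open-vm-tools` output.
    for nevr in ("open-vm-tools-12.0.5-2.fc36", "open-vm-tools-12.0.5-3.fc36",
                 "open-vm-tools-12.1.0-1.fc37", "open-vm-tools-12.0.5-2.fc38"):
        print(nevr, "->", is_fixed(nevr))
```

The comparison is keyed by dist tag because release numbers only order builds within one Fedora release; a Fedora 38 (rawhide) package yields None rather than a guess, since this bug lists no fixed build for it. A passing version check only shows the package on disk is new enough; the vmtoolsd process that was running before the upgrade still executes the old code until it is restarted.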