
Bug#926481: stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

as discussed with the security team, I'd like to fix #925959
with the next stable point release. The proposed debdiff is attached.


Please let me know if it's okay to upload.

Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff --git a/debian/changelog b/debian/changelog
index 0be9f865..9b8f4cbb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+open-vm-tools (2:10.1.5-5055683-4+deb9u2) stable; urgency=medium
+
+  * [34db05f] /tmp/VMwareDnD permissions security fix.
+    Fix possible security issue with the permissions of the intermediate
+    staging directory and path
+    /tmp/VMwareDnD is a staging directory used for DnD and CnP.  It should be
+    a regular directory, but malicious code or user may create the /tmp/VMwareDnD
+    as a symbolic link which points elsewhere on the system.  This may provide
+    user access to user B's files.
+    Do not set the permission of the root directory if the root directory
+    already exists and has the wrong permission.  The permission of the directory
+    must be 1777 if it is created by the VMToolsi.  If not, then the directory
+    has been created or modified by malicious code or user, so just cancel the
+    host to guest DnD or CnP operation. (Closes: #925959)
+
+ -- Bernd Zeimetz <bzed@debian.org>  Fri, 05 Apr 2019 23:10:04 +0200
+
 open-vm-tools (2:10.1.5-5055683-4+deb9u1) stretch; urgency=medium
 
   * [dec8df6] Upstream fix for CVE-2015-5191 (Closes: #869633)
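Review bot: the new entry's distribution field is `stable`, while the previous entry on this branch uses `stretch`; using the codename here would match the existing entry and keep the upload target unambiguous. In the description, "This may provide user access to user B's files" reads as if a word is missing before "access", and "VMToolsi" looks like a typo; both are carried over from the upstream commit message, so correcting them in the changelog text alone is enough.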
diff --git a/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch b/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
new file mode 100644
index 00000000..43daed8a
--- /dev/null
+++ b/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
@@ -0,0 +1,54 @@
+commit e88f91b00a715b79255de6576506d80ecfdb064c
+Author: Oliver Kurth <okurth@vmware.com>
+Date:   Tue Jan 29 14:03:19 2019 -0800
+
+    Fix possible security issue with the permissions of the intermediate
+    staging directory and path
+    
+    /tmp/VMwareDnD is a staging directory used for DnD and CnP.  It should be
+    a regular directory, but malicious code or user may create the /tmp/VMwareDnD
+    as a symbolic link which points elsewhere on the system.  This may provide
+    user access to user B's files.
+    
+    Do not set the permission of the root directory if the root directory
+    already exists and has the wrong permission.  The permission of the directory
+    must be 1777 if it is created by the VMToolsi.  If not, then the directory
+    has been created or modified by malicious code or user, so just cancel the
+    host to guest DnD or CnP operation.
+
+--- a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
++++ b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
+@@ -276,12 +276,11 @@ DnDCreateRootStagingDirectory(void)
+    }
+ 
+    if (File_Exists(root)) {
+-      if (!DnDRootDirUsable(root) &&
+-          !DnDSetPermissionsOnRootDir(root)) {
++      if (!DnDRootDirUsable(root)) {
+          /*
+-          * The directory already exists and its permissions are wrong and
+-          * cannot be set, so there's not much we can do.
++          * The directory already exists and its permissions are wrong.
+           */
++         Log("%s: The root dir is not usable.\n", __FUNCTION__);
+          return NULL;
+       }
+    } else {
+--- a/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c
++++ b/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c
+@@ -318,12 +318,11 @@ CreateApparentRootDirectory(void)
+    }
+ 
+    if (File_Exists(root)) {
+-      if (   !DnDRootDirUsable(root)
+-          && !DnDSetPermissionsOnRootDir(root)) {
++      if (!DnDRootDirUsable(root)) {
+          /*
+-          * The directory already exists and its permissions are wrong and
+-          * cannot be set, so there's not much we can do.
++          * The directory already exists and its permissions are wrong.
+           */
++         Log_Trivia("dnd: The root dir is not usable.\n");
+          return NULL;
+       }
+    } else {
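Review bot: the refusal path in the dndXdg.c hunk logs with `Log_Trivia("dnd: The root dir is not usable.\n")` while the same condition in dndCommon.c uses `Log(...)` with `__FUNCTION__`; since this branch now cancels the DnD/CnP operation on a security-relevant condition, both call sites should log at the same level so the cancellation is equally visible, and including the value of `root` in the message would help whoever has to investigate. The commit message describes /tmp/VMwareDnD being pre-created as a symbolic link, but the visible change only drops the `DnDSetPermissionsOnRootDir(root)` fallback; whether a symlink is actually rejected depends on `File_Exists()` and `DnDRootDirUsable()`, which are outside these hunks, so it is worth confirming that `DnDRootDirUsable()` does not follow links. The patch file also carries only the git commit header; adding Origin: and Bug-Debian: fields would tie it to #925959.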
diff --git a/debian/patches/series b/debian/patches/series
index 2c8fbff7..58f5849b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ from_arch/0001-Fix-vmxnet-module-on-kernels-3.16.patch
 debian/enable_vmhgfs-fuse_by_default
 debian/vmxnet_fix_kernel_4.7.patch
 debian/cve-2015-5191.patch
+e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
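Review bot: the new series entry sits at the top level of debian/patches and is named by commit hash plus "vmware_dnd_fix", whereas the neighbouring entries live under debian/ or from_arch/ and name what they fix (for example debian/cve-2015-5191.patch); consider moving it under debian/ with a name that mentions the staging directory permissions, so the series file stays readable.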
