
Bug#942044: marked as done (buster-pu: package open-vm-tools/2:10.3.10-1+deb10u2)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #942044,
regarding buster-pu: package open-vm-tools/2:10.3.10-1+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
942044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942044
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release-team,

I'd like to update open-vm-tools with the next point release as upstream
found some memory leaks which need to be fixed. This includes a very
minor security issue where root would have access to soon expiring SAML
tokens - but root has access to them anyway (for example by running a
hacked version of open-vm-tools).

This is #941955

Upstream changes are here:
https://github.com/vmware/open-vm-tools/commits/stable-10.3.10-vix-memory-leaks

debdiff is attached to this mail.

Please let me know when I can upload the buster-pu.

Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff --git a/debian/changelog b/debian/changelog
index 316bfa27..8432b78a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+open-vm-tools (2:10.3.10-1+deb10u2) buster; urgency=medium
+
+  * [d512626] Fix memory leaks and error handling.
+    From the upstream stable-10.3.10-vix-memory-leaks branch:
+    commit 26b9edbeb79d1c67b9ae73a0c97c48999c1fb503
+        Fix leaks in ListAliases and ListMappedAliases
+    commit 7b874f37f970aab2adddb063a8363594f47abf70
+        End VGAuth impersonation in the case of error.
+    commit 015db4c06a8be65eb96cf62421e8b5366993452f
+        Fix memory leaks in 'vix' tools plugin.
+    Thanks to Oliver Kurth (Closes: #941955)
+
+ -- Bernd Zeimetz <bzed@debian.org>  Wed, 09 Oct 2019 14:18:48 +0200
+
 open-vm-tools (2:10.3.10-1+deb10u1) buster; urgency=medium
 
   * [efb4df1] Fix guest OS reporting for Debian/Buster.
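
Review bot: the new entry under "[d512626] Fix memory leaks and error handling" says nothing about the SAML token handling that the request mail describes as a minor security issue, so someone reading only the changelog cannot tell that the upload touches credential cleanup. Suggest adding a line for it. The three commits are also listed in the reverse of the order they are applied in debian/patches/series; listing them in series order would make the entry easier to check against the patch stack.
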
diff --git a/debian/patches/015db4c0_Fix-memory-leaks-in-vix-tools-plugin b/debian/patches/015db4c0_Fix-memory-leaks-in-vix-tools-plugin
new file mode 100644
index 00000000..e0d161c1
--- /dev/null
+++ b/debian/patches/015db4c0_Fix-memory-leaks-in-vix-tools-plugin
@@ -0,0 +1,80 @@
+From 015db4c06a8be65eb96cf62421e8b5366993452f Mon Sep 17 00:00:00 2001
+From: Oliver Kurth <okurth@vmware.com>
+Date: Wed, 29 Aug 2018 13:29:45 -0700
+Subject: [PATCH] Fix memory leaks in 'vix' tools plugin.
+
+* vix plugin retrieves the power script file paths from the
+config file but doesn't free them and this causes a memory leak.
+Fixed the code to free the filepaths.
+
+* In GuestAuthPasswordAuthenticateImpersonate function, the VGAuth
+handle is not freed when the impersonation fails. Fixed the
+code to call VGAuth_UserHandleFree in the error path.
+
+Note: I executed one guest operation with wrong credentials.
+Every failure leaks 75 bytes of memory. (in Centos 64-bit VM)
+
+* Fixed another minor issue in the code. At couple of places in
+the code, replaced 'err' with 'vgErr' for storing the return value
+of VGAuth_UserHandleAccessToken.
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 20 +++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -2522,10 +2522,10 @@ VixTools_GetToolsPropertiesImpl(GKeyFile
+    char *guestName;
+    int osFamily;
+    char *packageList = NULL;
+-   const char *powerOffScript = NULL;
+-   const char *powerOnScript = NULL;
+-   const char *resumeScript = NULL;
+-   const char *suspendScript = NULL;
++   char *powerOffScript = NULL;
++   char *powerOnScript = NULL;
++   char *resumeScript = NULL;
++   char *suspendScript = NULL;
+    char *osName = NULL;
+    char *osNameFull = NULL;
+    Bool foundHostName;
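
Review bot: dropping `const` from `powerOffScript`, `powerOnScript`, `resumeScript` and `suspendScript` is only safe if every value assigned to them is a heap allocation owned by this function. The assignments are outside this hunk, so confirm that none of them can point at a string literal, a default value or storage still owned by the GKeyFile, because the `free()` calls added at `abort:` would then be invalid.
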
+@@ -2726,6 +2726,10 @@ abort:
+    free(tempDir);
+    free(osName);
+    free(osNameFull);
++   free(suspendScript);
++   free(resumeScript);
++   free(powerOnScript);
++   free(powerOffScript);
+ #else
+    /*
+     * FreeBSD. We do not require all the properties above.
+@@ -11583,7 +11587,7 @@ GuestAuthPasswordAuthenticateImpersonate
+ 
+ #ifdef _WIN32
+    // this is making a copy of the token, be sure to close it
+-   err = VGAuth_UserHandleAccessToken(ctx, newHandle, userToken);
++   vgErr = VGAuth_UserHandleAccessToken(ctx, newHandle, userToken);
+    if (VGAUTH_FAILED(vgErr)) {
+       err = VixToolsTranslateVGAuthError(vgErr);
+       goto done;
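
Review bot: at the `VGAuth_UserHandleAccessToken` call, the old code stored the result in `err` while the next line tested `VGAUTH_FAILED(vgErr)`, so the check was made against whatever an earlier call had left in `vgErr`. The patch description calls this "another minor issue", but it changes which failures reach `goto done` on Windows; the description should state that plainly so the change is not read as a rename.
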
+@@ -11599,6 +11603,10 @@ done:
+    free(username);
+    Util_ZeroFreeString(password);
+ 
++   if (VIX_OK != err) {
++      VGAuth_UserHandleFree(newHandle);
++      newHandle = NULL;
++   }
+    return err;
+ #else
+    return VIX_E_NOT_SUPPORTED;
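
Review bot: in the `done:` block, `VGAuth_UserHandleFree(newHandle)` now runs for every result other than `VIX_OK`, which includes failures that happen before a handle was obtained, when `newHandle` is still NULL. Confirm that `VGAuth_UserHandleFree` accepts NULL, or guard the call with `if (newHandle != NULL)`. Note also that this hunk frees the handle without ending an impersonation that may already be active; that is only addressed by the following patch, so the two should not be applied separately.
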
+@@ -11729,7 +11737,7 @@ impersonate:
+ 
+ #ifdef _WIN32
+    // this is making a copy of the token, be sure to close it
+-   err = VGAuth_UserHandleAccessToken(ctx, newHandle, userToken);
++   vgErr = VGAuth_UserHandleAccessToken(ctx, newHandle, userToken);
+    if (VGAUTH_FAILED(vgErr)) {
+       err = VixToolsTranslateVGAuthError(vgErr);
+       goto done;
diff --git a/debian/patches/26b9edbe_Fix-leaks-in-ListAliases-and-ListMappedAliases-9bc72f0b09702754b429115658a85223cb3058bd-from-devel b/debian/patches/26b9edbe_Fix-leaks-in-ListAliases-and-ListMappedAliases-9bc72f0b09702754b429115658a85223cb3058bd-from-devel
new file mode 100644
index 00000000..17d66c27
--- /dev/null
+++ b/debian/patches/26b9edbe_Fix-leaks-in-ListAliases-and-ListMappedAliases-9bc72f0b09702754b429115658a85223cb3058bd-from-devel
@@ -0,0 +1,64 @@
+From 26b9edbeb79d1c67b9ae73a0c97c48999c1fb503 Mon Sep 17 00:00:00 2001
+From: Oliver Kurth <okurth@vmware.com>
+Date: Wed, 2 Oct 2019 17:48:35 -0700
+Subject: [PATCH] Fix leaks in ListAliases and ListMappedAliases
+ (9bc72f0b09702754b429115658a85223cb3058bd from devel)
+
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -9621,7 +9621,6 @@ VixToolsListAuthAliases(VixCommandReques
+    char *endDestPtr;
+    char *tmpBuf = NULL;
+    char *tmpBuf2 = NULL;
+-   char *recordBuf;
+    size_t recordSize;
+    char *escapedStr = NULL;
+    char *escapedStr2 = NULL;
+@@ -9680,6 +9679,8 @@ VixToolsListAuthAliases(VixCommandReques
+    destPtr += Str_Sprintf(destPtr, endDestPtr - destPtr, "%s",
+                           VIX_XML_ESCAPED_TAG);
+    for (i = 0; i < num; i++) {
++      char *recordBuf = NULL;
++
+       escapedStr = VixToolsEscapeXMLString(uaList[i].pemCert);
+       if (escapedStr == NULL) {
+          err = VIX_E_OUT_OF_MEMORY;
+@@ -9750,6 +9751,8 @@ VixToolsListAuthAliases(VixCommandReques
+          Log("%s: ListAuth list results too large, truncating", __FUNCTION__);
+          goto abort;
+       }
++      free(recordBuf);
++      recordBuf = NULL;
+    }
+ 
+    *result = resultBuffer;
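
Review bot: the `goto abort` in the "results too large, truncating" branch leaves the loop before the added `free(recordBuf)` is reached, and with `recordBuf` now declared inside the loop body the `abort:` label can no longer release it. The lines that allocate `recordBuf` and the start of that branch are outside this context, so confirm the branch frees the buffer before jumping; otherwise the truncation path still leaks one record. The same check applies to the matching hunk in `VixToolsListMappedAliases`.
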
+@@ -9817,7 +9820,6 @@ VixToolsListMappedAliases(VixCommandRequ
+    char *endDestPtr;
+    char *tmpBuf = NULL;
+    char *tmpBuf2 = NULL;
+-   char *recordBuf;
+    char *escapedStr = NULL;
+    char *escapedStr2 = NULL;
+    size_t recordSize;
+@@ -9870,6 +9872,8 @@ VixToolsListMappedAliases(VixCommandRequ
+    destPtr += Str_Sprintf(destPtr, endDestPtr - destPtr, "%s",
+                           VIX_XML_ESCAPED_TAG);
+    for (i = 0; i < num; i++) {
++      char *recordBuf = NULL;
++
+       escapedStr = VixToolsEscapeXMLString(maList[i].pemCert);
+       if (escapedStr == NULL) {
+          err = VIX_E_OUT_OF_MEMORY;
+@@ -9938,6 +9942,8 @@ VixToolsListMappedAliases(VixCommandRequ
+          Log("%s: ListMapped results too large, truncating", __FUNCTION__);
+          goto abort;
+       }
++      free(recordBuf);
++      recordBuf = NULL;
+    }
+ 
+    *result = resultBuffer;
diff --git a/debian/patches/7b874f37_End-VGAuth-impersonation-in-the-case-of-error b/debian/patches/7b874f37_End-VGAuth-impersonation-in-the-case-of-error
new file mode 100644
index 00000000..fe0b30de
--- /dev/null
+++ b/debian/patches/7b874f37_End-VGAuth-impersonation-in-the-case-of-error
@@ -0,0 +1,90 @@
+From 7b874f37f970aab2adddb063a8363594f47abf70 Mon Sep 17 00:00:00 2001
+From: Oliver Kurth <okurth@vmware.com>
+Date: Tue, 4 Sep 2018 15:40:58 -0700
+Subject: [PATCH] End VGAuth impersonation in the case of error.
+
+* In GuestAuthPasswordAuthenticateImpersonate():
+When VGAuth_UserHandleAccessToken fails, unimpersonation is not
+being done. This can cause issues. Fixed it.
+
+* In GuestAuthSAMLAuthenticateAndImpersonate(), fixed the following issues:
+The 'newHandle' is not being freed which causes a memory leak.
+When VGAuth_UserHandleAccessToken fails, unimpersonation is not
+being done.
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 25 +++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -11550,6 +11550,7 @@ GuestAuthPasswordAuthenticateImpersonate
+    VGAuthError vgErr;
+    VGAuthUserHandle *newHandle = NULL;
+    VGAuthExtraParams extraParams[1];
++   Bool impersonated = FALSE;
+ 
+    extraParams[0].name = VGAUTH_PARAM_LOAD_USER_PROFILE;
+    extraParams[0].value = VGAUTH_PARAM_VALUE_TRUE;
+@@ -11585,6 +11586,8 @@ GuestAuthPasswordAuthenticateImpersonate
+       goto done;
+    }
+ 
++   impersonated = TRUE;
++
+ #ifdef _WIN32
+    // this is making a copy of the token, be sure to close it
+    vgErr = VGAuth_UserHandleAccessToken(ctx, newHandle, userToken);
+@@ -11604,6 +11607,10 @@ done:
+    Util_ZeroFreeString(password);
+ 
+    if (VIX_OK != err) {
++      if (impersonated) {
++         vgErr = VGAuth_EndImpersonation(ctx);
++         ASSERT(vgErr == VGAUTH_E_OK);
++      }
+       VGAuth_UserHandleFree(newHandle);
+       newHandle = NULL;
+    }
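
Review bot: the result of `VGAuth_EndImpersonation(ctx)` in the error path is checked only with `ASSERT(vgErr == VGAUTH_E_OK)`. If `ASSERT` is compiled out in release builds, a failed un-impersonation goes unnoticed and the function returns with the thread possibly still running as the impersonated user. Suggest logging the failure unconditionally and deciding explicitly what the caller should see in that case, rather than relying on the assertion.
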
+@@ -11638,12 +11645,13 @@ GuestAuthSAMLAuthenticateAndImpersonate(
+ {
+ #if SUPPORT_VGAUTH
+    VixError err;
+-   char *token;
+-   char *username;
++   char *token = NULL;
++   char *username = NULL;
+    VGAuthContext *ctx = NULL;
+    VGAuthError vgErr;
+    VGAuthUserHandle *newHandle = NULL;
+    VGAuthExtraParams extraParams[1];
++   Bool impersonated = FALSE;
+ 
+    extraParams[0].name = VGAUTH_PARAM_LOAD_USER_PROFILE;
+    extraParams[0].value = VGAUTH_PARAM_VALUE_TRUE;
+@@ -11735,6 +11743,8 @@ impersonate:
+       goto done;
+    }
+ 
++   impersonated = TRUE;
++
+ #ifdef _WIN32
+    // this is making a copy of the token, be sure to close it
+    vgErr = VGAuth_UserHandleAccessToken(ctx, newHandle, userToken);
+@@ -11750,6 +11760,17 @@ impersonate:
+    err = VIX_OK;
+ 
+ done:
++   Util_ZeroFreeString(token);
++   Util_ZeroFreeString(username);
++
++   if (VIX_OK != err) {
++      if (impersonated) {
++         vgErr = VGAuth_EndImpersonation(ctx);
++         ASSERT(vgErr == VGAUTH_E_OK);
++      }
++      VGAuth_UserHandleFree(newHandle);
++      newHandle = NULL;
++   }
+ 
+    return err;
+ #else
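
Review bot: `Util_ZeroFreeString(token)` and `Util_ZeroFreeString(username)` are added at `done:` for all paths, while the diffstat shows only two deletions, both of them the old declarations, so any release of these buffers that already exists earlier in the function is still there. Confirm no earlier path frees `token` or `username` before jumping to `done`, otherwise this becomes a double free. The patch description also does not mention that the token and username are now zeroed and freed, although this is the SAML token cleanup the request mail refers to; it should be listed alongside the `newHandle` fix.
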
diff --git a/debian/patches/series b/debian/patches/series
index 39debc1e..b4413b6c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,6 @@ debian/pam-use-common-auth-account
 debian/max_nic_count
 debian/scsi-udev-rule
 fix-buster-OS-reporting
+015db4c0_Fix-memory-leaks-in-vix-tools-plugin
+7b874f37_End-VGAuth-impersonation-in-the-case-of-error
+26b9edbe_Fix-leaks-in-ListAliases-and-ListMappedAliases-9bc72f0b09702754b429115658a85223cb3058bd-from-devel
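
Review bot: the order of the three new entries is load-bearing and nothing in the file says so. The context lines of 7b874f37 include the `if (VIX_OK != err) {` block and the `vgErr = VGAuth_UserHandleAccessToken(...)` assignment that 015db4c0 introduces, so 7b874f37 will not apply if it is moved ahead of it. The order here is correct; a short comment line in the series file, or a note in the patch headers, would keep a later reorder from breaking the stack.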

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
