openvmtools: Update to version 12.5.0
Commit Message
- Update from version 12.0.5 to 12.5.0
- Update of rootfile not required
- Several CVEs in various updates between 12.0.5 and 12.5.0
- Changelog
12.5.0
The following github.com/vmware/open-vm-tools pull request has been addressed.
Revise settings for vmware-user.desktop
Pull request #668
Accommodate newer releases of libxml2 and xmlsec1.
The configure.ac and VGAuth code have been updated to avoid deprecated functions
and build options based on OSS product version.
12.4.5
A number of issues flagged by Coverity and ShellCheck have been addressed.
The changes include code fixes and Coverity escapes for reported
false positives. See the details in the open-vm-tools ChangeLog
for specific fix or false positive escape.
Nested logging from RPCChannel error may hang the vmtoolsd process.
This issue has been fixed in this release.
vmtoolsd child processes invoke parent's atexit handler.
Fixed in this release by terminating child processes with _exit().
Mutexes in lib/libvmtools/vmtoolsLog.c and glib could have been locked at
fork time. The vmtoolsLog.c Debug(), Warning() and Panic() functions
are not safe for child processes.
Fixed in this release by directing child processes' logging to
stdout.
Permission on the vmware-network.log file incorrectly defaults to (0644).
Fixed in this release. The correct default is set to (0600).
The NetworkManager calls in the Linux "network" script have been updated.
Defaults to using the "Sleep" method over the "Enabled" method
used to work around a bug in NetworkManager version 0.9.0.
Resolves:
Pull request #699
Issue #426
Unused header files have been dropped from the current open-vm-tools source.
Accommodate newer releases of libxml2 and xmlsec1.
The configure.ac and VGAuth code have been updated to avoid deprecated
functions and build options based on OSS product version.
12.4.0
The following github.com/vmware/open-vm-tools pull request has been addressed.
Power Ops: Attempt to execute file path only
Pull request #689
A number of issues flagged by Coverity have been addressed.
Add aliasing code to identify Miracle Linux by its former name of "asianux".
The Asianux Linux distribution rebranded itself as Miracle Linux.
Since vSphere infrastructure recognizes "asianux" but not
Miracle Linux, aliasing code was added to open-vm-tools to
continue to identify Miracle Linux systems as "asianux".
12.3.5
This release resolves CVE-2023-34058.
For more information on this vulnerability and its impact on
VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
open-vm-tools contains a SAML token signature bypass vulnerability.
VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of
7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A malicious actor that has been granted Guest Operation Privileges
in a target virtual machine may be able to elevate their
privileges if that target virtual machine has been assigned a
more privileged Guest Alias.
Note: While the description and known attack vectors are very
similar to CVE-2023-20900, CVE-2023-34058 has a different root
cause that must be addressed.
A patch for earlier versions of open-vm-tools is available at
CVE-2023-34058.patch.
This release resolves CVE-2023-34059.
open-vm-tools contains a file descriptor hijack vulnerability in
the vmware-user-suid-wrapper. VMware has evaluated the
severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.4 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A malicious actor with non-root privileges may be able to hijack
the /dev/uinput file descriptor allowing them to simulate user
inputs.
A patch for earlier versions of open-vm-tools is available at
CVE-2023-34059.patch.
The following github.com/vmware/open-vm-tools issue has been addressed.
Better cooperation between deployPkg plugin and cloud-init concerning
location of 'disable_vmware_customization' flag.
Issue #310
12.3.0
This release resolves CVE-2023-20900.
For more information on this vulnerability and its impact on VMware
products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
Linux quiesced snapshot: "SyncDriver: failed to freeze 'filesystem'"
The open-vm-tools 12.2.0 release had an update to the Linux quiesced
snapshot operation that would avoid starting a quiesced snapshot if a
filesystem had already been frozen by another process. See the
Resolved Issues section in the open-vm-tools 12.2.0 Release Notes.
That fix may have been backported into earlier versions of
open-vm-tools by Linux vendors.
It is possible that filesystems are being frozen in custom pre-freeze
scripts to control the order in which those specific filesystems are
to be frozen. The vmtoolsd process must be informed of all such
filesystems with the help of "excludedFileSystems" setting of
tools.conf.
[vmbackup]
excludedFileSystems=/opt/data,/opt/app/project-*,...
A temporary workaround is available (starting from open-vm-tools 12.3.0)
for system administrators to quickly allow a quiescing operation to
succeed until the "excludedFileSystems" list can be configured. Note,
if another process thaws the file system while a quiescing snapshot
operation is ongoing, the snapshot may be compromised. Once the
"excludedFileSystems" list is configured this setting MUST be unset
(or set to false).
[vmbackup]
ignoreFrozenFileSystems = true
This workaround is provided in the source file changes in
https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a6bed6501da2
and at Linux vendors' discretion, may be backported to earlier versions
of open-vm-tools.
A number of Coverity reported issues have been addressed.
Component Manager / salt-minion: New InstallStatus "UNMANAGED".
Salt-minion added support for "ExternalInstall" (106) to indicate an
older version of salt-minion is installed on the vm and cannot be
managed by the svtminion.* scripts. The Component Manager will track
that as "UNMANAGED" and take no action.
The following pull requests and issues have been addressed.
Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES
Issue #638
Pull request #639
Invalid argument with "\" in Linux username (Active Directory user)
Issue #641
Improve POSIX guest identification
Issue #647
Issue #648
Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib"
Issue #658
Fix build problems with grpc
Pull request #664
Issue #676
12.2.5
This release resolves CVE-2023-20867.
For more information on this vulnerability and its impact on VMware
products, see https://www.vmware.com/security/advisories/VMSA-2023-0013.html.
12.2.0
A number of Coverity reported issues have been addressed.
The vmtoolsd task is blocked in the uninterruptible state while doing a
quiesced snapshot.
As the ioctl FIFREEZE is done during a quiesced snapshot operation, an
EBUSY could be seen because of an attempt to freeze the same
superblock more than once depending on the OS configuration (e.g.
usage of bind mounts). An EBUSY could also mean another process has
locked or frozen that filesystem. The latter could lead to the
vmtoolsd process being blocked and ultimately other processes on the
system could be blocked.
The Linux quiesced snapshot procedure has been updated so that when an
EBUSY is received, the filesystem FSID is checked against the list of
filesystems that have already been quiesced. If not previously seen,
a warning that the filesystem is controlled by another process is
logged and the quiesced snapshot request will be rejected.
This fix to lib/syncDriver/syncDriverLinux.c is directly applicable to
previous releases of open-vm-tools and is available at:
https://github.com/vmware/open-vm-tools/commit/9d458c53a7a656d4d1ba3a28d090cce82ac4af0e
Updated the guestOps to handle some edge cases.
When File_GetSize() fails or returns a -1 indicating the user does not
have access permissions:
Skip the file in the output of the ListFiles() request.
Fail an InitiateFileTransferFromGuest operation.
The following pull requests and issues have been addressed.
Detect the proto files for the containerd grpc client in alternate locations.
Pull request #626
FreeBSD: Support newer releases and code clean-up for earlier versions.
Pull request #584
12.1.5
A number of Coverity reported issues have been addressed.
The deployPkg plugin may prematurely reboot the guest VM before cloud-init
has completed user data setup.
If both the Perl based Linux customization script and cloud-init
run when the guest VM boots, the deployPkg plugin may reboot
the guest before cloud-init has finished. The deployPkg plugin
has been updated to wait for a running cloud-init process to
finish before the guest VM reboot is initiated.
This issue is fixed in this release.
A SIGSEGV may be encountered when a non-quiescing snapshot times out.
This issue is fixed in this release.
Unwanted vmtoolsd service error message if not on a VMware hypervisor.
When open-vm-tools comes preinstalled in a base Linux release, the
vmtoolsd services are started automatically at system start
and desktop login. If running on physical hardware or in a
non-VMware hypervisor, the services will emit an error message
to the Systemd's logging service before stopping.
This issue is fixed in this release.
12.1.0
This release resolves CVE-2022-31676. For more information on this
vulnerability and its impact on VMware products, see
https://www.vmware.com/security/advisories/VMSA-2022-0024.html.
A patch for existing open-vm-tools releases is provided in the
CVE-2022-31676 README file.
A number of Coverity reported issues have been addressed.
[FTBFS] Fix the build of the ContainerInfo plugin for a 32-bit Linux release
Reported in open-vm-tools pull request #588, the fix did not make the
code freeze date for open-vm-tools 12.0.5.
This issue is fixed in this release.
Make HgfsConvertFromNtTimeNsec aware of 64-bit time_t on i386 (32-bit)
Reported in open-vm-tools pull request #387, this change incorporates
the support of 64 bit time epoch conversion from Windows NT time to
Unix Epoch time on i386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/openvmtools | 35 +++++++++++++++++------------------
1 file changed, 17 insertions(+), 18 deletions(-)
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -26,7 +26,7 @@ include Config
SUMMARY = Open Virtual Machine Tools
-VER = stable-12.0.5
+VER = stable-12.5.0
THISAPP = open-vm-tools-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -35,7 +35,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)/open-vm-tools
TARGET = $(DIR_INFO)/$(THISAPP)
SUP_ARCH = x86_64
PROG = openvmtools
-PAK_VER = 12
+PAK_VER = 13
DEPS =
@@ -51,7 +51,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 298a28bfdcb5791851392a0a8d1c301c528fa7f5eb239dfd9c5b6434c10ed90196fa1583d228ab0ef22e7b342cb9b1b65639b303b44b228ddca0d16bda54b437
+$(DL_FILE)_BLAKE2 = 3ad8b820d75fe82f0111a3042a5f26697c56a10b06c77abb55ce84ebd9c8c9867283a7682131633f67ea86a7a85f95f35b3eecc255a3b8de44ee0e242f4da44e
install : $(TARGET)
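Review bot: the replaced $(DL_FILE)_BLAKE2 value is the only integrity check applied to the downloaded source, and neither the hunk nor the commit message says how the new digest was obtained; please confirm it was computed (b2sum) over the archive fetched from $(DL_FROM) as named by DL_FILE rather than over a locally built or re-packed copy, and consider stating that in the commit message so the next reviewer can reproduce it.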
@@ -85,20 +85,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && autoreconf -vfi
cd $(DIR_APP) && ./configure \
- --prefix=/usr \
- --sysconfdir=/etc \
- --with-kernel-release=$(KVER)-ipfire \
- --without-ssl \
- --without-pam \
- --without-gtk2 \
- --without-gtkmm \
- --without-icu \
- --without-x \
- --with-linuxdir=/usr/src/linux \
- --without-kernel-modules \
- --disable-deploypkg \
- --without-xerces
-
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --with-kernel-release=$(KVER)-ipfire \
+ --without-ssl \
+ --without-pam \
+ --without-gtk2 \
+ --without-gtkmm \
+ --without-icu \
+ --without-x \
+ --with-linuxdir=/usr/src/linux \
+ --without-kernel-modules \
+ --disable-deploypkg \
+ --without-xerces
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
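Review bot: every configure flag removed in this hunk (--prefix through --without-xerces) is re-added with identical content, so the block is a whitespace-only reindent plus the removal of the trailing blank line; that is consistent with the 17(+)/18(-) diffstat but it forces a reviewer to diff each pair by hand to confirm no option actually changed. Either mention the reindent in the commit message or keep it out of the version bump, so the option set for 12.5.0 can be confirmed unchanged at a glance.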