new file mode 100644
@@ -0,0 +1,163 @@
+From 3028cdd4c0b2461b904cbe5a5868c8e591aa0941 Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Mon, 8 May 2023 19:04:57 -0700
+Subject: [PATCH] Remove some dead code.
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+
+CVE: CVE-2023-20867
+
+Upstream-Status: Backport
+[https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 --------------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index 9f376a7..85c5ba7 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
+ #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
+ #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
+
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
+-
+ /*
+ * The switch that controls all APIs
+ */
+@@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+
+ void GuestAuthUnimpersonate();
+
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+- const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
+ userToken);
+ break;
+ }
+- case VIX_USER_CREDENTIAL_ROOT:
+- {
+- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+- /*
+- * Don't accept hashed shared secret if disabled.
+- */
+- g_message("%s: Requested authentication type has been disabled.\n",
+- __FUNCTION__);
+- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+- goto done;
+- }
+- }
+- // fall through
+-
+- case VIX_USER_CREDENTIAL_CONSOLE_USER:
+- err = VixToolsImpersonateUserImplEx(NULL,
+- credentialType,
+- NULL,
+- loadUserProfile,
+- userToken);
+- break;
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+ case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8205,36 +8177,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
+ }
+
+ /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- */
+- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+- && (thisProcessRunsAsRoot)) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+- err = VIX_OK;
+- goto quit;
+- }
+-
+- /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- *
+- * XXX This has been deprecated XXX
+- */
+- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+- err = VIX_OK;
+- goto quit;
+- }
+-
+- /*
+ * If the VMX asks us to run commands in the context of the current
+ * user, make sure that the user who requested the command is the
+ * same as the current user.
+@@ -10917,50 +10859,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
+ /*
+ *-----------------------------------------------------------------------------
+ *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- * Checks to see if a given authentication type has been
+- * disabled via the tools configuration.
+- *
+- * Return value:
+- * TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- * None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
+- const char *typeName) // IN
+-{
+- char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
+- gboolean disabled;
+-
+- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+- typeName);
+-
+- ASSERT(confDictRef != NULL);
+-
+- /*
+- * XXX Skip doing the strcmp() to verify the auth type since we only
+- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+- */
+- disabled = VMTools_ConfigGetBoolean(confDictRef,
+- VIX_TOOLS_CONFIG_API_GROUPNAME,
+- authnDisabledName,
+- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+- return !disabled;
+-}
+-
+-
+-/*
+- *-----------------------------------------------------------------------------
+- *
+ * VixTools_ProcessVixCommand --
+ *
+ *
+--
+2.6.2
+
@@ -43,6 +43,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=stabl
file://0012-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \
file://0013-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \
file://0001-timeSync-Portable-way-to-print-64bit-time_t.patch;patchdir=.. \
+ file://CVE-2023-20867.patch;patchdir=.. \
"
UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"
CVE-2023-20867: A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-20867 Patch from: https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- .../open-vm-tools/CVE-2023-20867.patch | 163 ++++++++++++++++++ .../open-vm-tools/open-vm-tools_12.1.5.bb | 1 + 2 files changed, 164 insertions(+) create mode 100644 meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2023-20867.patch