- Update from version 12.0.5 to 12.5.0
- Update of rootfile not required
- Several CVEs in various updates between 12.0.5 and 12.5.0
- Changelog
    12.5.0
      The following github.com/vmware/open-vm-tools pull request has been addressed.
        Revise settings for vmware-user.desktop
          Pull request #668
      Accommodate newer releases of libxml2 and xmlsec1.
        The configure.ac and VGAuth code updated to avoid deprecated functions and build options based on OSS product version.
    12.4.5
      A number of issues flagged by Coverity and ShellCheck have been addressed.
        The changes include code fixes and Coverity escapes for reported false positives. See the details in the open-vm-tools ChangeLog for specific fix or false positive escape.
      Nested logging from RPCChannel error may hang the vmtoolsd process.
        This issue has been fixed in this release.
      vmtoolsd child processes invoke parent's atexit handler.
        Fixed in this release by terminating child processes with _exit().
      Mutexes in lib/libvmtools/vmtoolsLog.c and glib could have been locked at fork time. The vmtoolsLog.c Debug(), Warning() and Panic() functions are not safe for child processes.
        Fixed in this release by directing child processes' logging to stdout.
      Permission on the vmware-network.log file incorrectly defaults to (0644).
        Fixed in this release. The correct default is set to (0600).
      The NetworkManager calls in the Linux "network" script have been updated.
        Defaults to using the "Sleep" method over the "Enabled" method used to work around a bug in NetworkManager version 0.9.0.
        Resolves: Pull request #699 Issue #426
      Unused header files have been dropped from the current open-vm-tools source.
      Accommodate newer releases of libxml2 and xmlsec1.
        The configure.ac and VGAuth code updated to avoid deprecated functions and build options based on OSS product version.
    12.4.0
      The following github.com/vmware/open-vm-tools pull request has been addressed
        Power Ops: Attempt to execute file path only
          Pull request #689
      A number of issues flagged by Coverity have been addressed.
      Add aliasing code to identify Miracle Linux by its former name of "asianux".
        The Asianux Linux distribution rebranded itself as Miracle Linux. Since vSphere infrastructure recognizes "asianux" but not Miracle Linux, aliasing code was added to open-vm-tools to continue to identify Miracle Linux systems as "asianux".
    12.3.5
      This release resolves CVE-2023-34058. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
        open-vm-tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
        A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.
        Note: While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that must be addressed.
        A patch for earlier versions of open-vm-tools is available at CVE-2023-34058.patch.
      This release resolves CVE-2023-34059.
        open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.4. - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
        A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs.
        A patch for earlier versions of open-vm-tools is available at CVE-2023-34059.patch.
      The following github.com/vmware/open-vm-tools issue has been addressed
        Better cooperation between deployPkg plugin and cloud-init concerning location of 'disable_vmware_customization' flag.
          Issue #310
    12.3.0
      This release resolves CVE-2023-20900. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
      Linux quiesced snapshot: "SyncDriver: failed to freeze 'filesystem'"
        The open-vm-tools 12.2.0 release had an update to the Linux quiesced snapshot operation that would avoid starting a quiesced snapshot if a filesystem had already been frozen by another process. See the Resolved Issues section in the open-vm-tools 12.2.0 Release Notes. That fix may have been backported into earlier versions of open-vm-tools by Linux vendors.
        It is possible that filesystems are being frozen in custom pre-freeze scripts to control the order in which those specific filesystems are to be frozen. The vmtoolsd process must be informed of all such filesystems with the help of "excludedFileSystems" setting of tools.conf.
          [vmbackup]
          excludedFileSystems=/opt/data,/opt/app/project-*,...
        A temporary workaround is available (starting from open-vm-tools 12.3.0) for system administrators to quickly allow a quiescing operation to succeed until the "excludedFileSystems" list can be configured. Note, if another process thaws the file system while a quiescing snapshot operation is ongoing, the snapshot may be compromised. Once the "excludedFileSystems" list is configured this setting MUST be unset (or set to false).
          [vmbackup]
          ignoreFrozenFileSystems = true
        This workaround is provided in the source file changes in https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a... and at Linux vendors' discretion, may be backported to earlier versions of open-vm-tools.
      A number of Coverity reported issues have been addressed.
      Component Manager / salt-minion: New InstallStatus "UNMANAGED".
        Salt-minion added support for "ExternalInstall" (106) to indicate an older version of salt-minion is installed on the vm and cannot be managed by the svtminion.* scripts. The Component Manager will track that as "UNMANAGED" and take no action.
      The following pull requests and issues have been addressed
        Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES
          Issue #638
          Pull request #639
        Invalid argument with "" in Linux username (Active Directory user)
          Issue #641
        Improve POSIX guest identification
          Issue #647
          Issue #648
        Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib"
          Issue #658
        Fix build problems with grpc
          Pull request #664
          Issue #676
    12.2.5
      This release resolves CVE-2023-20867. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0013.html.
    12.2.0
      A number of Coverity reported issues have been addressed.
      The vmtoolsd task is blocked in the uninterruptible state while doing a quiesced snapshot.
        As the ioctl FIFREEZE is done during a quiesced snapshot operation, an EBUSY could be seen because of an attempt to freeze the same superblock more than once depending on the OS configuration (e.g. usage of bind mounts). An EBUSY could also mean another process has locked or frozen that filesystem. That later could lead to the vmtoolsd process being blocked and ultimately other processes on the system could be blocked.
        The Linux quiesced snapshot procedure has been updated that when an EBUSY is received, the filesystem FSID is checked against the list of filesystems that have already been quiesced. If not previously seen, a warning that the filesystem is controlled by another process is logged and the quiesced snapshot request will be rejected.
        This fix to lib/syncDriver/syncDriverLinux.c is directly applicable to previous releases of open-vm-tools and is available at: https://github.com/vmware/open-vm-tools/commit/9d458c53a7a656d4d1ba3a28d090c...
      Updated the guestOps to handle some edge cases.
        When File_GetSize() fails or returns a -1 indicating the user does not have access permissions:
          Skip the file in the output of the ListFiles() request.
          Fail an InitiateFileTransferFromGuest operation.
      The following pull requests and issues have been addressed.
        Detect the proto files for the containerd grpc client in alternate locations.
          Pull request #626
        FreeBSD: Support newer releases and code clean-up for earlier versions.
          Pull request #584
    12.1.5
      A number of Coverity reported issues have been addressed.
      The deployPkg plugin may prematurely reboot the guest VM before cloud-init has completed user data setup.
        If both the Perl based Linux customization script and cloud-init run when the guest VM boots, the deployPkg plugin may reboot the guest before cloud-init has finished. The deployPkg plugin has been updated to wait for a running cloud-init process to finish before the guest VM reboot is initiated.
        This issue is fixed in this release.
      A SIGSEGV may be encountered when a non-quiescing snapshot times out.
        This issue is fixed in this release.
      Unwanted vmtoolsd service error message if not on a VMware hypervisor.
        When open-vm-tools comes preinstalled in a base Linux release, the vmtoolsd services are started automatically at system start and desktop login. If running on physical hardware or in a non-VMware hypervisor, the services will emit an error message to the Systemd's logging service before stopping.
        This issue is fixed in this release.
    12.1.0
      This release resolves CVE-2022-31676. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2022-0024.html.
        A patch for existing open-vm-tools releases is provided in the CVE-2022-31676 README file.
      A number of Coverity reported issues have been addressed.
      [FTBFS] Fix the build of the ContainerInfo plugin for a 32-bit Linux release
        Reported in open-vm-tools pull request #588, the fix did not make the code freeze date for open-vm-tools 12.0.5.
        This issue is fixed in this release.
      Make HgfsConvertFromNtTimeNsec aware of 64-bit time_t on i386 (32-bit)
        Reported in open-vm-tools pull request #387, this change incorporates the support of 64 bit time epoch conversion from Windows NT time to Unix Epoch time on i386.

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
 lfs/openvmtools | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/lfs/openvmtools b/lfs/openvmtools index b91c89d26..6e277f080 100644 --- a/lfs/openvmtools +++ b/lfs/openvmtools @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2025 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config
SUMMARY = Open Virtual Machine Tools
-VER = stable-12.0.5 +VER = stable-12.5.0
THISAPP = open-vm-tools-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -35,7 +35,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)/open-vm-tools TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = x86_64 PROG = openvmtools -PAK_VER = 12 +PAK_VER = 13
DEPS =
@@ -51,7 +51,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 298a28bfdcb5791851392a0a8d1c301c528fa7f5eb239dfd9c5b6434c10ed90196fa1583d228ab0ef22e7b342cb9b1b65639b303b44b228ddca0d16bda54b437 +$(DL_FILE)_BLAKE2 = 3ad8b820d75fe82f0111a3042a5f26697c56a10b06c77abb55ce84ebd9c8c9867283a7682131633f67ea86a7a85f95f35b3eecc255a3b8de44ee0e242f4da44e
install : $(TARGET)
@@ -85,20 +85,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --sysconfdir=/etc \ - --with-kernel-release=$(KVER)-ipfire \ - --without-ssl \ - --without-pam \ - --without-gtk2 \ - --without-gtkmm \ - --without-icu \ - --without-x \ - --with-linuxdir=/usr/src/linux \ - --without-kernel-modules \ - --disable-deploypkg \ - --without-xerces - + --prefix=/usr \ + --sysconfdir=/etc \ + --with-kernel-release=$(KVER)-ipfire \ + --without-ssl \ + --without-pam \ + --without-gtk2 \ + --without-gtkmm \ + --without-icu \ + --without-x \ + --with-linuxdir=/usr/src/linux \ + --without-kernel-modules \ + --disable-deploypkg \ + --without-xerces cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
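
Review bot: the `VER = stable-12.5.0` bump in the `@@ -26,7 +26,7` hunk crosses several upstream releases, and the commit message states "Update of rootfile not required" while also quoting the 12.3.0 entry "Remove appUtil library which depends on deprecated gdk-pixbuf-xlib". The diffstat touches only lfs/openvmtools, so please confirm the rootfile was compared against the file list of a fresh 12.5.0 build and say so in the message, since a library dropped upstream would otherwise leave a stale rootfile entry.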
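
Review bot: in the `@@ -85,20 +85,19` hunk all thirteen `./configure` options are removed and re-added with the same names and values, and the blank line before `cd $(DIR_APP) && make $(MAKETUNING)` is dropped, so this is a whitespace-only change folded into a version bump. That makes it hard to see at a glance that no build option changed; either split the re-indentation into its own commit or add a line to the commit message saying the configure flags are unchanged. Because `--without-ssl`, `--without-pam` and `--without-x` are kept, it would also help to note which of the CVEs listed in the message concern components this configuration actually builds.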