From: Oliver Kurth Date: Tue, 19 Feb 2019 20:51:29 +0000 (-0800) Subject: Security issue with the intermediate staging directory used for DnD and CnP X-Git-Tag: stable-11.0.0~243 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec4e32afe179db8cf514177b08d9ab69696a2450;p=thirdparty%2Fopen-vm-tools.git Security issue with the intermediate staging directory used for DnD and CnP Problem: /tmp/VMwareDnD is a staging directory used for DnD and CnP. It should be a regular directory, but malicious code or user may create the /tmp/VMwareDnD as a symbolic link which points to the home directory of the current desktop user before the staging directory is created. Later when the desktop user initiates a DnD or CnP operation, the permission of that user's home directory will be changed allowing the malicious user full access to the desktop user's home directory. Solution: Do not set the permission of the staging directory if that directory already exists and has the wrong permission. The permission of the directory will be 1777 if it is created by VMTools. If that is not the case, the directory has been created or modified by malicious code or user; just cancel the host to guest DnD or CnP operation. --- diff --git a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c index 708f2a5dc..26e2a6adf 100644 --- a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c +++ b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c @@ -379,12 +379,11 @@ DnDCreateRootStagingDirectory(void) } if (File_Exists(root)) { - if (!DnDRootDirUsable(root) && - !DnDSetPermissionsOnRootDir(root)) { + if (!DnDRootDirUsable(root)) { /* - * The directory already exists and its permissions are wrong and - * cannot be set, so there's not much we can do. + * The directory already exists and its permissions are wrong. */ + Log("%s: The root dir is not usable.\n", __FUNCTION__); return NULL; } } else { 
diff --git a/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c b/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c index 4f52829e7..9a273d645 100644 --- a/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c +++ b/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c @@ -318,12 +318,11 @@ CreateApparentRootDirectory(void) } if (File_Exists(root)) { - if ( !DnDRootDirUsable(root) - && !DnDSetPermissionsOnRootDir(root)) { + if (!DnDRootDirUsable(root)) { /* - * The directory already exists and its permissions are wrong and - * cannot be set, so there's not much we can do. + * The directory already exists and its permissions are wrong. */ + Log_Trivia("dnd: The root dir is not usable.\n"); return NULL; } } else {
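Review bot: In the dndCommon.c hunk (DnDCreateRootStagingDirectory), the new `if (!DnDRootDirUsable(root))` branch makes DnDRootDirUsable() the only defence against a pre-created /tmp/VMwareDnD, and its body is not part of this patch. Please confirm, or document in the comment, that it inspects the path without following symbolic links and requires a real directory with mode 1777, as the commit message states; a check that follows the link would still be evaluating the link target. The File_Exists(root) test followed by a separate usability test is also a check-then-use sequence on a path in a world-writable directory, so the comment should say what prevents the entry from being replaced between the check and the later use of the staging directory. Finally, the new Log() line would be more useful for triage if it included `root`.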
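Review bot: In the dndXdg.c hunk (CreateApparentRootDirectory), the refusal is logged with `Log_Trivia("dnd: The root dir is not usable.\n")` while the identical condition in dndCommon.c uses `Log("%s: ...", __FUNCTION__)`. According to the commit message this condition means the directory was created or modified by someone other than VMTools, so it should be logged the same way in both places, with the function name and the path, rather than at trivia level in one of them. The two branches are now the same check and the same comment in two files; a shared helper would keep any future change to this check from being applied to only one copy.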