From: Oliver Kurth
Date: Fri, 9 Nov 2018 21:22:24 +0000 (-0800)
Subject: Security concern: Certificates contain identifying information
X-Git-Tag: stable-11.0.0~314
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f76ab6ac8adc5b8c28aa0979006dda3119cc04ab;p=thirdparty%2Fopen-vm-tools.git
Security concern: Certificates contain identifying information
Do not log the contents of certificates which contain identifying information such as e-mail addresses.
---
diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
index 787a5faa8..9fa2aab29 100644
--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
@@ -1128,7 +1128,19 @@ BuildCertChain(xmlNodePtr x509Node,
 g_warning("PEM cert: %s\n", pemCert);
 VMXLog_Log(VMXLOG_LEVEL_WARNING, "%s: Failed to add cert to key manager\n", __FUNCTION__);
- VMXLog_Log(VMXLOG_LEVEL_WARNING, "PEM cert: %s\n", pemCert);
+ /*
+ * XXX
+ *
+ * Certificates can have data (eg email addresses)
+ * we don't want to log those to the VMX due to privacy concerns.
+ * So let's not log to VMX at all until we have a reliable way to
+ * cleanse them -- assuming that doesn't make them worthless
+ * since the data won't match anything in the aliasStore
+ * or a SAML token.
+ */
+#if 0
+ VMXLog_Log(VMXLOG_LEVEL_WARNING, "PEM cert: %s\n", pemCert);
+#endif
 goto done;
 }
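Review bot: The context line `g_warning("PEM cert: %s\n", pemCert);` just above the change still writes the full PEM certificate to the GLib log (presumably the guest-side service log), so the identifying data is kept out of the VMX log only, not out of logging altogether. If that is the intent, as the new comment's wording suggests, the commit description should say "to the VMX log"; otherwise that call needs the same treatment. On style, disabling the call with `#if 0` leaves dead code that is no longer compiled or kept in sync; I would delete the line and keep a short comment such as `/* PEM cert deliberately not sent to the VMX log: it may carry e-mail addresses. */`. The enclosing error branch of BuildCertChain starts and ends outside this hunk.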