Bug 1122435 - Bundled /usr/bin/VGAuthService should link libxmlsec1 not libxml-security-c
Status: VERIFIED FIXED
Classification: SUSE Linux Enterprise Server
Product: Beta SUSE Linux Enterprise Server 15 SP1
Component: Virtualization:Tools
Beta 1
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Kirk Allan
Antoine Ginies
Reported: 2019-01-18 03:28 UTC by vmware gos
Modified: 2019-07-19 22:40 UTC (History)

kallan: needinfo? (vmware-gos-qa)


Description vmware gos 2019-01-18 03:28:56 UTC
When compiling open-vm-tools 10.3.0 and above, the configure script enables xmlsec1 by default.
  --enable-xmlsec1        build vgauth with xmlsec1 instead of xml-security-c
                          (on by default).
So, bundled OVT in SLES15SP1 or SLES12SP4 should also enable xmlsec1 by default.

I tested on SLE 15SP1: manually compiling OVT 10.3.5 with the default configure option (./configure) builds successfully, and vgauthd.service runs well.

But in the bundled OVT, /usr/bin/VGAuthService links to libxml-security-c.

linux-sktp:~ # ldd /usr/bin/VGAuthService
        linux-vdso.so.1 (0x00007fff767b6000)
        libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007f170a625000)
        libxerces-c-3.1.so => /usr/lib64/libxerces-c-3.1.so (0x00007f170a089000)
        libxml-security-c.so.17 => /usr/lib64/libxml-security-c.so.17 (0x00007f1709d7b000)
...
linux-sktp:~ # vmware-toolbox-cmd -v
10.3.0.5330 (build-8931395)
linux-sktp:~ # cat /etc/os-release
NAME="SLED"
VERSION="15-SP1"
VERSION_ID="15.1"
PRETTY_NAME="SUSE Linux Enterprise Desktop 15 SP1"
ID="sled"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sled:15:sp1"


SLE 12SP4 also has the same issue.

So please use the default configure option to compile OVT when delivering SLE OVT packages.

-VMWare GOS QA
Comment 1 Kirk Allan 2019-01-22 23:23:32 UTC
I see that from Bug 1101426 - xmlsec1-openssl missing on SLE15, libxmlsec1 and libxmlsec1-openssl1 are being provided via SLE WE (workstation extensions).

Building with the default --enable-xmlsec1 flag, libxmlsec1 and libxmlsec1-openssl1 are now required for vgauth.  Without SLE WE available, the update/install of open-vm-tools will fail the dependency check since it cannot find anything that provides these two libraries.

Is it ok to require SLE WE for sles 15 and sles 15 sp1 so that libxmlsec1 is available for vgauth?
Comment 2 vmware gos 2019-01-23 03:36:42 UTC
The WE module is optional for customers; a customer can choose whether or not to install the WE module.

At runtime open-vm-tools, more precisely /usr/bin/VGAuthService, links to libxmlsec1 and libxmlsec1-openssl1.

If we put libxmlsec1, libxmlsec1-openssl1 and libxmlsec1-openssl1-devel into the WE module, and the customer doesn't install WE, open-vm-tools/VGAuthService will run improperly due to the missing .so libraries, which is not expected.

So we need to put those packages into the basic module to ensure open-vm-tools with xmlsec1 runs well at runtime.

-VMWare GOS QA
Comment 4 Kirk Allan 2019-02-12 17:34:34 UTC
Changes to use libxmlsec1 have been submitted for SLES 12 SP4.  Waiting for acceptance.

Changes to use libxmlsec1 for SLES 15 SP1 are currently on hold.  The libraries are in the process of being moved from workstation extensions to desktop applications.  While better in desktop applications, it still would require users to have access to desktop applications.  See bug 1101426 for this discussion.

If having libxmlsec1 reside in desktop applications is acceptable, I can submit the change for SLES 15 SP1.
Comment 5 vmware gos 2019-02-13 06:20:16 UTC
For some server deployments, customers can choose not to install desktop applications.

If libxmlsec1 and its sub-packages are put into the Desktop module, and if the customer doesn't install the Desktop module, VGauth will not work.
So we need to put libxmlsec1 and its sub-packages into the BASE module.

-VMWare GOS QA
Comment 6 Kirk Allan 2019-02-13 14:52:03 UTC
(In reply to vmware-gos qa from comment #5)
> For some server deployments, customers can choose not to install desktop
> applications.
> 
> If libxmlsec1 and its sub-packages are put into the Desktop module, and if
> the customer doesn't install the Desktop module, VGauth will not work.
> So we need to put libxmlsec1 and its sub-packages into the BASE module.
> 
> -VMWare GOS QA

Added the above comment to Bug 1101426
Comment 7 vmware gos 2019-03-07 08:04:54 UTC
VMWARE PR:
https://bugzilla.eng.vmware.com/show_bug.cgi?id=2271820

-VMWare GOS QA
Comment 9 Swamp Workflow Management 2019-03-20 17:15:05 UTC
SUSE-RU-2019:0667-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1115118,1121964,1122435,1124397
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    open-vm-tools-10.3.5-4.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    open-vm-tools-10.3.5-4.3.1
Comment 10 Swamp Workflow Management 2019-03-21 23:21:15 UTC
SUSE-RU-2019:0696-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1115118,1121964,1122435,1124397
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    open-vm-tools-10.3.5-3.22.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    open-vm-tools-10.3.5-3.22.1
SUSE CaaS Platform ALL (src):    open-vm-tools-10.3.5-3.22.1
SUSE CaaS Platform 3.0 (src):    open-vm-tools-10.3.5-3.22.1
Comment 11 vmware gos 2019-03-22 02:42:33 UTC
SLE 15SP1 RC1 has declared that this bug is fixed in RC1 from changelog link https://www.suse.com/betaprogram/wp-content/uploads/2019/03/ChangeLog-SLE-15-Installer-RC1.txt

Snipped open-vm-tools changes here:
o Updated open-vm-tools (security/bugfix/feature)	[x86_64]
- Link VGAuthService to libxmlsec1 rather than libxml-security-c in SLE
  products where available. (bsc#1122435)

But I tested and found that this issue still occurs in RC1.

pek2-gosv-16-dhcp150:/run/media/root/SLE-15-SP1-Packages-x86_64-Build # find . -name "*xmlsec*"
./Module-Desktop-Applications/x86_64/libxmlsec1-1-1.2.26-5.13.x86_64.rpm
./Module-Desktop-Applications/x86_64/libxmlsec1-openssl1-1.2.26-5.13.x86_64.rpm
./Product-WE/x86_64/libxmlsec1-nss1-1.2.26-5.13.x86_64.rpm
./Product-WE/x86_64/xmlsec1-devel-1.2.26-5.13.x86_64.rpm
./Product-WE/x86_64/xmlsec1-openssl-devel-1.2.26-5.13.x86_64.rpm
./Product-WE/x86_64/xmlsec1-nss-devel-1.2.26-5.13.x86_64.rpm
pek2-gosv-16-dhcp150:/run/media/root/SLE-15-SP1-Packages-x86_64-Build # cat /etc/issue

Welcome to SUSE Linux Enterprise Server 15 SP1 RC1 (x86_64) - Kernel \r (\l).

eth0: \4{eth0} \6{eth0}

pek2-gosv-16-dhcp150:/run/media/root/SLE-15-SP1-Packages-x86_64-Build # ldd /usr/bin/VGAuthService
        linux-vdso.so.1 (0x00007ffca0071000)
        libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007f26780be000)
        libxerces-c-3.1.so => /usr/lib64/libxerces-c-3.1.so (0x00007f2677b22000)
        libxml-security-c.so.17 => /usr/lib64/libxml-security-c.so.17 (0x00007f2677814000)

We expect this issue should be fixed in RC1.

-VMWare GOS QA
Comment 12 Swamp Workflow Management 2019-03-29 14:11:41 UTC
openSUSE-RU-2019:1078-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1115118,1121964,1122435,1124397
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    open-vm-tools-10.3.5-22.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-04-02 10:12:01 UTC
openSUSE-RU-2019:1102-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1115118,1121964,1122435,1124397,1126102
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    open-vm-tools-10.3.5-lp150.2.10.2, xmlsec1-1.2.26-lp150.7.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 15 Marcus Meissner 2019-04-03 05:20:24 UTC
I would say this is done.
Comment 16 John Savanyo 2019-04-04 23:30:23 UTC
Hi Kirk,

Can you confirm when it would be OK for VMware to remove support for libxml-security-c?

From the call this morning, my understanding is:
 SUSE has added xmlsec1 to 15SP1RC2 and repos for 15 and 12SP4
 SUSE is still back porting new OVT releases to repos of all SLES releases that are still in general support.
 This includes 11SP4 and 12SP3, EOGS for these are 3/31/2019 and 06/2019(est).
 If VMware removes support for libxml-security-c, then back porting to SLE < 12SP4 will be problematic. 

So at what point will SUSE stop back porting new OVT releases to SLE < 12SP4?
Comment 17 Kirk Allan 2019-04-09 19:16:11 UTC
(In reply to John Savanyo from comment #16)
> Hi Kirk,
> 
> Can you confirm when it would be OK for VMware to remove support for
> libxml-security-c?
> 
> From the call this morning, my understanding is:
>  SUSE has added xmlsec1 to 15SP1RC2 and repos for 15 and 12SP4
>  SUSE is still back porting new OVT releases to repos of all SLES releases
> that are still in general support.
>  This includes 11SP4 and 12SP3, EOGS for these are 3/31/2019 and
> 06/2019(est).
>  If VMware removes support for libxml-security-c, then back porting to SLE <
> 12SP4 will be problematic. 
> 
> So at what point will SUSE stop back porting new OVT releases to SLE < 12SP4?

Usually, once general support ends, we stop actively supplying new updates to that product.  If bugs are entered, we evaluate the feasibility of back porting.

Looking at sles 12 sp3, I see that libxmlsec1 is available with updates.  So the next time we submit for sles 12 sp3, we can switch to libxmlsec1.

For sles 11 sp4, we currently do not build with vgauth so this is probably not an issue.
Comment 18 Kirk Allan 2019-04-16 17:23:34 UTC
libxmlsec1 is now being used for vgauth in SLES 15 SP1 RC2.  Marking as fixed.
Comment 19 vmware gos 2019-04-19 05:52:16 UTC
In RC2, VGAuthService uses libxmlsec1.so, which is expected.

pek2-gosv-16-dhcp92:/mnt # ldd /usr/bin/VGAuthService
        linux-vdso.so.1 (0x00007ffc413fc000)
        libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007efd7949b000)
        libxmlsec1.so.1 => /usr/lib64/libxmlsec1.so.1 (0x00007efd7922f000)
        libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00007efd78ec7000)
        libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007efd78c5b000)
        libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007efd787cd000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007efd785af000)
        libc.so.6 => /lib64/libc.so.6 (0x00007efd781f5000)
        libpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007efd77f68000)
        libxslt.so.1 => /usr/lib64/libxslt.so.1 (0x00007efd77d28000)
        libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007efd77b1e000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007efd7791a000)
        libz.so.1 => /lib64/libz.so.1 (0x00007efd77703000)
        liblzma.so.5 => /usr/lib64/liblzma.so.5 (0x00007efd774c8000)
        libm.so.6 => /lib64/libm.so.6 (0x00007efd77190000)
        /lib64/ld-linux-x86-64.so.2 (0x00007efd799d1000)

And the xmlsec1 packages are in the Base install ISO, which is also expected.

k2-gosv-16-dhcp92:~ # mount /dev/sr0 /mnt
mount: /mnt: WARNING: device write-protected, mounted read-only.
pek2-gosv-16-dhcp92:~ # cd /mnt/
pek2-gosv-16-dhcp92:/mnt # find . -name "*xmlsec*"
./x86_64/libxmlsec1-openssl1-1.2.26-5.19.x86_64.rpm
./x86_64/libxmlsec1-1-1.2.26-5.19.x86_64.rpm
pek2-gosv-16-dhcp92:/mnt # ls
.treeinfo    CHECKSUMS.asc  ChangeLog  README       docu                              gpg-pubkey-50a3dd1c-50f35137.asc  noarch            x86_64
ARCHIVES.gz  COPYRIGHT      EFI        README.BETA  gpg-pubkey-307e3d54-5aaa90a5.asc  ls-lR.gz                          repodata
CHECKSUMS    COPYRIGHT.de   INDEX.gz   boot         gpg-pubkey-39db7c82-5847eb1f.asc  media.1                           suse_ptf_key.asc
pek2-gosv-16-dhcp92:/mnt # find . -name "*open-vm-tools*"
./x86_64/open-vm-tools-10.3.10-1.4.x86_64.rpm


Lastly, VGAuthService works well.
pek2-gosv-16-dhcp92:/mnt # systemctl status vgauthd.service
● vgauthd.service - open-vm-tools: vgauth service for virtual machines hosted on VMware
   Loaded: loaded (/usr/lib/systemd/system/vgauthd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-04-18 23:35:20 EDT; 2h 12min ago
     Docs: http://github.com/vmware/open-vm-tools
 Main PID: 857 (VGAuthService)
    Tasks: 1 (limit: 19660)
   CGroup: /system.slice/vgauthd.service
           └─857 /usr/bin/VGAuthService -s

Apr 18 23:35:20 linux-7ts0 systemd[1]: Started open-vm-tools: vgauth service for virtual machines hosted on VMware.
Apr 18 23:35:20 linux-7ts0 VGAuthService[857]: Pref_Init: Using '/etc/vmware-tools/vgauth.conf' as preferences filepath
Apr 18 23:35:20 linux-7ts0 VGAuthService[857]: Core dump limit set to -1
Apr 19 01:39:57 pek2-gosv-16-dhcp92 VGAuthService[857]: Alias added to Alias store owned by 'root' by user 'root'.


Querying the user map also succeeds.
pek2-gosv-16-dhcp92:/mnt # /usr/bin/vmware-vgauth-cmd list
...
Username:root
        Subject: Administrator@vsphere.local

So regression PASS.

-VMWare GOS QA
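
The ldd check run by hand in comments 11 and 19, as an added example that is not part of the original thread: a POSIX shell script that reads ldd output, reports which XML security library the binary links, and fails if any dependency is unresolved. The function names are hypothetical; the first two samples are abridged from the thread's ldd output and the third is constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): decide from `ldd` output which
# XML-security library a binary links, and whether any library is unresolved.

# Reads ldd output on stdin; prints xmlsec1 | xml-security-c | both | none.
classify_xmlsec_backend() {
    awk '$1 ~ /^libxmlsec1\.so/        { x1 = 1 }
         $1 ~ /^libxml-security-c\.so/ { xc = 1 }
         END { if (x1 && xc) print "both"
               else if (x1)  print "xmlsec1"
               else if (xc)  print "xml-security-c"
               else          print "none" }'
}

# Reads ldd output on stdin; prints each library ldd could not resolve.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Succeeds only when the binary links libxmlsec1 (and not xml-security-c)
# and every dependency resolves. Body runs in a subshell to keep vars local.
check_vgauth() (
    out=$(cat)
    backend=$(printf '%s\n' "$out" | classify_xmlsec_backend)
    missing=$(printf '%s\n' "$out" | missing_libs)
    printf 'backend=%s missing=%s\n' "$backend" "${missing:-none}"
    [ "$backend" = "xmlsec1" ] && [ -z "$missing" ]
)

# Sample inputs: the first two are abridged from the ldd output quoted in the
# thread (RC1 and RC2); the third is constructed to show a missing library.
SAMPLE_RC1='        libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007f26780be000)
        libxerces-c-3.1.so => /usr/lib64/libxerces-c-3.1.so (0x00007f2677b22000)
        libxml-security-c.so.17 => /usr/lib64/libxml-security-c.so.17 (0x00007f2677814000)'
SAMPLE_RC2='        libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007efd7949b000)
        libxmlsec1.so.1 => /usr/lib64/libxmlsec1.so.1 (0x00007efd7922f000)
        libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00007efd78ec7000)'
SAMPLE_MISSING='        libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007f0000000000)
        libxmlsec1.so.1 => not found'

if [ "$#" -ge 1 ]; then
    ldd "$1" | check_vgauth          # e.g. /usr/bin/VGAuthService
else
    for s in "$SAMPLE_RC1" "$SAMPLE_RC2" "$SAMPLE_MISSING"; do
        printf '%s\n' "$s" | check_vgauth || echo "  -> FAIL"
    done
fi
```

Run with a binary path as the only argument to check an installed system; with no argument it evaluates the embedded samples.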
Comment 20 vmware gos 2019-04-19 05:53:09 UTC
Mark as verified.
Comment 21 Swamp Workflow Management 2019-04-24 15:55:45 UTC
SUSE-RU-2019:1021-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1126102,1130898
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    open-vm-tools-10.3.10-4.6.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    open-vm-tools-10.3.10-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-04-25 13:09:32 UTC
SUSE-RU-2019:1032-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1126102,1130898
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    open-vm-tools-10.3.10-3.25.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    open-vm-tools-10.3.10-3.25.1
SUSE CaaS Platform ALL (src):    open-vm-tools-10.3.10-3.25.1
SUSE CaaS Platform 3.0 (src):    open-vm-tools-10.3.10-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2019-05-08 19:13:51 UTC
openSUSE-RU-2019:1348-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1126102,1130898
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    open-vm-tools-10.3.10-26.1
Comment 26 Swamp Workflow Management 2019-06-14 16:12:48 UTC
SUSE-RU-2019:1503-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1133623
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    open-vm-tools-10.3.10-3.17.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    open-vm-tools-10.3.10-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2019-06-14 16:13:35 UTC
SUSE-RU-2019:1504-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1133623
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    open-vm-tools-10.3.10-3.28.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    open-vm-tools-10.3.10-3.28.1
SUSE CaaS Platform ALL (src):    open-vm-tools-10.3.10-3.28.1
SUSE CaaS Platform 3.0 (src):    open-vm-tools-10.3.10-3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2019-06-14 16:22:23 UTC
SUSE-RU-2019:1505-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1133623
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    open-vm-tools-10.3.10-4.9.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    open-vm-tools-10.3.10-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2019-06-21 13:17:58 UTC
SUSE-RU-2019:1613-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1133623
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    open-vm-tools-10.3.10-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    open-vm-tools-10.3.10-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2019-06-21 13:38:56 UTC
openSUSE-RU-2019:1591-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1133623
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    open-vm-tools-10.3.10-30.1
Comment 31 Swamp Workflow Management 2019-06-24 13:28:36 UTC
openSUSE-RU-2019:1599-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1133623
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    open-vm-tools-10.3.10-lp150.2.16.1
Comment 32 Swamp Workflow Management 2019-07-19 19:23:15 UTC
openSUSE-RU-2019:1728-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122435,1133623
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    open-vm-tools-10.3.10-lp151.2.3.1