open-vm-tools 10.3.10 released

Thanks Oliver, this will be to be considered for 19.10 then

Reviewing the changelog after talking to Bernd (thanks) I realized that there are security critical issues in there.

There is a security fix in it "Among others Fix possible security issue with the permissions of the intermediate staging directory and path"
[1]

But there are some further really bad things fixed like:
5f3f6ccd Fix NULL pointer dereference and remove three lines of dead code.

Since we are in Freeze but for critical cases can still reconsider it I'd want to do the following:
1. subscribe the release team and ping them if this could be synced into Disco still
   Actually i'll trigger the sync right away so it shows up as -unapproved as well.
2. subscribe -security to evaluate the severity of the issue to decide if we can wait for
   older releases for the next regular backport (planned towards the end of 19.10) or if we
   need/want to immediately work on those
   - subscribe security team

[1]: https://github.com/vmware/open-vm-tools/commit/e88f91b00a715b79255de6576506d80ecfdb064c

Ok, I see it in [1] disco-unapproved - up to the release team now to let it in (or not).

[1]: https://launchpad.net/ubuntu/disco/+queue?queue_state=1

One request (not essential for now): In future, could you paste release notes into the bug so that I can see them without opening a link? :-)

One question (which I'd like to see on future requests please): I assume you've done testing, but could you state what you've done and that it worked OK please, for the record?

Hi,
I try to remember the release notes, but my feeling here was they are too long for a bug description.

For testing I have formerly only talked with the Debian maintainer and it seemed good.

But to be sure on buildability and no major issues I have built it in a PPA [1] and installed as well as slightly tested it (the services are happy, but I'm not a power user) on a vmware guest. For the use cases I had it was fine.

[1]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1822204-open-vm-tools-10.3.10

I talked to the security Team (Marc), they said for the SRU our usual timing is enough as there is a another layer of protection against those kind of attacks. Therefore the bug will stay open for a while unless discussed otherwise.

un-assigning the security Team for now, and thanks for the guidance

open-vm-tools 11.0 will be too late this cycle (mid September), therefore in our "one MRE per cycle" approach to ensure the latest LTS stays up to match hypervisors we will backport 10.3.10 now.

Pushed to SRU team review - once in proposed I'll get into contact with VMWare to verify it on those releases as well (as usual).

Hello Oliver, or anyone else affected,

Accepted open-vm-tools into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/open-vm-tools/2:10.3.10-1~ubuntu0.18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Oliver, or anyone else affected,

Accepted open-vm-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/open-vm-tools/2:10.3.10-1~ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Thank you. I have notified our testing team to take care of this.

Thanks Oliver!
Waiting for their reply then ...

open-vm-tools 10.3.10 from -proposed works well in Ubuntu 18.04 Desktop and ubuntu 18.10 Server

1. Sanity Check from -proposed in Ubuntu 18.04 desktop:
  1) install/upgrade/uninstall open-vm-tools
  2) install /uninstall open-vm-tools-desktop
  3) check tools service and VGAuth service
  4) check tools service and VGAuth service after reboot VM
  5) check guestInfo with esxi command

2. Sanity Check from -proposed in In ubuntu 18.10 Sever

  1) install/upgrade/uninstall open-vm-tools
  2) check tools service and VGAuth service
  3) check tools service and VGAuth service after reboot VM
  4) check guestInfo with esxi command

Thanks Yuhua for pushing that through your tests.
Marking as verified

The verification of the Stable Release Update for open-vm-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package open-vm-tools - 2:10.3.10-1~ubuntu0.18.04.1

---------------
open-vm-tools (2:10.3.10-1~ubuntu0.18.04.1) bionic; urgency=medium

  * Backport recent open-vm-tools (LP: #1822204)

open-vm-tools (2:10.3.10-1) unstable; urgency=high

  * [122e511] Update upstream source from tag 'upstream/10.3.10'
    Update to upstream version '10.3.10'
    with Debian dir fb12c7cfc99a9497795475c29306e78d08cc3712
    - Closes: #925940
    - Bugfix release for the 10.3 series.
      - Correct and/or improve handling of certain quiesced
        snapshot failures (shipped as patch in 2:10.3.5-6).
      - Fix some bad derefs in primary NIC gather code
      - Fix possible security issue with the permissions of the
        intermediate staging directory and path.
        Closes: #925959
      - CONSTANT_EXPRESSION_RESULT in TimeUtil_StringToDate()
        Found by coverity.
      - Deploypkg log files of linux should not be world readable.
        They might contain sensitive data.
      - General code clean-up:
        - Treat local variables "len" consistently as "size_t"
          type in Posix_Getmntent_r()
        - Improve readability of error handling logic in
          ShrinkDoWipeAndShrink() and remove another line of dead code.
        - Setting "errno" to ENOENT when there is no passwd entry
          for the user.
      - Fix NULL pointer dereference and remove three lines of dead code.
    - Other changes/fixes, not related to Debian:
      - Update copyright years
      - Fix CentOS 7.6 detection
      - Include vmware/tools/log.h to define g_info (fix for SLES)
      - Special-case profile loading for StartProgram
        (Win32 only)
      - Changes to common source files not applicable to
        open-vm-tools. (Code used by other vmware tools, unrelated
        to open-vm-tools).
      - Bump up the SYSIMAGE_VERSION for VMware tools 10.3.10

  * [18de70f] Removing backported patches, shipped in 10.3.10.

open-vm-tools (2:10.3.5-8) unstable; urgency=medium

  [ Jean-Baptiste Lallement ]
  * [0f35aee] Add modaliases to open-vm-tools-desktop.
    Added Modaliases to open-vm-tools-desktop to auto-discover and
    auto-install the driver on Ubuntu via ubuntu-drivers. The driver is then
    installed at installation time and available on first boot for an
    improved user experience (LP: #1819207)

  [ Bernd Zeimetz ]
  * [dc4e1ce] Load vmwgfx module before vmtoolsd starts.
    As discussed on github in vmware/open-vm-tools#214
    we need to load the vmwgfx module before starting vmtoolsd
    for desktop users. Otherwise it is not able to retrieve the KMS
    resolutions and resizing the VM desktop fails.
    Thanks to @thomashvmw @rhertzog (Closes: #924518)

 -- Christian Ehrhardt <email address hidden> Tue, 14 May 2019 09:07:32 +0200

This bug was fixed in the package open-vm-tools - 2:10.3.10-1~ubuntu0.18.10.1

---------------
open-vm-tools (2:10.3.10-1~ubuntu0.18.10.1) cosmic; urgency=medium

  * Backport recent open-vm-tools (LP: #1822204)

open-vm-tools (2:10.3.10-1) unstable; urgency=high

  * [122e511] Update upstream source from tag 'upstream/10.3.10'
    Update to upstream version '10.3.10'
    with Debian dir fb12c7cfc99a9497795475c29306e78d08cc3712
    - Closes: #925940
    - Bugfix release for the 10.3 series.
      - Correct and/or improve handling of certain quiesced
        snapshot failures (shipped as patch in 2:10.3.5-6).
      - Fix some bad derefs in primary NIC gather code
      - Fix possible security issue with the permissions of the
        intermediate staging directory and path.
        Closes: #925959
      - CONSTANT_EXPRESSION_RESULT in TimeUtil_StringToDate()
        Found by coverity.
      - Deploypkg log files of linux should not be world readable.
        They might contain sensitive data.
      - General code clean-up:
        - Treat local variables "len" consistently as "size_t"
          type in Posix_Getmntent_r()
        - Improve readability of error handling logic in
          ShrinkDoWipeAndShrink() and remove another line of dead code.
        - Setting "errno" to ENOENT when there is no passwd entry
          for the user.
      - Fix NULL pointer dereference and remove three lines of dead code.
    - Other changes/fixes, not related to Debian:
      - Update copyright years
      - Fix CentOS 7.6 detection
      - Include vmware/tools/log.h to define g_info (fix for SLES)
      - Special-case profile loading for StartProgram
        (Win32 only)
      - Changes to common source files not applicable to
        open-vm-tools. (Code used by other vmware tools, unrelated
        to open-vm-tools).
      - Bump up the SYSIMAGE_VERSION for VMware tools 10.3.10

  * [18de70f] Removing backported patches, shipped in 10.3.10.

open-vm-tools (2:10.3.5-8) unstable; urgency=medium

  [ Jean-Baptiste Lallement ]
  * [0f35aee] Add modaliases to open-vm-tools-desktop.
    Added Modaliases to open-vm-tools-desktop to auto-discover and
    auto-install the driver on Ubuntu via ubuntu-drivers. The driver is then
    installed at installation time and available on first boot for an
    improved user experience (LP: #1819207)

  [ Bernd Zeimetz ]
  * [dc4e1ce] Load vmwgfx module before vmtoolsd starts.
    As discussed on github in vmware/open-vm-tools#214
    we need to load the vmwgfx module before starting vmtoolsd
    for desktop users. Otherwise it is not able to retrieve the KMS
    resolutions and resizing the VM desktop fails.
    Thanks to @thomashvmw @rhertzog (Closes: #924518)

 -- Christian Ehrhardt <email address hidden> Tue, 14 May 2019 09:05:46 +0200

folks how can i update to open-vm-tools 10.3.10 ... when installing Ubuntu i only get version 10.2.0 and there is no online updates

thanks

Hi Maher, in general all those questions/reports would be new bugs as it is not reopening or advancing this old bug. Giving you an answer now, but for the future it would be great if you could open new bugs for those.

It depends on the Ubuntu version you are at.
SRU [1] releases are always a tradeoff between the improved features/security vs the potential regressions - especially if we are not talking abotu single bug fixes but full version upgrades. Due to that together with VMWare we decided a while ago to backport the most recent open-vm-tools back to the latest LTS but then keep them frozen except for individual bugfixes.

Due to that you have:
>=Bionic (latest LTS) all on 10.3.10
Xenial: frozen at 10.2

If you really need a version >10.2 you should upgrade your system to Ubuntu 18.04 or later.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates