Bug#1116938: trixie-pu: package open-vm-tools/2:12.5.0-2+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: open-vm-tools@packages.debian.org, team@security.debian.org
Control: affects -1 + src:open-vm-tools
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fixing CVE-2025-41244 using the patch provided by Broadcom/VMware via
point-release as discussed with the security team.
[ Impact ]
VMware Aria Operations and VMware Tools contain a local privilege escalation
vulnerability. A malicious local actor with non-administrative privileges
having access to a VM with VMware Tools installed and managed by Aria Operations
with SDMP enabled may exploit this vulnerability to escalate privileges to root
on the same VM.
[ Tests ]
None except for the salsa pipeline - Debian doesn't have ESX hosts for
automated tests.
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines/947476
[ Risks ]
Low risk: the affected package has a very low popcon compared to
open-vm-tools itself.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
- please do not ask me how exactly this fixes an issue or what the
issue exactly was to begin with, I assume that upstream does the
right thing there.
[X] attach debdiff against the package in (old)stable
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/jobs/8376516/artifacts/file/debian/output/open-vm-tools.debdiff
also attached.
[X] the issue is verified as fixed in unstable
supposed to be fixed in 13.0.5
[ Changes ]
new patch, directly from upstream.
( + some salsa CI / git-buildpackage related changes to run in trixie
instead of unstable)
thanks,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
diff -Nru open-vm-tools-12.5.0/debian/.gitlab-ci.yml open-vm-tools-12.5.0/debian/.gitlab-ci.yml
--- open-vm-tools-12.5.0/debian/.gitlab-ci.yml 2025-05-12 13:17:50.000000000 +0000
+++ open-vm-tools-12.5.0/debian/.gitlab-ci.yml 2025-09-30 18:12:54.000000000 +0000
@@ -3,7 +3,7 @@
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
variables:
- RELEASE: 'unstable'
+ RELEASE: 'trixie'
SALSA_CI_DISABLE_APTLY: 0
SALSA_CI_DISABLE_AUTOPKGTEST: 0
SALSA_CI_DISABLE_BLHC: 0
@@ -15,3 +15,50 @@
SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1
SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1
SALSA_CI_DISABLE_BUILD_PACKAGE_ARM64: 0
+ SALSA_CI_DISABLE_DEBDIFF: 0
+
+
+debdiff:
+ stage: test
+ image: $SALSA_CI_IMAGES_GENERIC_TESTS
+ rules:
+ - if: $SALSA_CI_ENABLE_DEBDIFF =~ /^(1|yes|true)$/
+ - if: $SALSA_CI_DISABLE_ALL_TESTS =~ /^(1|yes|true)$/
+ when: never
+ - if: $SALSA_CI_DISABLE_DEBDIFF !~ /^(1|yes|true)$/
+ script:
+ - "sed -i '/^Types:/s,:.*,: deb deb-src,' /etc/apt/sources.list.d/debian.sources"
+ # this is fugly, but the build container is totally not happy about apt
+ # downloading sources otherwise.
+ - echo 'APT::Sandbox::User "root";' | tee -a /etc/apt/apt.conf.d/10sandbox
+ - apt-get update && eatmydata apt-get install -y devscripts
+ - PKG_NAME=$(dpkg-parsechangelog -S Source)
+ - NEW_DSC=$(find ${WORKING_DIR} -maxdepth 1 -name "*.dsc" | head -n 1)
+ - |
+ if [ -z "${PKG_NAME}" ] || [ ! -f "${NEW_DSC}" ]; then
+ echo "Error: Could not determine package name or find .changes file."
+ exit 1
+ fi
+ - |
+ # Attempt to download the source package from the archive.
+ # If it fails, the package is likely new, and we create a note.
+ if apt-get -d source "${PKG_NAME}"; then
+ OLD_DSC=$(find . -maxdepth 1 -name "${PKG_NAME}_*.dsc" | head -n 1)
+ if [ -f "${OLD_DSC}" ]; then
+ debdiff "${OLD_DSC}" "${NEW_DSC}" > "${WORKING_DIR}/${PKG_NAME}.debdiff" || true
+ else
+ echo "Warning: apt-get source ran but no .dsc file was found." > "${WORKING_DIR}/${PKG_NAME}.debdiff"
+ fi
+ else
+ echo "Package not found in archive; assuming it is new." > "${WORKING_DIR}/${PKG_NAME}.debdiff"
+ fi
+ variables:
+ # We need the source checkout for dpkg-parsechangelog
+ GIT_STRATEGY: fetch
+ artifacts:
+ paths:
+ - ${WORKING_DIR}/*.debdiff
+ when: always
+ needs:
+ - job: build
+ artifacts: true
diff -Nru open-vm-tools-12.5.0/debian/changelog open-vm-tools-12.5.0/debian/changelog
--- open-vm-tools-12.5.0/debian/changelog 2025-05-12 13:17:50.000000000 +0000
+++ open-vm-tools-12.5.0/debian/changelog 2025-09-30 18:12:54.000000000 +0000
@@ -1,3 +1,13 @@
+open-vm-tools (2:12.5.0-2+deb13u1+salsaci+20250930+273) trixie; urgency=high
+
+ * [eb68735] Gitlab CI / GBP configs: use trixie
+ * [21e31a4] Disable (default) the execution of the SDMP get-versions.sh script
+ (CVE-2025-41244)
+ Thanks to Salvatore Bonaccorso
+ * [0e87684] Generate debdiffs in salsa CI automatically
+
+ -- Bernd Zeimetz <bzed@debian.org> Tue, 30 Sep 2025 20:12:54 +0200
+
open-vm-tools (2:12.5.0-2) unstable; urgency=high
* [910f279] Fixing an insecure file handling vulnerability.
diff -Nru open-vm-tools-12.5.0/debian/gbp.conf open-vm-tools-12.5.0/debian/gbp.conf
--- open-vm-tools-12.5.0/debian/gbp.conf 2025-05-12 13:17:50.000000000 +0000
+++ open-vm-tools-12.5.0/debian/gbp.conf 2025-09-30 18:12:54.000000000 +0000
@@ -1,3 +1,6 @@
+[DEFAULT]
+debian-branch = trixie
+
[buildpackage]
sign-tags = True
posttag = git push && git push --tags
diff -Nru open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch
--- open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch 1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch 2025-09-30 18:12:54.000000000 +0000
@@ -0,0 +1,117 @@
+From b2f1ac61f426ba9be93a3751ead222fc8512509c Mon Sep 17 00:00:00 2001
+From: John Wolfe <john.wolfe@broadcom.com>
+Date: Wed, 17 Sep 2025 22:18:49 -0700
+Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
+
+Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria.
+
+All files being updated should be consider to have the copyright
+updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+---
+ .../serviceDiscovery/serviceDiscovery.c | 35 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -116,6 +116,12 @@ static gchar* scriptInstallDir = NULL;
+ #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
+
+ /*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
++/*
+ * Defines the configuration to cache data in gdp plugin
+ */
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
+@@ -1260,23 +1266,26 @@ ServiceDiscoveryServerShutdown(gpointer
+ *
+ * Construct final paths of the scripts that will be used for execution.
+ *
+- *****************************************************************************
++ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
++ * entry; FALSE to skip it (derived from config).
++ * *****************************************************************************
+ */
+
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+ int i;
+ #if !defined(OPEN_VM_TOOLS)
+ gchar *toolsInstallDir;
+ #endif
++ int insertIndex = 0;
+
+ if (gFullPaths != NULL) {
+ return;
+ }
+
+ gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+- ARRAYSIZE(gKeyScripts));
++ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+ if (scriptInstallDir == NULL) {
+ #if defined(OPEN_VM_TOOLS)
+ scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+@@ -1288,6 +1297,15 @@ ConstructScriptPaths(void)
+ #endif
+ }
+ for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++ /*
++ * Skip adding if:
++ * 1. Version check is disabled, AND
++ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++ */
++ if (!versionCheckEnabled &&
++ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
++ continue;
++ }
+ KeyNameValue tmp;
+ tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1295,7 +1313,8 @@ ConstructScriptPaths(void)
+ #else
+ tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
+ #endif
+- g_array_insert_val(gFullPaths, i, tmp);
++ g_array_insert_val(gFullPaths, insertIndex, tmp);
++ insertIndex++;
+ }
+ }
+
+@@ -1361,14 +1380,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+ }
+ };
+ gboolean disabled;
++ Bool versionCheckEnabled;
+
+ regData.regs = VMTools_WrapArray(regs,
+ sizeof *regs,
+ ARRAYSIZE(regs));
++ versionCheckEnabled = VMTools_ConfigGetBoolean(
++ ctx->config,
++ CONFGROUPNAME_SERVICEDISCOVERY,
++ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+ /*
+ * Append scripts execution command line
+ */
+- ConstructScriptPaths();
++ ConstructScriptPaths(versionCheckEnabled);
+
+ disabled =
+ VMTools_ConfigGetBoolean(ctx->config,
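Review bot: The new `versionCheckEnabled` argument is ignored on any call after the first, because `ConstructScriptPaths` still returns early when `gFullPaths != NULL`; that is presumably harmless for the single call from ToolsOnLoad, but the new `@param[in]` text should say so, e.g. `* Honoured only on the first call; later calls return without rebuilding gFullPaths.`. The flag's type also alternates within the patch: `VMTools_ConfigGetBoolean` is stored into a `Bool versionCheckEnabled` while the neighbouring `disabled` is a `gboolean`, so `ConstructScriptPaths(gboolean versionCheckEnabled)` would keep ToolsOnLoad consistent with itself. Nothing in the debdiff tells an administrator that service version reporting is now off unless `version-check-enabled` is set in the service-discovery section of the tools configuration; a short debian/NEWS or README.Debian entry would avoid surprises for Aria Operations users. The bodies of ConstructScriptPaths and ToolsOnLoad continue outside the quoted hunks.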
diff -Nru open-vm-tools-12.5.0/debian/patches/series open-vm-tools-12.5.0/debian/patches/series
--- open-vm-tools-12.5.0/debian/patches/series 2025-05-12 13:17:50.000000000 +0000
+++ open-vm-tools-12.5.0/debian/patches/series 2025-09-30 18:12:54.000000000 +0000
@@ -1,3 +1,4 @@
use-debian-pam
debian/scsi-udev-rule
CVE-2025-22247-1230-1250-VGAuth-updates.patch
+CVE-2025-41244-1200-1225-SDMP.patch