Bug#1116946: bookworm-pu: package open-vm-tools/2:12.2.0-1+deb12u4
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: open-vm-tools@packages.debian.org, team@security.debian.org
Control: affects -1 + src:open-vm-tools
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fixing CVE-2025-41244 using the patch provided by Broadcom/VMware via
point-release as discussed with the security team.
[ Impact ]
VMware Aria Operations and VMware Tools contain a local privilege escalation
vulnerability. A malicious local actor with non-administrative privileges
having access to a VM with VMware Tools installed and managed by Aria Operations
with SDMP enabled may exploit this vulnerability to escalate privileges to root
on the same VM.
[ Tests ]
None except for the salsa pipeline: Debian doesn't have ESX hosts for
automated tests.
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines/947554
[ Risks ]
Low risk: the affected package has a very low popcon compared to
open-vm-tools itself.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
- please do not ask me how exactly this fixes an issue or what the
issue exactly was to begin with, I assume that upstream does the
right thing there.
[x] attach debdiff against the package in (old)stable
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/jobs/8377091/artifacts/file/debian/output/open-vm-tools.debdiff
(please ignore the +salsaci version stuff, the debdiff is from the
CI indeed)
also attached.
[x] the issue is verified as fixed in unstable
supposed to be fixed in 13.0.5
[ Changes ]
New patch, directly from upstream (plus some salsa CI / git-buildpackage
related changes to build in bookworm instead of unstable).
thanks,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F