
Bug#1116946: Acknowledgement (bookworm-pu: package open-vm-tools/2:12.2.0-1+deb12u4)



hi,

here is the debdiff (from salsa CI, please ignore the salsa CI version extras) - I think I forgot to attach it.

Bernd
diff -Nru open-vm-tools-12.2.0/debian/.gitlab-ci.yml open-vm-tools-12.2.0/debian/.gitlab-ci.yml
--- open-vm-tools-12.2.0/debian/.gitlab-ci.yml	2025-05-12 13:22:02.000000000 +0000
+++ open-vm-tools-12.2.0/debian/.gitlab-ci.yml	2025-09-30 19:11:28.000000000 +0000
@@ -12,3 +12,50 @@
  SALSA_CI_DISABLE_REPROTEST: 1
  SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0
  SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0
+ SALSA_CI_DISABLE_DEBDIFF: 0
+
+
+debdiff:
+  stage: test
+  image: $SALSA_CI_IMAGES_GENERIC_TESTS
+  rules:
+    - if: $SALSA_CI_ENABLE_DEBDIFF =~ /^(1|yes|true)$/
+    - if: $SALSA_CI_DISABLE_ALL_TESTS =~ /^(1|yes|true)$/
+      when: never
+    - if: $SALSA_CI_DISABLE_DEBDIFF !~ /^(1|yes|true)$/
+  script:
+    - "sed -i '/^Types:/s,:.*,: deb deb-src,' /etc/apt/sources.list.d/debian.sources"
+    # this is fugly, but the build container is totally not happy about apt
+    # downloading sources otherwise.
+    - echo 'APT::Sandbox::User "root";' | tee -a /etc/apt/apt.conf.d/10sandbox
+    - apt-get update && eatmydata apt-get install -y devscripts
+    - PKG_NAME=$(dpkg-parsechangelog -S Source)
+    - NEW_DSC=$(find ${WORKING_DIR} -maxdepth 1 -name "*.dsc" | head -n 1)
+    - |
+      if [ -z "${PKG_NAME}" ] || [ ! -f "${NEW_DSC}" ]; then
+        echo "Error: Could not determine package name or find .changes file."
+        exit 1
+      fi
+    - |
+      # Attempt to download the source package from the archive.
+      # If it fails, the package is likely new, and we create a note.
+      if apt-get -d source "${PKG_NAME}"; then
+        OLD_DSC=$(find . -maxdepth 1 -name "${PKG_NAME}_*.dsc" | head -n 1)
+        if [ -f "${OLD_DSC}" ]; then
+          debdiff "${OLD_DSC}" "${NEW_DSC}" > "${WORKING_DIR}/${PKG_NAME}.debdiff" || true
+        else
+          echo "Warning: apt-get source ran but no .dsc file was found." > "${WORKING_DIR}/${PKG_NAME}.debdiff"
+        fi
+      else
+        echo "Package not found in archive; assuming it is new." > "${WORKING_DIR}/${PKG_NAME}.debdiff"
+      fi
+  variables:
+    # We need the source checkout for dpkg-parsechangelog
+    GIT_STRATEGY: fetch
+  artifacts:
+    paths:
+      - ${WORKING_DIR}/*.debdiff
+    when: always
+  needs:
+    - job: build
+      artifacts: true
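Review bot: The error message in the `if [ -z "${PKG_NAME}" ] || [ ! -f "${NEW_DSC}" ]` guard says it could not find a `.changes` file, but the test is on `NEW_DSC`, which is populated by `find ${WORKING_DIR} -maxdepth 1 -name "*.dsc"`; change it to `echo "Error: Could not determine package name or find .dsc file."`. That same `find ... | head -n 1` silently picks an arbitrary `.dsc` if the build stage produced more than one, so either narrow it to `-name "${PKG_NAME}_*.dsc"` like the OLD_DSC lookup or add a comment stating the single-.dsc assumption. The `APT::Sandbox::User "root"` line disables apt's unprivileged download method for the whole job container; the existing comment says only that the container is unhappy otherwise, so it is worth extending it to note that this is acceptable solely because the image is a throwaway CI environment and must not be copied into production apt configuration.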
diff -Nru open-vm-tools-12.2.0/debian/changelog open-vm-tools-12.2.0/debian/changelog
--- open-vm-tools-12.2.0/debian/changelog	2025-05-12 13:22:02.000000000 +0000
+++ open-vm-tools-12.2.0/debian/changelog	2025-09-30 19:11:28.000000000 +0000
@@ -1,3 +1,12 @@
+open-vm-tools (2:12.2.0-1+deb12u4+salsaci+20250930+274) bookworm; urgency=high
+
+  * [e4ad4b0] Run debdiff in CI
+  * [039e4a0] Disable (default) the execution of the SDMP get-versions.sh script
+    (CVE-2025-41244)
+    Thanks to Salvatore Bonaccorso
+
+ -- Bernd Zeimetz <bzed@debian.org>  Tue, 30 Sep 2025 21:11:28 +0200
+
 open-vm-tools (2:12.2.0-1+deb12u3) bookworm-security; urgency=medium
 
   * [df2a118] Fixing an insecure file handling vulnerability.
diff -Nru open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch
--- open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch	1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch	2025-09-30 19:11:28.000000000 +0000
@@ -0,0 +1,119 @@
+From b2f1ac61f426ba9be93a3751ead222fc8512509c Mon Sep 17 00:00:00 2001
+From: John Wolfe <john.wolfe@broadcom.com>
+Date: Wed, 17 Sep 2025 22:18:49 -0700
+Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
+
+Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria.
+
+All files being updated should be consider to have the copyright
+updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+---
+ .../serviceDiscovery/serviceDiscovery.c       | 35 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -111,6 +111,12 @@ VM_EMBED_VERSION(VMTOOLSD_VERSION_STRING
+ #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
+ 
+ /*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
++/*
+  * Defines the configuration to cache data in gdp plugin
+  */
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
+@@ -1232,25 +1238,27 @@ ServiceDiscoveryServerShutdown(gpointer
+  *
+  * Construct final paths of the scripts that will be used for execution.
+  *
+- *****************************************************************************
++ * @param[in] versionCheckEnabled  TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
++ *                                 entry; FALSE to skip it (derived from config).
++ * *****************************************************************************
+  */
+ 
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+    int i;
+    gchar *scriptInstallDir;
+ #if !defined(OPEN_VM_TOOLS)
+    gchar *toolsInstallDir;
+ #endif
++   int insertIndex = 0;
+ 
+    if (gFullPaths != NULL) {
+       return;
+    }
+ 
+    gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+-                                  ARRAYSIZE(gKeyScripts));
+-
++                                  ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+ #if defined(OPEN_VM_TOOLS)
+    scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+ #else
+@@ -1261,6 +1269,15 @@ ConstructScriptPaths(void)
+ #endif
+ 
+    for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++      /*
++       * Skip adding if:
++       * 1. Version check is disabled, AND
++       * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++       */
++      if (!versionCheckEnabled &&
++         g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
++         continue;
++      }
+       KeyNameValue tmp;
+       tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1270,7 +1287,8 @@ ConstructScriptPaths(void)
+       tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS,
+                                 gKeyScripts[i].val);
+ #endif
+-      g_array_insert_val(gFullPaths, i, tmp);
++      g_array_insert_val(gFullPaths, insertIndex, tmp);
++      insertIndex++;
+    }
+ 
+    g_free(scriptInstallDir);
+@@ -1338,14 +1356,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+          }
+       };
+       gboolean disabled;
++      Bool versionCheckEnabled;
+ 
+       regData.regs = VMTools_WrapArray(regs,
+                                        sizeof *regs,
+                                        ARRAYSIZE(regs));
++      versionCheckEnabled = VMTools_ConfigGetBoolean(
++         ctx->config,
++         CONFGROUPNAME_SERVICEDISCOVERY,
++         CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++         SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+       /*
+        * Append scripts absolute paths based on installation dirs.
+        */
+-      ConstructScriptPaths();
++      ConstructScriptPaths(versionCheckEnabled);
+ 
+       disabled =
+          VMTools_ConfigGetBoolean(ctx->config,
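Review bot: The closing banner of ConstructScriptPaths's header comment now reads ` * *****…` (the added `+ * ***` line) where the removed line was a bare ` *****…`, so it no longer matches the banner style used elsewhere in the file; keep the new @param lines and restore ` *****************************************************************************` as the final line before ` */`. Separately, `versionCheckEnabled` is declared `Bool` while the neighbouring `disabled` is `gboolean`, and both are assigned from `VMTools_ConfigGetBoolean`; using `gboolean versionCheckEnabled;` (and the same type for the ConstructScriptPaths parameter) avoids the implicit conversion and keeps the two declarations consistent. Because the new `CONFNAME_SERVICEDISCOVERY_VERSION_CHECK` ("version-check-enabled") key, read under CONFGROUPNAME_SERVICEDISCOVERY with default FALSE, opts back into adding the SERVICE_DISCOVERY_KEY_VERSIONS script that this CVE-2025-41244 fix omits by default, the Debian changelog or a NEWS entry should state that enabling it presumably reinstates the pre-patch behaviour so administrators can make that trade-off knowingly. Both ConstructScriptPaths and ToolsOnLoad continue outside the quoted hunks.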
diff -Nru open-vm-tools-12.2.0/debian/patches/series open-vm-tools-12.2.0/debian/patches/series
--- open-vm-tools-12.2.0/debian/patches/series	2025-05-12 13:22:02.000000000 +0000
+++ open-vm-tools-12.2.0/debian/patches/series	2025-09-30 19:11:28.000000000 +0000
@@ -6,3 +6,4 @@
 CVE-2023-34059.patch
 CVE-2023-34058.patch
 CVE-2025-22247-1100-1225-VGAuth-updates.patch
+CVE-2025-41244-1200-1225-SDMP.patch
