Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:open-vm-tools
User: [email protected]
Usertags: pu

[ Reason ]
Fixing CVE-2025-41244 using the patch provided by Broadcom/VMware via
point-release, as discussed with the security team.

[ Impact ]
VMware Aria Operations and VMware Tools contain a local privilege
escalation vulnerability. A malicious local actor with non-administrative
privileges having access to a VM with VMware Tools installed and managed
by Aria Operations with SDMP enabled may exploit this vulnerability to
escalate privileges to root on the same VM.

[ Tests ]
None except for the salsa pipeline; Debian doesn't have ESX hosts for
automated tests.
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines/947554

[ Risks ]
Low risk; the affected package has a very very low popcon compared to
open-vm-tools itself.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
      (please do not ask me how exactly this fixes an issue or what the
      issue exactly was to begin with; I assume that upstream does the
      right thing there.)
  [x] attach debdiff against the package in (old)stable
      https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/jobs/8377091/artifacts/file/debian/output/open-vm-tools.debdiff
      (please ignore the +salsaci version stuff, the debdiff is from the
      CI indeed) - also attached.
  [x] the issue is verified as fixed in unstable
      (supposed to be fixed in 13.0.5)

[ Changes ]
New patch, directly from upstream (plus some salsa CI / git-buildpackage
related changes to build in bookworm instead of unstable).

thanks,

Bernd

-- 
Bernd Zeimetz
Debian GNU/Linux Developer
http://bzed.de
http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F

