Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id 
<736c7150dc08501cc89945035c406eaf9688e144.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1116938,
regarding trixie-pu: package open-vm-tools/2:12.5.0-2+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1116938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116938
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:open-vm-tools
User: [email protected]
Usertags: pu

[ Reason ]
Fixing CVE-2025-41244 using the patch provided by Broadcom/VMware via
point-release as discussed with the security team.


[ Impact ]
VMware Aria Operations and VMware Tools contain a local privilege escalation
vulnerability. A malicious local actor with non-administrative privileges
having access to a VM with VMware Tools installed and managed by Aria Operations
with SDMP enabled may exploit this vulnerability to escalate privileges to root
on the same VM.

[ Tests ]
None except for the salsa pipeline - Debian doesn't have ESX hosts for
automated tests.
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines/947476


[ Risks ]
low risk, the affected package has a very very low popcon compared to
open-vm-tools itself.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
     - please do not ask me how exactly this fixes an issue or what the
       issue exactly was to begin with, I assume that upstream does the
       right thing there.
  [X] attach debdiff against the package in (old)stable
      
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/jobs/8376516/artifacts/file/debian/output/open-vm-tools.debdiff
      also attached.

  [X] the issue is verified as fixed in unstable
      supposed to be fixed in 13.0.5

[ Changes ]
new patch, directly from upstream.
( + some salsa CI / git-buildpackage related changes to run in trixie
instead of unstable)


thanks,

Bernd

--
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff -Nru open-vm-tools-12.5.0/debian/.gitlab-ci.yml 
open-vm-tools-12.5.0/debian/.gitlab-ci.yml
--- open-vm-tools-12.5.0/debian/.gitlab-ci.yml  2025-05-12 13:17:50.000000000 
+0000
+++ open-vm-tools-12.5.0/debian/.gitlab-ci.yml  2025-09-30 18:12:54.000000000 
+0000
@@ -3,7 +3,7 @@
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
- RELEASE: 'unstable'
+ RELEASE: 'trixie'
  SALSA_CI_DISABLE_APTLY: 0
  SALSA_CI_DISABLE_AUTOPKGTEST: 0
  SALSA_CI_DISABLE_BLHC: 0
@@ -15,3 +15,50 @@
  SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1
  SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1
  SALSA_CI_DISABLE_BUILD_PACKAGE_ARM64: 0
+ SALSA_CI_DISABLE_DEBDIFF: 0
+
+
+debdiff:
+  stage: test
+  image: $SALSA_CI_IMAGES_GENERIC_TESTS
+  rules:
+    - if: $SALSA_CI_ENABLE_DEBDIFF =~ /^(1|yes|true)$/
+    - if: $SALSA_CI_DISABLE_ALL_TESTS =~ /^(1|yes|true)$/
+      when: never
+    - if: $SALSA_CI_DISABLE_DEBDIFF !~ /^(1|yes|true)$/
+  script:
+    - "sed -i '/^Types:/s,:.*,: deb deb-src,' 
/etc/apt/sources.list.d/debian.sources"
+    # this is fugly, but the build container is totally not happy about apt
+    # downloading sources otherwise.
+    - echo 'APT::Sandbox::User "root";' | tee -a /etc/apt/apt.conf.d/10sandbox
+    - apt-get update && eatmydata apt-get install -y devscripts
+    - PKG_NAME=$(dpkg-parsechangelog -S Source)
+    - NEW_DSC=$(find ${WORKING_DIR} -maxdepth 1 -name "*.dsc" | head -n 1)
+    - |
+      if [ -z "${PKG_NAME}" ] || [ ! -f "${NEW_DSC}" ]; then
+        echo "Error: Could not determine package name or find .changes file."
+        exit 1
+      fi
+    - |
+      # Attempt to download the source package from the archive.
+      # If it fails, the package is likely new, and we create a note.
+      if apt-get -d source "${PKG_NAME}"; then
+        OLD_DSC=$(find . -maxdepth 1 -name "${PKG_NAME}_*.dsc" | head -n 1)
+        if [ -f "${OLD_DSC}" ]; then
+          debdiff "${OLD_DSC}" "${NEW_DSC}" > 
"${WORKING_DIR}/${PKG_NAME}.debdiff" || true
+        else
+          echo "Warning: apt-get source ran but no .dsc file was found." > 
"${WORKING_DIR}/${PKG_NAME}.debdiff"
+        fi
+      else
+        echo "Package not found in archive; assuming it is new." > 
"${WORKING_DIR}/${PKG_NAME}.debdiff"
+      fi
+  variables:
+    # We need the source checkout for dpkg-parsechangelog
+    GIT_STRATEGY: fetch
+  artifacts:
+    paths:
+      - ${WORKING_DIR}/*.debdiff
+    when: always
+  needs:
+    - job: build
+      artifacts: true
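Review bot: the failure branch `echo "Error: Could not determine package name or find .changes file."` talks about a .changes file while the guard above it tests `NEW_DSC`, i.e. a .dsc; make the message say what was actually looked for. Three further points in the same script. `debdiff "${OLD_DSC}" "${NEW_DSC}" > ... || true` discards every exit status, so an unpack failure yields an empty artifact and a green job; since debdiff uses exit status 1 to mean "differences found", capture the status instead of blanket-ignoring it, e.g. `debdiff "${OLD_DSC}" "${NEW_DSC}" > "$out" || rc=$?` followed by `[ "${rc:-0}" -le 1 ] || exit "$rc"`. `OLD_DSC=$(find . -maxdepth 1 -name "${PKG_NAME}_*.dsc" | head -n 1)` searches the current directory, so the job is only correct while `${WORKING_DIR}` is not the cwd; if they ever coincide, `head -n 1` can pick the freshly built .dsc and debdiff the package against itself. Fetching the archive source into a dedicated scratch directory (`mkdir old && cd old && apt-get -d source ...`) removes that dependency. Finally, `APT::Sandbox::User "root"` switches off apt's privilege drop for its fetch methods inside the container; that is tolerable for a throwaway CI image, but the comment only calls it "fugly" and should name the consequence so nobody copies the line into a longer-lived environment.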
diff -Nru open-vm-tools-12.5.0/debian/changelog 
open-vm-tools-12.5.0/debian/changelog
--- open-vm-tools-12.5.0/debian/changelog       2025-05-12 13:17:50.000000000 
+0000
+++ open-vm-tools-12.5.0/debian/changelog       2025-09-30 18:12:54.000000000 
+0000
@@ -1,3 +1,13 @@
+open-vm-tools (2:12.5.0-2+deb13u1+salsaci+20250930+273) trixie; urgency=high
+
+  * [eb68735] Gitlab CI / GBP configs: use trixie
+  * [21e31a4] Disable (default) the execution of the SDMP get-versions.sh 
script
+    (CVE-2025-41244)
+    Thanks to Salvatore Bonaccorso
+  * [0e87684] Generate debdiffs in salsa CI automatically
+
+ -- Bernd Zeimetz <[email protected]>  Tue, 30 Sep 2025 20:12:54 +0200
+
 open-vm-tools (2:12.5.0-2) unstable; urgency=high
 
   * [910f279] Fixing an insecure file handling vulnerability.
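Review bot: the version in the new entry, `2:12.5.0-2+deb13u1+salsaci+20250930+273`, is the Salsa CI build's auto-generated suffix rather than the `2:12.5.0-2+deb13u1` named in the bug title; this debdiff was taken from the CI artifact, so confirm that the actual upload carries the plain +deb13u1 version. The CVE bullet also only says that execution of get-versions.sh is disabled; the user-visible consequence (service version data no longer reaches Aria Operations, and the new `version-check-enabled` key is the way to turn it back on) belongs in the changelog or a NEWS entry so administrators upgrading through the point release know why their inventory data disappeared.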
diff -Nru open-vm-tools-12.5.0/debian/gbp.conf 
open-vm-tools-12.5.0/debian/gbp.conf
--- open-vm-tools-12.5.0/debian/gbp.conf        2025-05-12 13:17:50.000000000 
+0000
+++ open-vm-tools-12.5.0/debian/gbp.conf        2025-09-30 18:12:54.000000000 
+0000
@@ -1,3 +1,6 @@
+[DEFAULT]
+debian-branch = trixie
+
 [buildpackage]
 sign-tags = True
 posttag = git push && git push --tags
diff -Nru 
open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch 
open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch
--- open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch     
1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-12.5.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch     
2025-09-30 18:12:54.000000000 +0000
@@ -0,0 +1,117 @@
+From b2f1ac61f426ba9be93a3751ead222fc8512509c Mon Sep 17 00:00:00 2001
+From: John Wolfe <[email protected]>
+Date: Wed, 17 Sep 2025 22:18:49 -0700
+Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
+
+Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria.
+
+All files being updated should be consider to have the copyright
+updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+---
+ .../serviceDiscovery/serviceDiscovery.c       | 35 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -116,6 +116,12 @@ static gchar* scriptInstallDir = NULL;
+ #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
+ 
+ /*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
++/*
+  * Defines the configuration to cache data in gdp plugin
+  */
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
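Review bot: `CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"` introduces a tools.conf key that nothing in this patch documents, and the commit message only says that version information will no longer be sent to Aria. The key should be described (in the tools.conf example or in Debian's README/NEWS) together with the warning that setting it to true restores the pre-patch code path, that is, re-exposes the guest to the issue this patch fixes; otherwise an administrator chasing the missing inventory data will flip it on without knowing what they are trading.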
+@@ -1260,23 +1266,26 @@ ServiceDiscoveryServerShutdown(gpointer
+  *
+  * Construct final paths of the scripts that will be used for execution.
+  *
+- *****************************************************************************
++ * @param[in] versionCheckEnabled  TRUE to include the 
SERVICE_DISCOVERY_KEY_VERSIONS
++ *                                 entry; FALSE to skip it (derived from 
config).
++ * 
*****************************************************************************
+  */
+ 
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+    int i;
+ #if !defined(OPEN_VM_TOOLS)
+    gchar *toolsInstallDir;
+ #endif
++   int insertIndex = 0;
+ 
+    if (gFullPaths != NULL) {
+       return;
+    }
+ 
+    gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+-                                  ARRAYSIZE(gKeyScripts));
++                                  ARRAYSIZE(gKeyScripts) - 
(versionCheckEnabled ? 0u : 1u));
+    if (scriptInstallDir == NULL) {
+ #if defined(OPEN_VM_TOOLS)
+       scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
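Review bot: `ConstructScriptPaths()` still returns early when `gFullPaths != NULL`, so the new `versionCheckEnabled` argument only takes effect on the first call; a later call with a different value silently keeps the list built earlier. That is fine while the only caller is `ToolsOnLoad`, but a one-line comment on the early return (or an ASSERT that the cached list matches the requested mode) would stop a future config-reload path from reintroducing the script unnoticed. The `ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u)` reservation also bakes in the assumption that exactly one entry carries `SERVICE_DISCOVERY_KEY_VERSIONS`; `g_array_sized_new` only reserves capacity and the array grows as needed, so this is harmless, but the loop below is the real source of truth and the arithmetic could simply be dropped.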
+@@ -1288,6 +1297,15 @@ ConstructScriptPaths(void)
+ #endif
+    }
+    for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++      /*
++       * Skip adding if:
++       * 1. Version check is disabled, AND
++       * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++       */
++      if (!versionCheckEnabled &&
++         g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 
0) {
++         continue;
++      }
+       KeyNameValue tmp;
+       tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
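Review bot: `KeyNameValue tmp;` now follows the `if (...) continue;` statement inside the loop body, a declaration after a statement; the rest of this function declares at block start (`int i;`, `int insertIndex = 0;`), so either move `tmp` above the skip check or hoist it next to `insertIndex` to keep the file's C89-style convention and avoid a `-Wdeclaration-after-statement` warning on builds that enable it.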
+@@ -1295,7 +1313,8 @@ ConstructScriptPaths(void)
+ #else
+       tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, 
gKeyScripts[i].val);
+ #endif
+-      g_array_insert_val(gFullPaths, i, tmp);
++      g_array_insert_val(gFullPaths, insertIndex, tmp);
++      insertIndex++;
+    }
+ }
+ 
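Review bot: `g_array_insert_val(gFullPaths, insertIndex, tmp); insertIndex++;` always inserts at the current end of the array, which is exactly what `g_array_append_val(gFullPaths, tmp)` does without the extra counter. More importantly, `gFullPaths` is no longer index-aligned with `gKeyScripts` once the versions entry is skipped: any other code in this plugin that walks `gKeyScripts` and reuses the same `i` to index `gFullPaths` would now read the wrong script path, or one past the end. Those consumers are not in this diff, so please confirm they look entries up by `keyName` rather than by position.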
+@@ -1361,14 +1380,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+          }
+       };
+       gboolean disabled;
++      Bool versionCheckEnabled;
+ 
+       regData.regs = VMTools_WrapArray(regs,
+                                        sizeof *regs,
+                                        ARRAYSIZE(regs));
++      versionCheckEnabled = VMTools_ConfigGetBoolean(
++         ctx->config,
++         CONFGROUPNAME_SERVICEDISCOVERY,
++         CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++         SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+       /*
+        * Append scripts execution command line
+        */
+-      ConstructScriptPaths();
++      ConstructScriptPaths(versionCheckEnabled);
+ 
+       disabled =
+          VMTools_ConfigGetBoolean(ctx->config,
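Review bot: `Bool versionCheckEnabled` receives the result of `VMTools_ConfigGetBoolean`, while the neighbouring `disabled` variable for the very same call is declared `gboolean`; use one type for both so the VMware `Bool` and GLib `gboolean` are not mixed in adjacent lines. It would also help operators to log the effective value once here (debug level is enough): with the default now FALSE, the only externally visible symptom is that version data stops appearing in Aria, and a log line stating that the versions script is disabled by configuration turns a mystery into a known state.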
diff -Nru open-vm-tools-12.5.0/debian/patches/series 
open-vm-tools-12.5.0/debian/patches/series
--- open-vm-tools-12.5.0/debian/patches/series  2025-05-12 13:17:50.000000000 
+0000
+++ open-vm-tools-12.5.0/debian/patches/series  2025-09-30 18:12:54.000000000 
+0000
@@ -1,3 +1,4 @@
 use-debian-pam
 debian/scsi-udev-rule
 CVE-2025-22247-1230-1250-VGAuth-updates.patch
+CVE-2025-41244-1200-1225-SDMP.patch

--- End Message ---
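The patch above keys the mitigation off a single tools.conf boolean, so a fleet check after the point release is really a configuration audit: any guest where someone has set `version-check-enabled = true` under the service-discovery group is back on the pre-patch code path. The following is an added example, not code from the Debian package or from Broadcom/VMware: a small Python checker that reads tools.conf-style text and reports whether the versions script would run. It assumes the group is spelled `servicediscovery` in tools.conf (the diff shows only the macro `CONFGROUPNAME_SERVICEDISCOVERY`), that the file lives at /etc/vmware-tools/tools.conf, and that booleans follow GLib key-file rules (`true`/`false`/`1`/`0`; anything else falls back to the compiled-in default, as `VMTools_ConfigGetBoolean` does on error). All three are assumptions, and the sample configs are constructed for the example.

```python
"""Audit tools.conf for the CVE-2025-41244 mitigation knob (added example).

Reports guests where [servicediscovery] version-check-enabled has been set
back to true, i.e. where the SDMP get-versions.sh script would run again.
"""
import configparser
import sys

# ASSUMPTIONS (not stated in the bug thread): the group name as written in
# tools.conf, the file location, and GLib GKeyFile boolean parsing.
GROUP = "servicediscovery"                   # CONFGROUPNAME_SERVICEDISCOVERY (assumed spelling)
KEY = "version-check-enabled"                # CONFNAME_SERVICEDISCOVERY_VERSION_CHECK (from the patch)
COMPILED_DEFAULT = False                     # SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK (from the patch)
TOOLS_CONF = "/etc/vmware-tools/tools.conf"  # assumed default location

_TRUE = ("true", "1")
_FALSE = ("false", "0")


def version_check_enabled(conf_text: str) -> bool:
    """Mirror VMTools_ConfigGetBoolean(): missing or unparsable -> compiled default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                     # key files are case-sensitive
    try:
        cp.read_string(conf_text)
    except configparser.Error:
        return COMPILED_DEFAULT              # unreadable file: the daemon falls back to its default
    if not cp.has_option(GROUP, KEY):        # False for a missing section or a missing key
        return COMPILED_DEFAULT
    raw = cp.get(GROUP, KEY).strip()
    if raw in _TRUE:
        return True
    if raw in _FALSE:
        return False
    return COMPILED_DEFAULT                  # "yes", "on", etc. are not valid GKeyFile booleans


def audit(configs: dict) -> list:
    """Return the names of guests whose config re-enables the versions script."""
    return sorted(name for name, text in configs.items() if version_check_enabled(text))


# Constructed sample configs for four hypothetical guests.
SAMPLE_CONFIGS = {
    "vm-default": "[logging]\nlog = true\n",                             # key absent -> patched default
    "vm-reenabled": "[servicediscovery]\nversion-check-enabled = true\n",
    "vm-typo": "[servicediscovery]\nversion-check-enabled = yes\n",      # invalid -> default
    "vm-explicit-off": "[servicediscovery]\nversion-check-enabled=false\n",
}


def main(argv):
    if len(argv) > 1:                        # audit real files named on the command line
        configs = {}
        for path in argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                configs[path] = fh.read()
    else:
        configs = SAMPLE_CONFIGS
    for name in audit(configs):
        print(f"{name}: {KEY} is true; get-versions.sh will run (CVE-2025-41244 exposure)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed samples (only vm-reenabled is reported), or pass one or more tools.conf paths collected from guests. Because a missing key and a malformed value both resolve to the compiled-in FALSE, the check deliberately flags only explicit `true`/`1`, which is the only way the vulnerable script comes back after this update.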
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
