Version in base suite: 12.2.0-1+deb12u3 Base version: open-vm-tools_12.2.0-1+deb12u3 Target version: open-vm-tools_12.2.0-1+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/open-vm-tools/open-vm-tools_12.2.0-1+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/open-vm-tools/open-vm-tools_12.2.0-1+deb12u4.dsc .gitlab-ci.yml | 47 +++++++++++ changelog | 9 ++ patches/CVE-2025-41244-1200-1225-SDMP.patch | 119 ++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 176 insertions(+)
diff -Nru open-vm-tools-12.2.0/debian/.gitlab-ci.yml open-vm-tools-12.2.0/debian/.gitlab-ci.yml
--- open-vm-tools-12.2.0/debian/.gitlab-ci.yml 2025-05-12 13:22:02.000000000 +0000
+++ open-vm-tools-12.2.0/debian/.gitlab-ci.yml 2025-09-30 19:11:28.000000000 +0000
@@ -12,3 +12,50 @@
 SALSA_CI_DISABLE_REPROTEST: 1
 SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0
 SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0
+ SALSA_CI_DISABLE_DEBDIFF: 0
+
+
+debdiff:
+ stage: test
+ image: $SALSA_CI_IMAGES_GENERIC_TESTS
+ rules:
+ - if: $SALSA_CI_ENABLE_DEBDIFF =~ /^(1|yes|true)$/
+ - if: $SALSA_CI_DISABLE_ALL_TESTS =~ /^(1|yes|true)$/
+ when: never
+ - if: $SALSA_CI_DISABLE_DEBDIFF !~ /^(1|yes|true)$/
+ script:
+ - "sed -i '/^Types:/s,:.*,: deb deb-src,' /etc/apt/sources.list.d/debian.sources"
+ # this is fugly, but the build container is totally not happy about apt
+ # downloading sources otherwise.
+ - echo 'APT::Sandbox::User "root";' | tee -a /etc/apt/apt.conf.d/10sandbox
+ - apt-get update && eatmydata apt-get install -y devscripts
+ - PKG_NAME=$(dpkg-parsechangelog -S Source)
+ - NEW_DSC=$(find ${WORKING_DIR} -maxdepth 1 -name "*.dsc" | head -n 1)
+ - |
+ if [ -z "${PKG_NAME}" ] || [ ! -f "${NEW_DSC}" ]; then
+ echo "Error: Could not determine package name or find .changes file."
+ exit 1
+ fi
+ - |
+ # Attempt to download the source package from the archive.
+ # If it fails, the package is likely new, and we create a note.
+ if apt-get -d source "${PKG_NAME}"; then
+ OLD_DSC=$(find . -maxdepth 1 -name "${PKG_NAME}_*.dsc" | head -n 1)
+ if [ -f "${OLD_DSC}" ]; then
+ debdiff "${OLD_DSC}" "${NEW_DSC}" > "${WORKING_DIR}/${PKG_NAME}.debdiff" || true
+ else
+ echo "Warning: apt-get source ran but no .dsc file was found." > "${WORKING_DIR}/${PKG_NAME}.debdiff"
+ fi
+ else
+ echo "Package not found in archive; assuming it is new."
> "${WORKING_DIR}/${PKG_NAME}.debdiff"
+ fi
+ variables:
+ # We need the source checkout for dpkg-parsechangelog
+ GIT_STRATEGY: fetch
+ artifacts:
+ paths:
+ - ${WORKING_DIR}/*.debdiff
+ when: always
+ needs:
+ - job: build
+ artifacts: true
diff -Nru open-vm-tools-12.2.0/debian/changelog open-vm-tools-12.2.0/debian/changelog
--- open-vm-tools-12.2.0/debian/changelog 2025-05-12 13:22:02.000000000 +0000
+++ open-vm-tools-12.2.0/debian/changelog 2025-09-30 19:11:28.000000000 +0000
@@ -1,3 +1,12 @@
+open-vm-tools (2:12.2.0-1+deb12u4) bookworm; urgency=high
+
+ * [e4ad4b0] Run debdiff in CI
+ * [039e4a0] Disable (default) the execution of the SDMP get-versions.sh script
+ (CVE-2025-41244)
+ Thanks to Salvatore Bonaccorso
+
+ -- Bernd Zeimetz Tue, 30 Sep 2025 21:11:28 +0200
+
 open-vm-tools (2:12.2.0-1+deb12u3) bookworm-security; urgency=medium

 * [df2a118] Fixing an insecure file handling vulnerability.
diff -Nru open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch
--- open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch 1970-01-01 00:00:00.000000000 +0000
+++ open-vm-tools-12.2.0/debian/patches/CVE-2025-41244-1200-1225-SDMP.patch 2025-09-30 19:11:28.000000000 +0000
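Review bot: The diagnostic in the first `- |` block is misleading: it says `.changes file`, but `NEW_DSC` is located with `-name "*.dsc"`, so it should read `echo "Error: Could not determine package name or find .dsc file."`. The `|| true` after the `debdiff` call discards debdiff's exit status, so a failed comparison leaves a truncated or empty artifact while the job still passes; writing the status into the artifact (or at least echoing it) would make that visible. `APT::Sandbox::User "root"` turns off apt's unprivileged download user for the rest of the job; because only `apt-get -d source` (download, no unpack) follows and the job runs in a disposable CI container, the exposure is small, but the comment above it should state that rationale instead of "fugly" so the setting is not copied into a context where it matters more.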
@@ -0,0 +1,119 @@
+From b2f1ac61f426ba9be93a3751ead222fc8512509c Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Wed, 17 Sep 2025 22:18:49 -0700
+Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
+
+Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria.
+
+All files being updated should be consider to have the copyright
+updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+---
+ .../serviceDiscovery/serviceDiscovery.c | 35 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -111,6 +111,12 @@ VM_EMBED_VERSION(VMTOOLSD_VERSION_STRING
+ #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
+
+ /*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
++/*
+ * Defines the configuration to cache data in gdp plugin
+ */
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
+@@ -1232,25 +1238,27 @@ ServiceDiscoveryServerShutdown(gpointer
+ *
+ * Construct final paths of the scripts that will be used for execution.
+ *
+- *****************************************************************************
++ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
++ * entry; FALSE to skip it (derived from config).
++ * *****************************************************************************
+ */
+
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+ int i;
+ gchar *scriptInstallDir;
+ #if !defined(OPEN_VM_TOOLS)
+ gchar *toolsInstallDir;
+ #endif
++ int insertIndex = 0;
+
+ if (gFullPaths != NULL) {
+ return;
+ }
+
+ gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+- ARRAYSIZE(gKeyScripts));
+-
++ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+ #if defined(OPEN_VM_TOOLS)
+ scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+ #else
+@@ -1261,6 +1269,15 @@ ConstructScriptPaths(void)
+ #endif
+
+ for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++ /*
++ * Skip adding if:
++ * 1. Version check is disabled, AND
++ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++ */
++ if (!versionCheckEnabled &&
++ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
++ continue;
++ }
+ KeyNameValue tmp;
+ tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1270,7 +1287,8 @@ ConstructScriptPaths(void)
+ tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS,
+ gKeyScripts[i].val);
+ #endif
+- g_array_insert_val(gFullPaths, i, tmp);
++ g_array_insert_val(gFullPaths, insertIndex, tmp);
++ insertIndex++;
+ }
+
+ g_free(scriptInstallDir);
+@@ -1338,14 +1356,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+ }
+ };
+ gboolean disabled;
++ Bool versionCheckEnabled;
+
+ regData.regs = VMTools_WrapArray(regs,
+ sizeof *regs,
+ ARRAYSIZE(regs));
++ versionCheckEnabled = VMTools_ConfigGetBoolean(
++ ctx->config,
++ CONFGROUPNAME_SERVICEDISCOVERY,
++ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+ /*
+ * Append scripts absolute paths based on installation dirs.
+ */
+- ConstructScriptPaths();
++ ConstructScriptPaths(versionCheckEnabled);
+
+ disabled =
+ VMTools_ConfigGetBoolean(ctx->config,
diff -Nru open-vm-tools-12.2.0/debian/patches/series open-vm-tools-12.2.0/debian/patches/series
--- open-vm-tools-12.2.0/debian/patches/series 2025-05-12 13:22:02.000000000 +0000
+++ open-vm-tools-12.2.0/debian/patches/series 2025-09-30 19:11:28.000000000 +0000
@@ -6,3 +6,4 @@
 CVE-2023-34059.patch
 CVE-2023-34058.patch
 CVE-2025-22247-1100-1225-VGAuth-updates.patch
+CVE-2025-41244-1200-1225-SDMP.patch
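Review bot: The new `version-check-enabled` key (read under `CONFGROUPNAME_SERVICEDISCOVERY`, default `SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK` = `FALSE`) is the only switch that brings the get-versions.sh script back, yet nothing in this debdiff documents it for administrators — the changelog says only "Disable (default)". A `debian/NEWS` entry should name the key and its configuration section, state that it is off by default, and say that turning it on restores the behaviour the CVE-2025-41244 fix disables, so the trade-off is made knowingly. In `ConstructScriptPaths`, `ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u)` assumes exactly one `SERVICE_DISCOVERY_KEY_VERSIONS` entry in `gKeyScripts`; since `g_array_sized_new` treats this only as a reservation hint it is not a correctness problem, but a comment such as `/* reserved size is a hint; the loop below decides what is actually added */` would stop a later reader from tightening it into a hard bound. In `ToolsOnLoad`, `Bool versionCheckEnabled` sits beside `gboolean disabled`, both filled from `VMTools_ConfigGetBoolean`; using `gboolean` for both keeps the function consistent. Both `ConstructScriptPaths` and `ToolsOnLoad` continue outside the shown hunks.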