diff -pruN 2:13.0.0-2/debian/changelog 2:13.0.0-2ubuntu1/debian/changelog
--- 2:13.0.0-2/debian/changelog	2025-08-18 08:49:22.000000000 +0000
+++ 2:13.0.0-2ubuntu1/debian/changelog	2025-09-29 22:11:42.000000000 +0000
@@ -1,3 +1,13 @@
+open-vm-tools (2:13.0.0-2ubuntu1) questing; urgency=medium
+
+  * SECURITY UPDATE: local privilege escalation in Service Discovery Plugin
+    - debian/patches/CVE-2025-41244.patch: disable by default the execution
+      of the SDMP get-versions.sh script in
+      open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c.
+    - CVE-2025-41244
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 29 Sep 2025 18:11:42 -0400
+
 open-vm-tools (2:13.0.0-2) unstable; urgency=medium
 
   * Upload to unstable.
diff -pruN 2:13.0.0-2/debian/control 2:13.0.0-2ubuntu1/debian/control
--- 2:13.0.0-2/debian/control	2025-08-18 08:49:22.000000000 +0000
+++ 2:13.0.0-2ubuntu1/debian/control	2025-09-29 22:11:42.000000000 +0000
@@ -1,7 +1,8 @@
 Source: open-vm-tools
 Section: admin
 Priority: optional
-Maintainer: Bernd Zeimetz <bzed@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Bernd Zeimetz <bzed@debian.org>
 Uploaders: Christian Ehrhardt <christian.ehrhardt@canonical.com>
 Build-Depends:
  debhelper-compat (= 13), dh-sequence-movetousr,
diff -pruN 2:13.0.0-2/debian/patches/CVE-2025-41244.patch 2:13.0.0-2ubuntu1/debian/patches/CVE-2025-41244.patch
--- 2:13.0.0-2/debian/patches/CVE-2025-41244.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2:13.0.0-2ubuntu1/debian/patches/CVE-2025-41244.patch	2025-09-29 22:11:19.000000000 +0000
@@ -0,0 +1,122 @@
+From 7b6f212c40f13060f97a715e838137cbab2f47ad Mon Sep 17 00:00:00 2001
+From: John Wolfe <john.wolfe@broadcom.com>
+Date: Wed, 17 Sep 2025 21:51:54 -0700
+Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
+
+Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria.
+
+All files being updated should be consider to have the copyright
+updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+---
+ .../serviceDiscovery/serviceDiscovery.c       | 34 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+index 0da598f13..fdd81f82b 100644
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -122,6 +122,12 @@ static gchar* scriptInstallDir = NULL;
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
+ #define SERVICE_DISCOVERY_CONF_DEFAULT_CACHEDATA TRUE
+ 
++/*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
+ /*
+  * Define the configuration to require at least one subscriber subscribed for
+  * the gdp message.
+@@ -1265,23 +1271,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
+  *
+  * Construct final paths of the scripts that will be used for execution.
+  *
++ * @param[in] versionCheckEnabled  TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
++ *                                 entry; FALSE to skip it (derived from config).
++ *
+  *****************************************************************************
+  */
+ 
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+    int i;
+ #if !defined(OPEN_VM_TOOLS)
+    gchar *toolsInstallDir;
+ #endif
++   int insertIndex = 0;
+ 
+    if (gFullPaths != NULL) {
+       return;
+    }
+ 
+    gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+-                                  ARRAYSIZE(gKeyScripts));
++                                  ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+    if (scriptInstallDir == NULL) {
+ #if defined(OPEN_VM_TOOLS)
+       scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+@@ -1293,6 +1303,15 @@ ConstructScriptPaths(void)
+ #endif
+    }
+    for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++      /*
++       * Skip adding if:
++       * 1. Version check is disabled, AND
++       * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++       */
++      if (!versionCheckEnabled &&
++         g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
++         continue;
++      }
+       KeyNameValue tmp;
+       tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1300,7 +1319,8 @@ ConstructScriptPaths(void)
+ #else
+       tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
+ #endif
+-      g_array_insert_val(gFullPaths, i, tmp);
++      g_array_insert_val(gFullPaths, insertIndex, tmp);
++      insertIndex++;
+    }
+ }
+ 
+@@ -1366,14 +1386,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+          }
+       };
+       gboolean disabled;
++      Bool versionCheckEnabled;
+ 
+       regData.regs = VMTools_WrapArray(regs,
+                                        sizeof *regs,
+                                        ARRAYSIZE(regs));
++      versionCheckEnabled = VMTools_ConfigGetBoolean(
++         ctx->config,
++         CONFGROUPNAME_SERVICEDISCOVERY,
++         CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++         SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+       /*
+        * Append scripts execution command line
+        */
+-      ConstructScriptPaths();
++      ConstructScriptPaths(versionCheckEnabled);
+ 
+       disabled =
+          VMTools_ConfigGetBoolean(ctx->config,
+-- 
+2.47.3
+
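Review bot: The comment added above `CONFNAME_SERVICEDISCOVERY_VERSION_CHECK` says only "enable/disable version obtaining logic", which hides that the option gates execution of get-versions.sh and that setting it to true restores the behaviour this patch turns off for CVE-2025-41244. The diffstat lists only serviceDiscovery.c, so as far as this patch shows the script itself is unchanged, and I would reword the comment to `/* Gates execution of the get-versions.sh script (CVE-2025-41244). Default FALSE; setting version-check-enabled=true runs the unmodified script again. */`. The value is read once in ToolsOnLoad, and ConstructScriptPaths returns early when `gFullPaths != NULL`, so a later change to the setting presumably takes effect only after the service restarts, which the same comment should state. A single `g_warning("%s: version-check-enabled is set; get-versions.sh will be executed\n", __FUNCTION__);` in ToolsOnLoad when `versionCheckEnabled` is TRUE would make the opt-in visible in logs. The bodies of ConstructScriptPaths and ToolsOnLoad continue outside the nested hunks, so the cache lifetime is not confirmed from here.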
diff -pruN 2:13.0.0-2/debian/patches/series 2:13.0.0-2ubuntu1/debian/patches/series
--- 2:13.0.0-2/debian/patches/series	2025-08-18 08:49:22.000000000 +0000
+++ 2:13.0.0-2ubuntu1/debian/patches/series	2025-09-29 22:11:37.000000000 +0000
@@ -1,2 +1,3 @@
 use-debian-pam
 debian/scsi-udev-rule
+CVE-2025-41244.patch
