Your message dated Mon, 12 May 2025 14:35:13 +0000
with message-id <e1ueufn-005pfg...@fasolo.debian.org>
and subject line Bug#1105159: fixed in open-vm-tools 2:12.5.0-2
has caused the Debian Bug report #1105159,
regarding open-vm-tools: insecure file handling vulnerability (CVE-2025-22247)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1105159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: open-vm-tools
Version: 2:11.2.5-2+deb11u3
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: t...@security.debian.org

Description
==============================================================
CVE-2025-22247: VMware Tools contains an insecure file handling
vulnerability. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 6.1 -
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N.

Known Attack Vectors
==============================================================
A malicious actor with non-administrative privileges on a guest VM may
tamper the local files to trigger insecure file operations within that
VM.


https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

--- End Message ---
--- Begin Message ---
Source: open-vm-tools
Source-Version: 2:12.5.0-2
Done: Bernd Zeimetz <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <b...@debian.org> (supplier of updated open-vm-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 12 May 2025 15:17:50 +0200
Source: open-vm-tools
Architecture: source
Version: 2:12.5.0-2
Distribution: unstable
Urgency: high
Maintainer: Bernd Zeimetz <b...@debian.org>
Changed-By: Bernd Zeimetz <b...@debian.org>
Closes: 1105159
Changes:
 open-vm-tools (2:12.5.0-2) unstable; urgency=high
 .
   * [910f279] Fixing an insecure file handling vulnerability.
     It allowed a malicious actor with non-administrative privileges
     on a guest VM to tamper the local files to trigger insecure file
     operations within that VM.
     VMSA-2025-0007
     CVE-2025-22247 (Closes: #1105159)

--- End Message ---
