Your message dated Sat, 17 May 2025 11:02:24 +0000
with message-id <e1ugfja-00bezx...@fasolo.debian.org>
and subject line Bug#1105159: fixed in open-vm-tools 2:12.2.0-1+deb12u3
has caused the Debian Bug report #1105159,
regarding open-vm-tools: insecure file handling vulnerability (CVE-2025-22247)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: open-vm-tools
Version: 2:11.2.5-2+deb11u3
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: t...@security.debian.org
Description
==============================================================
CVE-2025-22247: VMware Tools contains an insecure file handling
vulnerability. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 6.1 -
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N.

Known Attack Vectors
==============================================================
A malicious actor with non-administrative privileges on a guest VM may
tamper the local files to trigger insecure file operations within that
VM.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
--- End Message ---
--- Begin Message ---
Source: open-vm-tools
Source-Version: 2:12.2.0-1+deb12u3
Done: Bernd Zeimetz <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernd Zeimetz <b...@debian.org> (supplier of updated open-vm-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 12 May 2025 15:22:02 +0200
Source: open-vm-tools
Architecture: source
Version: 2:12.2.0-1+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Bernd Zeimetz <b...@debian.org>
Changed-By: Bernd Zeimetz <b...@debian.org>
Closes: 1105159
Changes:
open-vm-tools (2:12.2.0-1+deb12u3) bookworm-security; urgency=medium
.
* [df2a118] Fixing an insecure file handling vulnerability.
It allowed a malicious actor with non-administrative privileges
on a guest VM to tamper the local files to trigger insecure file
operations within that VM.
VMSA-2025-0007
CVE-2025-22247 (Closes: #1105159)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---