commit:     789ff3784a3b36e308cfcee02d8db37a75d0bf54
Author:     Cristian Othón Martínez Vera <cfuga <AT> cfuga <DOT> mx>
AuthorDate: Wed Oct  8 19:36:21 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Oct 19 13:17:50 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=789ff378

app-emulation/open-vm-tools: fix CVE-2025-41244

The affected code isn't compiled in Gentoo, because it's disabled by default.
It requires adding `--enable-servicediscovery` to `configure` in order to
activate it, and there's currently no USE flag to control it.

Bug: https://bugs.gentoo.org/963579
Signed-off-by: Cristian Othón Martínez Vera <cfuga <AT> cfuga.mx>
Part-of: https://github.com/gentoo/gentoo/pull/43132
Closes: https://github.com/gentoo/gentoo/pull/43132
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../open-vm-tools-12.4.5-CVE-2025-41244.patch      | 119 +++++++++++++++++++++
 .../open-vm-tools/open-vm-tools-12.4.5-r2.ebuild   |   1 +
 .../open-vm-tools/open-vm-tools-12.5.0-r4.ebuild   |   1 +
 3 files changed, 121 insertions(+)

diff --git 
a/app-emulation/open-vm-tools/files/open-vm-tools-12.4.5-CVE-2025-41244.patch 
b/app-emulation/open-vm-tools/files/open-vm-tools-12.4.5-CVE-2025-41244.patch
new file mode 100644
index 000000000000..ee60962463f3
--- /dev/null
+++ 
b/app-emulation/open-vm-tools/files/open-vm-tools-12.4.5-CVE-2025-41244.patch
@@ -0,0 +1,119 @@
+https://bugs.gentoo.org/963579
+https://github.com/vmware/open-vm-tools/tree/CVE-2025-41244.patch
+
+From 7b6f212c40f13060f97a715e838137cbab2f47ad Mon Sep 17 00:00:00 2001
+From: John Wolfe <[email protected]>
+Date: Wed, 17 Sep 2025 21:51:54 -0700
+Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
+
+Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria.
+
+All files being updated should be consider to have the copyright
+updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+--- a/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -122,6 +122,12 @@ static gchar* scriptInstallDir = NULL;
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
+ #define SERVICE_DISCOVERY_CONF_DEFAULT_CACHEDATA TRUE
+ 
++/*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
+ /*
+  * Define the configuration to require at least one subscriber subscribed for
+  * the gdp message.
+@@ -1265,23 +1271,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
+  *
+  * Construct final paths of the scripts that will be used for execution.
+  *
++ * @param[in] versionCheckEnabled  TRUE to include the 
SERVICE_DISCOVERY_KEY_VERSIONS
++ *                                 entry; FALSE to skip it (derived from 
config).
++ *
+  *****************************************************************************
+  */
+ 
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+    int i;
+ #if !defined(OPEN_VM_TOOLS)
+    gchar *toolsInstallDir;
+ #endif
++   int insertIndex = 0;
+ 
+    if (gFullPaths != NULL) {
+       return;
+    }
+ 
+    gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+-                                  ARRAYSIZE(gKeyScripts));
++                                  ARRAYSIZE(gKeyScripts) - 
(versionCheckEnabled ? 0u : 1u));
+    if (scriptInstallDir == NULL) {
+ #if defined(OPEN_VM_TOOLS)
+       scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+@@ -1293,6 +1303,15 @@ ConstructScriptPaths(void)
+ #endif
+    }
+    for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++      /*
++       * Skip adding if:
++       * 1. Version check is disabled, AND
++       * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++       */
++      if (!versionCheckEnabled &&
++         g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 
0) {
++         continue;
++      }
+       KeyNameValue tmp;
+       tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1300,7 +1319,8 @@ ConstructScriptPaths(void)
+ #else
+       tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, 
gKeyScripts[i].val);
+ #endif
+-      g_array_insert_val(gFullPaths, i, tmp);
++      g_array_insert_val(gFullPaths, insertIndex, tmp);
++      insertIndex++;
+    }
+ }
+ 
+@@ -1366,14 +1386,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+          }
+       };
+       gboolean disabled;
++      Bool versionCheckEnabled;
+ 
+       regData.regs = VMTools_WrapArray(regs,
+                                        sizeof *regs,
+                                        ARRAYSIZE(regs));
++      versionCheckEnabled = VMTools_ConfigGetBoolean(
++         ctx->config,
++         CONFGROUPNAME_SERVICEDISCOVERY,
++         CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++         SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+       /*
+        * Append scripts execution command line
+        */
+-      ConstructScriptPaths();
++      ConstructScriptPaths(versionCheckEnabled);
+ 
+       disabled =
+          VMTools_ConfigGetBoolean(ctx->config,
+-- 
+2.47.3
+

diff --git a/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild 
b/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild
index 06f67d5e5170..0d86eef7415e 100644
--- a/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild
+++ b/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild
@@ -64,6 +64,7 @@ PATCHES=(
        "${FILESDIR}"/${PN}-12.4.5-Werror.patch
        "${FILESDIR}"/${PN}-12.4.5-icu.patch
        "${FILESDIR}"/${PN}-12.4.5-xmlsec1-pc.patch
+       "${FILESDIR}"/${PN}-12.4.5-CVE-2025-41244.patch
 )
 
 pkg_setup() {

diff --git a/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild 
b/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild
index 8314dbf17d64..a198d09f2706 100644
--- a/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild
+++ b/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild
@@ -65,6 +65,7 @@ PATCHES=(
        "${FILESDIR}"/${PN}-12.4.5-icu.patch
        "${FILESDIR}"/${PN}-12.4.5-xmlsec1-pc.patch
        "${FILESDIR}"/${PN}-12.5.0-c23.patch
+       "${FILESDIR}"/${PN}-12.4.5-CVE-2025-41244.patch
 )
 
 pkg_setup() {

Reply via email to