commit: 789ff3784a3b36e308cfcee02d8db37a75d0bf54 Author: Cristian Othón Martínez Vera <cfuga <AT> cfuga <DOT> mx> AuthorDate: Wed Oct 8 19:36:21 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sun Oct 19 13:17:50 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=789ff378
app-emulation/open-vm-tools: fix CVE-2025-41244 The affected code isn't compiled in Gentoo, because it's disabled by default. It requires adding `--enable-servicediscovery` to `configure` in order to activate it, and there's currently no USE flag to control it. Bug: https://bugs.gentoo.org/963579 Signed-off-by: Cristian Othón Martínez Vera <cfuga <AT> cfuga.mx> Part-of: https://github.com/gentoo/gentoo/pull/43132 Closes: https://github.com/gentoo/gentoo/pull/43132 Signed-off-by: Sam James <sam <AT> gentoo.org> .../open-vm-tools-12.4.5-CVE-2025-41244.patch | 119 +++++++++++++++++++++ .../open-vm-tools/open-vm-tools-12.4.5-r2.ebuild | 1 + .../open-vm-tools/open-vm-tools-12.5.0-r4.ebuild | 1 + 3 files changed, 121 insertions(+)
diff --git a/app-emulation/open-vm-tools/files/open-vm-tools-12.4.5-CVE-2025-41244.patch b/app-emulation/open-vm-tools/files/open-vm-tools-12.4.5-CVE-2025-41244.patch
new file mode 100644
index 000000000000..ee60962463f3
--- /dev/null
+++ b/app-emulation/open-vm-tools/files/open-vm-tools-12.4.5-CVE-2025-41244.patch
@@ -0,0 +1,119 @@
+https://bugs.gentoo.org/963579
+https://github.com/vmware/open-vm-tools/tree/CVE-2025-41244.patch
+
+From 7b6f212c40f13060f97a715e838137cbab2f47ad Mon Sep 17 00:00:00 2001
+From: John Wolfe <[email protected]>
+Date: Wed, 17 Sep 2025 21:51:54 -0700
+Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
+
+Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria.
+
+All files being updated should be consider to have the copyright
+updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+--- a/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -122,6 +122,12 @@ static gchar* scriptInstallDir = NULL;
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
+ #define SERVICE_DISCOVERY_CONF_DEFAULT_CACHEDATA TRUE
+
++/*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
+ /*
+ * Define the configuration to require at least one subscriber subscribed for
+ * the gdp message.
+@@ -1265,23 +1271,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
+ *
+ * Construct final paths of the scripts that will be used for execution.
+ *
++ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
++ * entry; FALSE to skip it (derived from config).
++ *
+ *****************************************************************************
+ */
+
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+ int i;
+ #if !defined(OPEN_VM_TOOLS)
+ gchar *toolsInstallDir;
+ #endif
++ int insertIndex = 0;
+
+ if (gFullPaths != NULL) {
+ return;
+ }
+
+ gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+- ARRAYSIZE(gKeyScripts));
++ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+ if (scriptInstallDir == NULL) {
+ #if defined(OPEN_VM_TOOLS)
+ scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+@@ -1293,6 +1303,15 @@ ConstructScriptPaths(void)
+ #endif
+ }
+ for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++ /*
++ * Skip adding if:
++ * 1. Version check is disabled, AND
++ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++ */
++ if (!versionCheckEnabled &&
++ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
++ continue;
++ }
+ KeyNameValue tmp;
+ tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1300,7 +1319,8 @@ ConstructScriptPaths(void)
+ #else
+ tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
+ #endif
+- g_array_insert_val(gFullPaths, i, tmp);
++ g_array_insert_val(gFullPaths, insertIndex, tmp);
++ insertIndex++;
+ }
+ }
+
+@@ -1366,14 +1386,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+ }
+ };
+ gboolean disabled;
++ Bool versionCheckEnabled;
+
+ regData.regs = VMTools_WrapArray(regs,
+ sizeof *regs,
+ ARRAYSIZE(regs));
++ versionCheckEnabled = VMTools_ConfigGetBoolean(
++ ctx->config,
++ CONFGROUPNAME_SERVICEDISCOVERY,
++ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+ /*
+ * Append scripts execution command line
+ */
+- ConstructScriptPaths();
++ ConstructScriptPaths(versionCheckEnabled);
+
+ disabled =
+ VMTools_ConfigGetBoolean(ctx->config,
+--
+2.47.3
+
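Review bot: The mitigation added in ToolsOnLoad is a configuration default only, so a guest whose tools configuration sets `version-check-enabled` to true builds the SERVICE_DISCOVERY_KEY_VERSIONS entry again and, as far as this patch shows, runs an unchanged get-versions.sh with nothing recorded in the log. I would record the opt-in right after the VMTools_ConfigGetBoolean call, e.g. `if (versionCheckEnabled) { g_warning("%s: version-check-enabled is set; get-versions.sh will be executed\n", __FUNCTION__); }`, so an audit can find guests that re-enabled it. The value is also read only at load and ConstructScriptPaths returns early once gFullPaths is set, so a later change to the key presumably needs a service restart; the comment above the new `#define` should say so. ToolsOnLoad's body continues outside the hunk.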
diff --git a/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild b/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild
index 06f67d5e5170..0d86eef7415e 100644
--- a/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild
+++ b/app-emulation/open-vm-tools/open-vm-tools-12.4.5-r2.ebuild
@@ -64,6 +64,7 @@ PATCHES=(
 "${FILESDIR}"/${PN}-12.4.5-Werror.patch
 "${FILESDIR}"/${PN}-12.4.5-icu.patch
 "${FILESDIR}"/${PN}-12.4.5-xmlsec1-pc.patch
+ "${FILESDIR}"/${PN}-12.4.5-CVE-2025-41244.patch
 )
 
 pkg_setup() {
diff --git a/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild b/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild
index 8314dbf17d64..a198d09f2706 100644
--- a/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild
+++ b/app-emulation/open-vm-tools/open-vm-tools-12.5.0-r4.ebuild
@@ -65,6 +65,7 @@ PATCHES=(
 "${FILESDIR}"/${PN}-12.4.5-icu.patch
 "${FILESDIR}"/${PN}-12.4.5-xmlsec1-pc.patch
 "${FILESDIR}"/${PN}-12.5.0-c23.patch
+ "${FILESDIR}"/${PN}-12.4.5-CVE-2025-41244.patch
 )
 
 pkg_setup() {
