open-vm-tools: fix CVE-2025-41244

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-41244 Upstream-patch: https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com> 2025-10-08 23:22:30 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-10-17 10:51:26 +0200
commit: 7eadf76d76291e34e32ba5922182ec44a7b6eaea (patch)
tree: 32d6b6830b8dc18521b31c01a927356610440e78 /meta-networking
parent: 93826fffc5afb1f62f680a78ab890d43d32889f2 (diff)
download: meta-openembedded-7eadf76d76291e34e32ba5922182ec44a7b6eaea.tar.gz
2 files changed, 125 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2025-41244.patch b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2025-41244.patch
new file mode 100644
index 0000000000..ad1ff93365
--- /dev/null
+++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2025-41244.patch
@@ -0,0 +1,124 @@
+From 7ed196cf01f8acd09011815a605b6733894b8aab Mon Sep 17 00:00:00 2001
+From: Kruti Pendharkar <kp025370@broadcom.com>
+Date: Mon, 29 Sep 2025 01:02:40 -0700
+Subject: [PATCH] Address CVE-2025-41244 - Disable (default) the execution of
+ the SDMP get-versions.sh script.
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria
+CVE: CVE-2025-41244
+Upstream-Status: Backport [https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab]
+Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
+---
+ .../serviceDiscovery/serviceDiscovery.c       | 38 ++++++++++++++++---
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+index de8901741..329f87e15 100644
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -1,5 +1,6 @@
+ /*********************************************************
+- * Copyright (C) 2020 VMware, Inc. All rights reserved.
+ * Copyright (c) 2020-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -107,6 +108,12 @@ VM_EMBED_VERSION(VMTOOLSD_VERSION_STRING);
+  */
+ #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
+/*
+ * Defines the configuration to enable/disable version obtaining logic
+ */
+#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
+#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
+
+ /*
+  * Maximum number of keys that can be deleted by one operation
+  */
+@@ -845,24 +852,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
+  *
+  * Construct final paths of the scripts that will be used for execution.
+  *
+- *****************************************************************************
+ * @param[in] versionCheckEnabled  TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
+ *                                 entry; FALSE to skip it (derived from config).
+ * *****************************************************************************
+  */
+ static void
+-ConstructScriptPaths(void)
+ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+    int i;
+    gchar *scriptInstallDir;
+ #if !defined(OPEN_VM_TOOLS)
+    gchar *toolsInstallDir;
+ #endif
+   int insertIndex = 0;
+    if (gFullPaths != NULL) {
+       return;
+    }
+    gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+-                                  ARRAYSIZE(gKeyScripts));
+                                  ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+ #if defined(OPEN_VM_TOOLS)
+    scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+@@ -874,6 +884,15 @@ ConstructScriptPaths(void)
+ #endif
+    for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
+      /*
+       * Skip adding if:
+       * 1. Version check is disabled, AND
+       * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
+       */
+      if (!versionCheckEnabled &&
+         g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
+         continue;
+      }
+       KeyNameValue tmp;
+       tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -883,7 +902,8 @@ ConstructScriptPaths(void)
+       tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS,
+                                 gKeyScripts[i].val);
+ #endif
+-      g_array_insert_val(gFullPaths, i, tmp);
+      g_array_insert_val(gFullPaths, insertIndex, tmp);
+      insertIndex++;
+    }
+    g_free(scriptInstallDir);
+@@ -951,14 +971,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+          }
+       };
+       gboolean disabled;
+      Bool versionCheckEnabled;
+       regData.regs = VMTools_WrapArray(regs,
+                                        sizeof *regs,
+                                        ARRAYSIZE(regs));
+      versionCheckEnabled = VMTools_ConfigGetBoolean(
+         ctx->config,
+         CONFGROUPNAME_SERVICEDISCOVERY,
+         CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
+         SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+       /*
+        * Append scripts absolute paths based on installation dirs.
+        */
+-      ConstructScriptPaths();
+      ConstructScriptPaths(versionCheckEnabled);
+       disabled =
+          VMTools_ConfigGetBoolean(ctx->config,
+--
+2.40.0
diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb
index b58b3ddb90..0e671b6557 100644
--- a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb
+++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb
@@ -50,6 +50,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste
           file://CVE-2023-34058.patch;patchdir=.. \
           file://CVE-2023-34059.patch;patchdir=.. \
           file://CVE-2025-22247.patch;patchdir=.. \
+           file://CVE-2025-41244.patch;patchdir=.. \
           "
 UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"
author	Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>	2025-10-08 23:22:30 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-10-17 10:51:26 +0200
commit	7eadf76d76291e34e32ba5922182ec44a7b6eaea (patch)
tree	32d6b6830b8dc18521b31c01a927356610440e78 /meta-networking
parent	93826fffc5afb1f62f680a78ab890d43d32889f2 (diff)
download	meta-openembedded-7eadf76d76291e34e32ba5922182ec44a7b6eaea.tar.gz

diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2025-41244.patch b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2025-41244.patch new file mode 100644 index 0000000000..ad1ff93365 --- /dev/null +++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2025-41244.patch
@@ -0,0 +1,124 @@
		1	From 7ed196cf01f8acd09011815a605b6733894b8aab Mon Sep 17 00:00:00 2001
		2	From: Kruti Pendharkar <kp025370@broadcom.com>
		3	Date: Mon, 29 Sep 2025 01:02:40 -0700
		4	Subject: [PATCH] Address CVE-2025-41244 - Disable (default) the execution of
		5	the SDMP get-versions.sh script.
		6
		7	With the Linux SDMP get-versions.sh script disabled, version information
		8	of installed services will not be made available to VMware Aria
		9
		10	CVE: CVE-2025-41244
		11
		12	Upstream-Status: Backport [https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab]
		13
		14	Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
		15	---
		16	.../serviceDiscovery/serviceDiscovery.c \| 38 ++++++++++++++++---
		17	1 file changed, 32 insertions(+), 6 deletions(-)
		18
		19	diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
		20	index de8901741..329f87e15 100644
		21	--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
		22	+++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
		23	@@ -1,5 +1,6 @@
		24	/*********************************************************
		25	- * Copyright (C) 2020 VMware, Inc. All rights reserved.
		26	+ * Copyright (c) 2020-2025 Broadcom. All Rights Reserved.
		27	+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
		28	*
		29	* This program is free software; you can redistribute it and/or modify it
		30	* under the terms of the GNU Lesser General Public License as published
		31	@@ -107,6 +108,12 @@ VM_EMBED_VERSION(VMTOOLSD_VERSION_STRING);
		32	*/
		33	#define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
		34
		35	+/*
		36	+ * Defines the configuration to enable/disable version obtaining logic
		37	+ */
		38	+#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
		39	+#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
		40	+
		41	/*
		42	* Maximum number of keys that can be deleted by one operation
		43	*/
		44	@@ -845,24 +852,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
		45	*
		46	* Construct final paths of the scripts that will be used for execution.
		47	*
		48	- *****************************************************************************
		49	+ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
		50	+ * entry; FALSE to skip it (derived from config).
		51	+ * *****************************************************************************
		52	*/
		53
		54	static void
		55	-ConstructScriptPaths(void)
		56	+ConstructScriptPaths(Bool versionCheckEnabled)
		57	{
		58	int i;
		59	gchar *scriptInstallDir;
		60	#if !defined(OPEN_VM_TOOLS)
		61	gchar *toolsInstallDir;
		62	#endif
		63	+ int insertIndex = 0;
		64
		65	if (gFullPaths != NULL) {
		66	return;
		67	}
		68
		69	gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
		70	- ARRAYSIZE(gKeyScripts));
		71	+ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
		72
		73	#if defined(OPEN_VM_TOOLS)
		74	scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
		75	@@ -874,6 +884,15 @@ ConstructScriptPaths(void)
		76	#endif
		77
		78	for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
		79	+ /*
		80	+ * Skip adding if:
		81	+ * 1. Version check is disabled, AND
		82	+ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
		83	+ */
		84	+ if (!versionCheckEnabled &&
		85	+ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
		86	+ continue;
		87	+ }
		88	KeyNameValue tmp;
		89	tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
		90	#if defined(_WIN32)
		91	@@ -883,7 +902,8 @@ ConstructScriptPaths(void)
		92	tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS,
		93	gKeyScripts[i].val);
		94	#endif
		95	- g_array_insert_val(gFullPaths, i, tmp);
		96	+ g_array_insert_val(gFullPaths, insertIndex, tmp);
		97	+ insertIndex++;
		98	}
		99
		100	g_free(scriptInstallDir);
		101	@@ -951,14 +971,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
		102	}
		103	};
		104	gboolean disabled;
		105	+ Bool versionCheckEnabled;
		106
		107	regData.regs = VMTools_WrapArray(regs,
		108	sizeof *regs,
		109	ARRAYSIZE(regs));
		110	+ versionCheckEnabled = VMTools_ConfigGetBoolean(
		111	+ ctx->config,
		112	+ CONFGROUPNAME_SERVICEDISCOVERY,
		113	+ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
		114	+ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
		115	/*
		116	* Append scripts absolute paths based on installation dirs.
		117	*/
		118	- ConstructScriptPaths();
		119	+ ConstructScriptPaths(versionCheckEnabled);
		120
		121	disabled =
		122	VMTools_ConfigGetBoolean(ctx->config,
		123	--
		124	2.40.0


diff --git a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb index b58b3ddb90..0e671b6557 100644 --- a/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb +++ b/meta-networking/recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb
@@ -50,6 +50,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste
50	file://CVE-2023-34058.patch;patchdir=.. \	50	file://CVE-2023-34058.patch;patchdir=.. \
51	file://CVE-2023-34059.patch;patchdir=.. \	51	file://CVE-2023-34059.patch;patchdir=.. \
52	file://CVE-2025-22247.patch;patchdir=.. \	52	file://CVE-2025-22247.patch;patchdir=.. \
		53	file://CVE-2025-41244.patch;patchdir=.. \
53	"	54	"
54		55
55	UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"	56	UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"