• Bug#1106219: unblock: open-vm-tools/2:12.5.0-2

    From Jochen Sprickerhof@21:1/5 to All on Wed May 21 15:00:01 2025
    XPost: linux.debian.devel.release



    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: open-vm-tools@packages.debian.org, Bernd Zeimetz <bzed@debian.org>
    Control: affects -1 + src:open-vm-tools
    User: release.debian.org@packages.debian.org
    Usertags: unblock

    Please unblock package open-vm-tools

    I file this for bzed (Cc'ed), hope that's fine.

    [ Reason ]
    The update fixes a CVE.

    [ Impact ]
    Insecure file handling.

    [ Tests ]
    I did no extra tests, maybe bzed did.

    [ Risks ]
    Low, given that the patch is from upstream.

    [ Checklist ]
    [X] all changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in testing

    unblock open-vm-tools/2:12.5.0-2

    diff -Nru open-vm-tools-12.5.0/debian/changelog open-vm-tools-12.5.0/debian/changelog
    --- open-vm-tools-12.5.0/debian/changelog 2025-01-07 11:42:40.000000000 +0100
    +++ open-vm-tools-12.5.0/debian/changelog 2025-05-12 15:17:50.000000000 +0200
    @@ -1,3 +1,14 @@
    +open-vm-tools (2:12.5.0-2) unstable; urgency=high
    +
    + * [910f279] Fixing an insecure file handling vulnerability.
    + It allowed a malicious actor with non-administrative privileges
    + on a guest VM to tamper the local files to trigger insecure file
    + operations within that VM.
    + VMSA-2025-0007
    + CVE-2025-22247 (Closes: #1105159)
    +
    + -- Bernd Zeimetz <bzed@debian.org> Mon, 12 May 2025 15:17:50 +0200
    +
    open-vm-tools (2:12.5.0-1) unstable; urgency=medium

    * Update to 12.5.0, full release notes can be found at
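
    Review bot: The new entry at "* [910f279] Fixing an insecure file handling vulnerability." does not name the affected component or the file under debian/patches that carries the fix. The debdiff adds debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch, so mentioning that patch and VGAuth in the entry would let the release team match the description to the change without opening the patch. The phrase "tamper the local files" should also read "tamper with local files".
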
    diff -Nru open-vm-tools-12.5.0/debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch open-vm-tools-12.5.0/debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch
    --- open-vm-tools-12.5.0/debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch 1970-01-01 01:00:00.000000000 +0100
    +++
  • From Bernd Zeimetz@21:1/5 to All on Thu May 22 00:40:02 2025
    XPost: linux.debian.devel.release

    hi,

    > I file this for bzed (Cc'ed), hope that's fine.

    yes, thank you!


    > [ Tests ]
    > I did no extra tests, maybe bzed did.

    I have to trust upstream on that - we are not using that feature of
    vmware.

    --
    Bernd Zeimetz Debian GNU/Linux Developer
    http://bzed.de http://www.debian.org
    GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
