XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: open-vm-tools@packages.debian.org, Bernd Zeimetz <bzed@debian.org>
Control: affects -1 + src:open-vm-tools
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package open-vm-tools
I am filing this for bzed (Cc'ed), hope that's fine.
[ Reason ]
The update fixes a CVE.
[ Impact ]
Insecure file handling.
[ Tests ]
I did no extra tests, maybe bzed did.
[ Risks ]
Low, given that the patch is from upstream.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock open-vm-tools/2:12.5.0-2
diff -Nru open-vm-tools-12.5.0/debian/changelog open-vm-tools-12.5.0/debian/changelog
--- open-vm-tools-12.5.0/debian/changelog 2025-01-07 11:42:40.000000000 +0100
+++ open-vm-tools-12.5.0/debian/changelog 2025-05-12 15:17:50.000000000 +0200
@@ -1,3 +1,14 @@
+open-vm-tools (2:12.5.0-2) unstable; urgency=high
+
+ * [910f279] Fixing an insecure file handling vulnerability.
+ It allowed a malicious actor with non-administrative privileges
+ on a guest VM to tamper the local files to trigger insecure file
+ operations within that VM.
+ VMSA-2025-0007
+ CVE-2025-22247 (Closes: #1105159)
+
+ -- Bernd Zeimetz <
bzed@debian.org> Mon, 12 May 2025 15:17:50 +0200
+
open-vm-tools (2:12.5.0-1) unstable; urgency=medium
* Update to 12.5.0, full release notes can be found at
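Review bot: The new 2:12.5.0-2 entry at the top of this hunk describes the vulnerability but names neither the affected component nor the patch that fixes it. The file added next in this debdiff is debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch, so mentioning VGAuth and that patch name in the entry would let a reader of the changelog match the CVE to the change. The wording "tamper the local files" should also read "tamper with the local files".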
diff -Nru open-vm-tools-12.5.0/debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch open-vm-tools-12.5.0/debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch
--- open-vm-tools-12.5.0/debian/patches/CVE-2025-22247-1230-1250-VGAuth-updates.patch 1970-01-01 01:00:00.000000000 +0100
+++