From 0b544f0f71ed5dbe936369e22bdae110bdbc3a83 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Mon, 6 Oct 2025 13:02:30 +0200 Subject: [PATCH] * Mon Oct 06 2025 Miroslav Rezanina - 13.0.0-2 - ovt-Address-CVE-2025-41244.patch [RHEL-117392] - Resolves: RHEL-117392 ([CISA Major Incident] CVE-2025-41244 open-vm-tools: Local privilege escalation in open-vm-tools [rhel-9.8]) --- open-vm-tools.spec | 9 +- ovt-Address-CVE-2025-41244.patch | 136 +++++++++++++++++++++++++++++++ 2 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 ovt-Address-CVE-2025-41244.patch diff --git a/open-vm-tools.spec b/open-vm-tools.spec index 3d8898d..11f5aec 100644 --- a/open-vm-tools.spec +++ b/open-vm-tools.spec @@ -31,7 +31,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 1%{?dist} +Release: 2%{?dist} Summary: Open Virtual Machine Tools for virtual machines hosted on VMware License: GPLv2 URL: https://github.com/vmware/%{name} @@ -51,6 +51,8 @@ ExclusiveArch: %{ix86} x86_64 aarch64 # Patches #Patch0: .patch +# For RHEL-117392 - [CISA Major Incident] CVE-2025-41244 open-vm-tools: Local privilege escalation in open-vm-tools [rhel-9.8] +Patch1: ovt-Address-CVE-2025-41244.patch BuildRequires: autoconf BuildRequires: automake @@ -420,6 +422,11 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog +* Mon Oct 06 2025 Miroslav Rezanina - 13.0.0-2 +- ovt-Address-CVE-2025-41244.patch [RHEL-117392] +- Resolves: RHEL-117392 + ([CISA Major Incident] CVE-2025-41244 open-vm-tools: Local privilege escalation in open-vm-tools [rhel-9.8]) + * Fri Jul 25 2025 Lili Du - 13.0.0-1 - Rebase to 13.0.0 [RHEL-99158] - Resolves: RHEL-99158 diff --git a/ovt-Address-CVE-2025-41244.patch b/ovt-Address-CVE-2025-41244.patch new file mode 100644 index 0000000..359011c --- /dev/null +++ b/ovt-Address-CVE-2025-41244.patch 
@@ -0,0 +1,136 @@
+From 15ab6365a98ed2c8615e2637c49858283d371ee5 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Wed, 1 Oct 2025 10:05:39 +0200
+Subject: [PATCH] Address CVE-2025-41244
+
+RH-Author: Vitaly Kuznetsov
+RH-MergeRequest: 14: Address CVE-2025-41244
+RH-Jira: RHEL-117392
+RH-Acked-by: roverflow
+RH-Acked-by: Maxim Levitsky
+RH-Acked-by: Ani Sinha
+RH-Commit: [1/1] 3016e4f66aea79f5153ba837741f674994987ff6 (vkuznets/open-vm-tools)
+
+JIRA: https://issues.redhat.com/browse/RHEL-117392
+CVE: CVE-2025-41244
+
+commit 3ab0685c1cf7981c84898d546a73d6db6dcd3823
+Author: Kruti Pendharkar
+Date: Mon Sep 29 23:03:43 2025 -0700
+
+ Address CVE-2025-41244
+ - Disable (default) the execution of the SDMP get-versions.sh script.
+
+ With the Linux SDMP get-versions.sh script disabled, version information
+ of installed services will not be made available to VMware Aria
+
+Signed-off-by: Vitaly Kuznetsov
+---
+ .../serviceDiscovery/serviceDiscovery.c | 36 ++++++++++++++++---
+ 1 file changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+index 0da598f1..5e9772e9 100644
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (c) 2020-2024 Broadcom. All Rights Reserved.
++ * Copyright (c) 2020-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+@@ -122,6 +122,12 @@ static gchar* scriptInstallDir = NULL;
+ #define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
+ #define SERVICE_DISCOVERY_CONF_DEFAULT_CACHEDATA TRUE
+
++/*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
+ /*
+ * Define the configuration to require at least one subscriber subscribed for
+ * the gdp message.
+@@ -1265,23 +1271,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
+ *
+ * Construct final paths of the scripts that will be used for execution.
+ *
++ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
++ * entry; FALSE to skip it (derived from config).
++ *
+ *****************************************************************************
+ */
+
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+ int i;
+ #if !defined(OPEN_VM_TOOLS)
+ gchar *toolsInstallDir;
+ #endif
++ int insertIndex = 0;
+
+ if (gFullPaths != NULL) {
+ return;
+ }
+
+ gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+- ARRAYSIZE(gKeyScripts));
++ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+ if (scriptInstallDir == NULL) {
+ #if defined(OPEN_VM_TOOLS)
+ scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+@@ -1293,6 +1303,15 @@ ConstructScriptPaths(void)
+ #endif
+ }
+ for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++ /*
++ * Skip adding if:
++ * 1. Version check is disabled, AND
++ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++ */
++ if (!versionCheckEnabled &&
++ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
++ continue;
++ }
+ KeyNameValue tmp;
+ tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1300,7 +1319,8 @@ ConstructScriptPaths(void)
+ #else
+ tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
+ #endif
+- g_array_insert_val(gFullPaths, i, tmp);
++ g_array_insert_val(gFullPaths, insertIndex, tmp);
++ insertIndex++;
+ }
+ }
+
+@@ -1366,14 +1386,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+ }
+ };
+ gboolean disabled;
++ Bool versionCheckEnabled;
+
+ regData.regs = VMTools_WrapArray(regs,
+ sizeof *regs,
+ ARRAYSIZE(regs));
++ versionCheckEnabled = VMTools_ConfigGetBoolean(
++ ctx->config,
++ CONFGROUPNAME_SERVICEDISCOVERY,
++ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+ /*
+ * Append scripts execution command line
+ */
+- ConstructScriptPaths();
++ ConstructScriptPaths(versionCheckEnabled);
+
+ disabled =
+ VMTools_ConfigGetBoolean(ctx->config,
+--
+2.47.3
+
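Review bot: The comment over the new `continue` in the ConstructScriptPaths loop (inner hunk `@@ -1293,6 +1303,15 @@`) lists the two skip conditions but not why the versions entry is dropped, and the comment added over `CONFNAME_SERVICEDISCOVERY_VERSION_CHECK` in the `@@ -122,6 +122,12 @@` hunk is just as neutral. Going by the commit message, this switch is the entire mitigation, so the reason belongs where the key is defined, for example `/* version-check-enabled: TRUE re-enables running the get-versions.sh script; FALSE by default to address CVE-2025-41244 */`. Without that, a later reader has no hint that turning the option on restores the behaviour the CVE fix disabled. The loop body continues outside the hunk.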
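Review bot: In the `@@ -1300,7 +1319,8 @@` hunk the separate `insertIndex` counter always equals the current length of gFullPaths, so the insert-at-index plus increment is an append written the long way. `g_array_append_val(gFullPaths, tmp);` says the same thing and lets the `int insertIndex = 0;` declaration added in the earlier hunk go away. Related, the reserved size `ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u)` assumes exactly one gKeyScripts entry carries SERVICE_DISCOVERY_KEY_VERSIONS; it is only a preallocation hint, so a mismatch should be harmless, but a short comment stating that assumption would help.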
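Review bot: `version-check-enabled` is read only once here in ToolsOnLoad (inner hunk `@@ -1366,14 +1386,20 @@`), and ConstructScriptPaths returns early once `gFullPaths != NULL`, so a later edit to the setting would presumably not take effect until the plugin is loaded again, unless gFullPaths is reset somewhere outside this patch. If that is intended, a comment above the read such as `/* version-check-enabled is evaluated once at load; a change needs a service restart */` would stop an operator assuming the toggle is live. Logging the effective value once, e.g. `g_info("%s: version check %s\n", __FUNCTION__, versionCheckEnabled ? "enabled" : "disabled");`, would let the mitigation state be confirmed from the tools log rather than inferred from the config file. `versionCheckEnabled` is declared `Bool` beside `gboolean disabled` although both hold a VMTools_ConfigGetBoolean result; `gboolean` would be consistent. ToolsOnLoad starts and ends outside the hunk.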