add missing patch file

vmware-user-suid-wrapperx on Linux
- Don't accept tokens with unrelated certs

.gitignore

@@ -1 +1 @@
-SOURCES/open-vm-tools-12.2.5-21855600.tar.gz
+SOURCES/open-vm-tools-12.3.5-22544099.tar.gz

.open-vm-tools.metadata

@@ -1 +0,0 @@
-6bc6e77418cc4a039063a7ca40859535b9bbb339 SOURCES/open-vm-tools-12.2.5-21855600.tar.gz

SOURCES/0000-open-vm-tools-cve-2025-22247.patch

@@ -0,0 +1,374 @@
+From 7874e572b5aac5a418551dc5e3935c1e74bf6f1f Mon Sep 17 00:00:00 2001
+From: John Wolfe <john.wolfe@broadcom.com>
+Date: Mon, 5 May 2025 15:58:03 -0700
+Subject: [PATCH] Validate user names and file paths
+
+Prevent usage of illegal characters in user names and file paths.
+Also, disallow unexpected symlinks in file paths.
+
+This patch contains changes to common source files not applicable
+to open-vm-tools.
+
+All files being updated should be consider to have the copyright to
+be updated to:
+
+ * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+The 2025 Broadcom copyright information update is not part of this
+patch set to allow the patch to be easily applied to previous
+open-vm-tools source releases.
+---
+ open-vm-tools/vgauth/common/VGAuthUtil.c      | 33 +++++++++
+ open-vm-tools/vgauth/common/VGAuthUtil.h      |  2 +
+ open-vm-tools/vgauth/common/prefs.h           |  3 +
+ open-vm-tools/vgauth/common/usercheck.c       | 23 +++++-
+ open-vm-tools/vgauth/serviceImpl/alias.c      | 74 ++++++++++++++++++-
+ open-vm-tools/vgauth/serviceImpl/service.c    | 27 +++++++
+ open-vm-tools/vgauth/serviceImpl/serviceInt.h |  1 +
+ 7 files changed, 160 insertions(+), 3 deletions(-)
+
+diff --git a/open-vm-tools/vgauth/common/VGAuthUtil.c b/open-vm-tools/vgauth/common/VGAuthUtil.c
+index 76383c462..9c2adb8d0 100644
+--- a/open-vm-tools/vgauth/common/VGAuthUtil.c
++++ b/open-vm-tools/vgauth/common/VGAuthUtil.c
+@@ -309,3 +309,36 @@ Util_Assert(const char *cond,
+ #endif
+    g_assert(0);
+ }
++
++
++/*
++ ******************************************************************************
++ * Util_Utf8CaseCmp --                                                   */ /**
++ *
++ * Case insensitive comparison for utf8 strings which can have non-ascii
++ * characters.
++ *
++ * @param[in]  str1      Null terminated utf8 string.
++ * @param[in]  str2      Null terminated utf8 string.
++ *
++ ******************************************************************************
++ */
++
++int
++Util_Utf8CaseCmp(const gchar *str1,
++                 const gchar *str2)
++{
++   int ret;
++   gchar *str1Case;
++   gchar *str2Case;
++
++   str1Case = g_utf8_casefold(str1, -1);
++   str2Case = g_utf8_casefold(str2, -1);
++
++   ret = g_strcmp0(str1Case, str2Case);
++
++   g_free(str1Case);
++   g_free(str2Case);
++
++   return ret;
++}
+diff --git a/open-vm-tools/vgauth/common/VGAuthUtil.h b/open-vm-tools/vgauth/common/VGAuthUtil.h
+index f7f3aa216..ef32a91da 100644
+--- a/open-vm-tools/vgauth/common/VGAuthUtil.h
++++ b/open-vm-tools/vgauth/common/VGAuthUtil.h
+@@ -105,4 +105,6 @@ gboolean Util_CheckExpiration(const GTimeVal *start, unsigned int duration);
+
+ void Util_Assert(const char *cond, const char *file, int lineNum);
+
++int Util_Utf8CaseCmp(const gchar *str1, const gchar *str2);
++
+ #endif
+diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h
+index 6c58f3f4b..3299eb26c 100644
+--- a/open-vm-tools/vgauth/common/prefs.h
++++ b/open-vm-tools/vgauth/common/prefs.h
+@@ -167,6 +167,9 @@ msgCatalog = /etc/vmware-tools/vgauth/messages
+ /** Where the localized version of the messages were installed. */
+ #define VGAUTH_PREF_LOCALIZATION_DIR        "msgCatalog"
+
++/** If symlinks or junctions are allowed in alias store file path */
++#define VGAUTH_PREF_ALLOW_SYMLINKS  "allowSymlinks"
++
+ /*
+  * Pref values
+  */
+diff --git a/open-vm-tools/vgauth/common/usercheck.c b/open-vm-tools/vgauth/common/usercheck.c
+index 3beede2e8..340aa0411 100644
+--- a/open-vm-tools/vgauth/common/usercheck.c
++++ b/open-vm-tools/vgauth/common/usercheck.c
+@@ -78,6 +78,8 @@
+  * Solaris as well, but that path is untested.
+  */
+
++#define MAX_USER_NAME_LEN 256
++
+ /*
+  * A single retry works for the LDAP case, but try more often in case NIS
+  * or something else has a related issue.  Note that a bad username/uid won't
+@@ -354,12 +356,29 @@ Usercheck_UsernameIsLegal(const gchar *userName)
+     * restricted list for local usernames.
+     */
+    size_t len;
+-   char *illegalChars = "<>/";
++   size_t i = 0;
++   int backSlashCnt = 0;
++   /*
++    * As user names are used to generate its alias store file name/path, it
++    * should not contain path traversal characters ('/' and '\').
++    */
++   char *illegalChars = "<>/\\";
+
+    len = strlen(userName);
+-   if (strcspn(userName, illegalChars) != len) {
++   if (len > MAX_USER_NAME_LEN) {
+       return FALSE;
+    }
++
++   while ((i += strcspn(userName + i, illegalChars)) < len) {
++      /*
++       * One backward slash is allowed for domain\username separator.
++       */
++      if (userName[i] != '\\' || ++backSlashCnt > 1) {
++         return FALSE;
++      }
++      ++i;
++   }
++
+    return TRUE;
+ }
+
+diff --git a/open-vm-tools/vgauth/serviceImpl/alias.c b/open-vm-tools/vgauth/serviceImpl/alias.c
+index 4e170202c..c7040ebff 100644
+--- a/open-vm-tools/vgauth/serviceImpl/alias.c
++++ b/open-vm-tools/vgauth/serviceImpl/alias.c
+@@ -41,6 +41,7 @@
+ #include "certverify.h"
+ #include "VGAuthProto.h"
+ #include "vmxlog.h"
++#include "VGAuthUtil.h"
+
+ // puts the identity store in an easy to find place
+ #undef WIN_TEST_MODE
+@@ -66,6 +67,7 @@
+ #define ALIASSTORE_FILE_PREFIX   "user-"
+ #define ALIASSTORE_FILE_SUFFIX   ".xml"
+
++static gboolean allowSymlinks = FALSE;
+ static gchar *aliasStoreRootDir = DEFAULT_ALIASSTORE_ROOT_DIR;
+
+ #ifdef _WIN32
+@@ -252,6 +254,12 @@ mapping file layout:
+
+  */
+
++#ifdef _WIN32
++#define ISPATHSEP(c)  ((c) == '\\' || (c) == '/')
++#else
++#define ISPATHSEP(c)  ((c) == '/')
++#endif
++
+
+ /*
+  ******************************************************************************
+@@ -466,6 +474,7 @@ ServiceLoadFileContentsWin(const gchar *fileName,
+    gunichar2 *fileNameW = NULL;
+    BOOL ok;
+    DWORD bytesRead;
++   gchar *realPath = NULL;
+
+    *fileSize = 0;
+    *contents = NULL;
+@@ -622,6 +631,22 @@ ServiceLoadFileContentsWin(const gchar *fileName,
+       goto done;
+    }
+
++   if (!allowSymlinks) {
++      /*
++       * Check if fileName is real path.
++       */
++      if ((realPath = ServiceFileGetPathByHandle(hFile)) == NULL) {
++         err = VGAUTH_E_FAIL;
++         goto done;
++      }
++      if (Util_Utf8CaseCmp(realPath, fileName) != 0) {
++         Warning("%s: Real path (%s) is not same as file path (%s)\n",
++                 __FUNCTION__, realPath, fileName);
++         err = VGAUTH_E_FAIL;
++         goto done;
++      }
++   }
++
+    /*
+     * Now finally read the contents.
+     */
+@@ -650,6 +675,7 @@ done:
+       CloseHandle(hFile);
+    }
+    g_free(fileNameW);
++   g_free(realPath);
+
+    return err;
+ }
+@@ -672,6 +698,7 @@ ServiceLoadFileContentsPosix(const gchar *fileName,
+    gchar *buf;
+    gchar *bp;
+    int fd = -1;
++   gchar realPath[PATH_MAX] = { 0 };
+
+    *fileSize = 0;
+    *contents = NULL;
+@@ -817,6 +844,23 @@ ServiceLoadFileContentsPosix(const gchar *fileName,
+       goto done;
+    }
+
++   if (!allowSymlinks) {
++      /*
++       * Check if fileName is real path.
++       */
++      if (realpath(fileName, realPath) == NULL) {
++         Warning("%s: realpath() failed. errno (%d)\n", __FUNCTION__, errno);
++         err = VGAUTH_E_FAIL;
++         goto done;
++      }
++      if (g_strcmp0(realPath, fileName) != 0) {
++         Warning("%s: Real path (%s) is not same as file path (%s)\n",
++                 __FUNCTION__, realPath, fileName);
++         err = VGAUTH_E_FAIL;
++         goto done;
++      }
++   }
++
+    /*
+     * All confidence checks passed; read the bits.
+     */
+@@ -2803,8 +2847,13 @@ ServiceAliasRemoveAlias(const gchar *reqUserName,
+
+    /*
+     * We don't verify the user exists in a Remove operation, to allow
+-    * cleanup of deleted user's stores.
++    * cleanup of deleted user's stores, but we do check whether the
++    * user name is legal or not.
+     */
++   if (!Usercheck_UsernameIsLegal(userName)) {
++      Warning("%s: Illegal user name '%s'\n", __FUNCTION__, userName);
++      return VGAUTH_E_FAIL;
++   }
+
+    if (!CertVerify_IsWellFormedPEMCert(pemCert)) {
+       return VGAUTH_E_INVALID_CERTIFICATE;
+@@ -3036,6 +3085,16 @@ ServiceAliasQueryAliases(const gchar *userName,
+    }
+ #endif
+
++   /*
++    * We don't verify the user exists in a Query operation to allow
++    * cleaning up after a deleted user, but we do check whether the
++    * user name is legal or not.
++    */
++   if (!Usercheck_UsernameIsLegal(userName)) {
++      Warning("%s: Illegal user name '%s'\n", __FUNCTION__, userName);
++      return VGAUTH_E_FAIL;
++   }
++
+    err = AliasLoadAliases(userName, num, aList);
+    if (VGAUTH_E_OK != err) {
+       Warning("%s: failed to load Aliases for '%s'\n", __FUNCTION__, userName);
+@@ -3294,6 +3353,7 @@ ServiceAliasInitAliasStore(void)
+    VGAuthError err = VGAUTH_E_OK;
+    gboolean saveBadDir = FALSE;
+    char *defaultDir = NULL;
++   size_t len;
+
+ #ifdef _WIN32
+    {
+@@ -3324,6 +3384,10 @@ ServiceAliasInitAliasStore(void)
+    defaultDir = g_strdup(DEFAULT_ALIASSTORE_ROOT_DIR);
+ #endif
+
++   allowSymlinks = Pref_GetBool(gPrefs,
++                                VGAUTH_PREF_ALLOW_SYMLINKS,
++                                VGAUTH_PREF_GROUP_NAME_SERVICE,
++                                FALSE);
+    /*
+     * Find the alias store directory.  This allows an installer to put
+     * it somewhere else if necessary.
+@@ -3337,6 +3401,14 @@ ServiceAliasInitAliasStore(void)
+                                       VGAUTH_PREF_GROUP_NAME_SERVICE,
+                                       defaultDir);
+
++   /*
++    * Remove the trailing separator if any from aliasStoreRootDir path.
++    */
++   len = strlen(aliasStoreRootDir);
++   if (ISPATHSEP(aliasStoreRootDir[len - 1])) {
++      aliasStoreRootDir[len - 1] = '\0';
++   }
++
+    Log("Using '%s' for alias store root directory\n", aliasStoreRootDir);
+
+    g_free(defaultDir);
+diff --git a/open-vm-tools/vgauth/serviceImpl/service.c b/open-vm-tools/vgauth/serviceImpl/service.c
+index d4716526c..e053ed0fa 100644
+--- a/open-vm-tools/vgauth/serviceImpl/service.c
++++ b/open-vm-tools/vgauth/serviceImpl/service.c
+@@ -28,6 +28,7 @@
+ #include "VGAuthUtil.h"
+ #ifdef _WIN32
+ #include "winUtil.h"
++#include <glib.h>
+ #endif
+
+ static ServiceStartListeningForIOFunc startListeningIOFunc = NULL;
+@@ -283,9 +284,35 @@ static gchar *
+ ServiceUserNameToPipeName(const char *userName)
+ {
+    gchar *escapedName = ServiceEncodeUserName(userName);
++#ifdef _WIN32
++   /*
++    * Adding below pragma only in windows to suppress the compile time warning
++    * about unavailability of g_uuid_string_random() since compiler flag
++    * GLIB_VERSION_MAX_ALLOWED is defined to GLIB_VERSION_2_34.
++    * TODO: Remove below pragma when GLIB_VERSION_MAX_ALLOWED is bumped up to
++    * or greater than GLIB_VERSION_2_52.
++    */
++#pragma warning(suppress : 4996)
++   gchar *uuidStr = g_uuid_string_random();
++   /*
++    * Add a unique suffix to avoid a name collision with an existing named pipe
++    * created by someone else (intentionally or by accident).
++    * This is not needed for Linux; name collisions on sockets are already
++    * avoided there since (1) file system paths to VGAuthService sockets are in
++    * a directory that is writable only by root and (2) VGAuthService unlinks a
++    * socket path before binding it to a newly created socket.
++    */
++   gchar *pipeName = g_strdup_printf("%s-%s-%s",
++                                     SERVICE_PUBLIC_PIPE_NAME,
++                                     escapedName,
++                                     uuidStr);
++
++   g_free(uuidStr);
++#else
+    gchar *pipeName = g_strdup_printf("%s-%s",
+                                      SERVICE_PUBLIC_PIPE_NAME,
+                                      escapedName);
++#endif
+
+    g_free(escapedName);
+    return pipeName;
+diff --git a/open-vm-tools/vgauth/serviceImpl/serviceInt.h b/open-vm-tools/vgauth/serviceImpl/serviceInt.h
+index 5f420192b..f4f88547d 100644
+--- a/open-vm-tools/vgauth/serviceImpl/serviceInt.h
++++ b/open-vm-tools/vgauth/serviceImpl/serviceInt.h
+@@ -441,6 +441,7 @@ VGAuthError ServiceFileVerifyAdminGroupOwnedByHandle(const HANDLE hFile);
+ VGAuthError ServiceFileVerifyEveryoneReadableByHandle(const HANDLE hFile);
+ VGAuthError ServiceFileVerifyUserAccessByHandle(const HANDLE hFile,
+                                                 const char *userName);
++gchar *ServiceFileGetPathByHandle(HANDLE hFile);
+ #else
+ VGAuthError ServiceFileVerifyFileOwnerAndPerms(const char *fileName,
+                                                const char *userName,
+--
+2.43.5
+

SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch

@@ -1,424 +0,0 @@
-From 4fb21bd75fd5a4eceed67a8050436b47750ca716 Mon Sep 17 00:00:00 2001
-From: Katy Feng <fkaty@vmware.com>
-Date: Tue, 22 Aug 2023 11:11:42 -0700
-Subject: [PATCH] Provide alternate method to allow (expected) pre-frozen
- filesystems
-
-RH-Author: Ani Sinha <None>
-RH-MergeRequest: 30: Provide alternate method to allow (expected) pre-frozen filesystems when taking a quiesced snapshot.
-RH-Jira: RHEL-7012
-RH-Commit: [1/1] 07570fcdc1fd697d54268e530fc64162eb2a0bdb
-
-Effective with open-vm-tools 12.2.0, Linux quiesced snapshots will fail if
-any filesystem(s) have been prefrozen by other than the vmtoolsd process.
-This has been done to assure that filesystems are inactive while the
-snapshots are being taken. Some existing prefreeze scripts may be freezing
-some filesystem(s). In these cases, the vmtoolsd process must be informed of
-anticipated pre-frozen filesystems by providing an "excludedFileSystem" list in
-the [vmbackup] section of the tools.conf file.
-
-This change provides a new switch in the tools.conf file to allow pre-frozen
-filesystems to be encountered and accepted when doing a quiesced snapshot
-operation. With the default value of "false", the "ignoreFrozenFileSystems"
-can be configured with a setting of "true" to notify the quiesced snapshot
-operation that pre-frozen filesystems are allowed.
-
-(cherry picked from commit 60c3a80ddc2b400366ed05169e16a6bed6501da2)
-Signed-off-by: Ani Sinha <anisinha@redhat.com>
----
- open-vm-tools/lib/include/syncDriver.h        |  5 ++--
- open-vm-tools/lib/syncDriver/nullDriver.c     | 10 +++++---
- open-vm-tools/lib/syncDriver/syncDriverInt.h  | 14 +++++++----
- .../lib/syncDriver/syncDriverLinux.c          | 25 ++++++++++++++-----
- .../lib/syncDriver/syncDriverPosix.c          |  7 +++---
- open-vm-tools/lib/syncDriver/vmSyncDriver.c   | 10 +++++---
- .../services/plugins/vix/foundryToolsDaemon.c | 14 +++++++++--
- .../services/plugins/vmbackup/stateMachine.c  |  8 ++++--
- .../services/plugins/vmbackup/syncDriverOps.c |  5 ++--
- .../services/plugins/vmbackup/vmBackupInt.h   | 19 ++++++++------
- open-vm-tools/tools.conf                      | 23 +++++++++++++++++
- 11 files changed, 103 insertions(+), 37 deletions(-)
-
-diff --git a/open-vm-tools/lib/include/syncDriver.h b/open-vm-tools/lib/include/syncDriver.h
-index 20712f66..8ef229d4 100644
---- a/open-vm-tools/lib/include/syncDriver.h
-+++ b/open-vm-tools/lib/include/syncDriver.h
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2005-2018 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2005-2018, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -51,7 +51,8 @@ typedef enum {
- Bool SyncDriver_Init(void);
- Bool SyncDriver_Freeze(const char *drives, Bool enableNullDriver,
-                        SyncDriverHandle *handle,
--                       const char *excludedFileSystems);
-+                       const char *excludedFileSystems,
-+                       Bool ignoreFrozenFS);
- Bool SyncDriver_Thaw(const SyncDriverHandle handle);
- SyncDriverStatus SyncDriver_QueryStatus(const SyncDriverHandle handle,
-                                         int32 timeout);
-diff --git a/open-vm-tools/lib/syncDriver/nullDriver.c b/open-vm-tools/lib/syncDriver/nullDriver.c
-index 5e19e208..be96222a 100644
---- a/open-vm-tools/lib/syncDriver/nullDriver.c
-+++ b/open-vm-tools/lib/syncDriver/nullDriver.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -54,8 +54,9 @@ NullDriverClose(SyncDriverHandle handle)
-  *
-  * Calls sync().
-  *
-- * @param[in]  paths     Unused.
-- * @param[out] handle    Where to store the operation handle.
-+ * @param[in]  paths            Unused.
-+ * @param[out] handle           Where to store the operation handle.
-+ * @param[in]  ignoreFrozenFS   Unused.
-  *
-  * @return A SyncDriverErr.
-  *
-@@ -64,7 +65,8 @@ NullDriverClose(SyncDriverHandle handle)
- 
- SyncDriverErr
- NullDriver_Freeze(const GSList *paths,
--                  SyncDriverHandle *handle)
-+                  SyncDriverHandle *handle,
-+                  Bool ignoreFrozenFS)
- {
-    /*
-     * This is more of a "let's at least do something" than something that
-diff --git a/open-vm-tools/lib/syncDriver/syncDriverInt.h b/open-vm-tools/lib/syncDriver/syncDriverInt.h
-index 04f37bf2..a5706298 100644
---- a/open-vm-tools/lib/syncDriver/syncDriverInt.h
-+++ b/open-vm-tools/lib/syncDriver/syncDriverInt.h
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2011-2017 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2011-2017, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -41,7 +41,8 @@ typedef enum {
- } SyncDriverErr;
- 
- typedef SyncDriverErr (*SyncFreezeFn)(const GSList *paths,
--                                      SyncDriverHandle *handle);
-+                                      SyncDriverHandle *handle,
-+                                      Bool ignoreFrozenFs);
- 
- typedef struct SyncHandle {
-    SyncDriverErr (*thaw)(const SyncDriverHandle handle);
-@@ -55,15 +56,18 @@ typedef struct SyncHandle {
- #if defined(__linux__)
- SyncDriverErr
- LinuxDriver_Freeze(const GSList *userPaths,
--                   SyncDriverHandle *handle);
-+                   SyncDriverHandle *handle,
-+                   Bool ignoreFrozenFs);
- 
- SyncDriverErr
- VmSync_Freeze(const GSList *userPaths,
--              SyncDriverHandle *handle);
-+              SyncDriverHandle *handle,
-+              Bool ignoreFrozenFs);
- 
- SyncDriverErr
- NullDriver_Freeze(const GSList *userPaths,
--                  SyncDriverHandle *handle);
-+                  SyncDriverHandle *handle,
-+                  Bool ignoreFrozenFs);
- #endif
- 
- #endif
-diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
-index 6d9a3568..4581098e 100644
---- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c
-+++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
-@@ -199,8 +199,9 @@ LinuxFiGetAttr(const SyncDriverHandle handle,   // IN (ignored)
-  * slow when guest is performing significant IO. Therefore, caller should
-  * consider running this function in a separate thread.
-  *
-- * @param[in]  paths    List of paths to freeze.
-- * @param[out] handle   Handle to use for thawing.
-+ * @param[in]  paths           List of paths to freeze.
-+ * @param[out] handle          Handle to use for thawing.
-+ * @param[in]  ignoreFrozenFS  Switch to allow EBUSY error.
-  *
-  * @return A SyncDriverErr.
-  *
-@@ -209,7 +210,8 @@ LinuxFiGetAttr(const SyncDriverHandle handle,   // IN (ignored)
- 
- SyncDriverErr
- LinuxDriver_Freeze(const GSList *paths,
--                   SyncDriverHandle *handle)
-+                   SyncDriverHandle *handle,
-+                   Bool ignoreFrozenFS)
- {
-    ssize_t count = 0;
-    Bool first = TRUE;
-@@ -324,9 +326,12 @@ LinuxDriver_Freeze(const GSList *paths,
-           * Previously, an EBUSY error was ignored, assuming that we may try
-           * to freeze the same superblock more than once depending on the
-           * OS configuration (e.g., usage of bind mounts).
--          * Using the filesystem Id to check if this is a filesystem that we
--          * have seen previously and will ignore this FD only if that is
--          * the case.  Log a warning otherwise since the quiesced snapshot
-+          * Use the filesystem Id to check if this filesystem has been
-+          * handled before and, if so, ignore it.
-+          * Alternatively, allow (ignore) the EBUSY if the
-+          * "ignoreFrozenFileSystems" switch inside "vmbackup" section of
-+          * tools.conf file is TRUE.
-+          * Otherwise, log a warning as the quiesced snapshot
-           * attempt will fail.
-           */
-          if (ioctlerr == EBUSY) {
-@@ -339,6 +344,14 @@ LinuxDriver_Freeze(const GSList *paths,
-                 */
-                Debug(LGPFX "skipping path '%s' - previously frozen", path);
-                continue;
-+            } else if (ignoreFrozenFS) {
-+               /*
-+                * Ignores the EBUSY error if the FS has been frozen by another
-+                * process and the 'ignoreFrozenFileSystems' setting is
-+                * turned on in tools.conf file.
-+                */
-+               Debug(LGPFX "Ignoring the frozen filesystem '%s'",path);
-+               continue;
-             }
-             /*
-              * It appears that this FS has been locked or frozen by another
-diff --git a/open-vm-tools/lib/syncDriver/syncDriverPosix.c b/open-vm-tools/lib/syncDriver/syncDriverPosix.c
-index 7b6132ba..27369639 100644
---- a/open-vm-tools/lib/syncDriver/syncDriverPosix.c
-+++ b/open-vm-tools/lib/syncDriver/syncDriverPosix.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2005-2019 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2005-2019, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -456,7 +456,8 @@ Bool
- SyncDriver_Freeze(const char *userPaths,              // IN
-                   Bool enableNullDriver,              // IN
-                   SyncDriverHandle *handle,           // OUT
--                  const char *excludedFileSystems)    // IN
-+                  const char *excludedFileSystems,    // IN
-+                  Bool ignoreFrozenFS)                // IN
- {
-    GSList *paths = NULL;
-    SyncDriverErr err = SD_UNAVAILABLE;
-@@ -517,7 +518,7 @@ SyncDriver_Freeze(const char *userPaths,              // IN
-          continue;
-       }
- #endif
--      err = freezeFn(paths, handle);
-+      err = freezeFn(paths, handle, ignoreFrozenFS);
-    }
- 
-    /*
-diff --git a/open-vm-tools/lib/syncDriver/vmSyncDriver.c b/open-vm-tools/lib/syncDriver/vmSyncDriver.c
-index 2bd0e886..a0d4a315 100644
---- a/open-vm-tools/lib/syncDriver/vmSyncDriver.c
-+++ b/open-vm-tools/lib/syncDriver/vmSyncDriver.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -91,8 +91,9 @@ VmSyncClose(SyncDriverHandle handle)
-  * Opens a description to the driver's proc node, and if successful, send an
-  * ioctl to freeze the requested filesystems.
-  *
-- * @param[in]  paths    List of paths to freeze.
-- * @param[out] handle   Where to store the handle to use for thawing.
-+ * @param[in]  paths          List of paths to freeze.
-+ * @param[out] handle         Where to store the handle to use for thawing.
-+ * @param[in]  ignoreFrozenFS Unused.
-  *
-  * @return A SyncDriverErr.
-  *
-@@ -101,7 +102,8 @@ VmSyncClose(SyncDriverHandle handle)
- 
- SyncDriverErr
- VmSync_Freeze(const GSList *paths,
--              SyncDriverHandle *handle)
-+              SyncDriverHandle *handle,
-+              Bool ignoreFrozenFS)
- {
-    int file;
-    Bool first = TRUE;
-diff --git a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
-index 7d45d3f5..079540f1 100644
---- a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
-+++ b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2003-2021 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2003-2021, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -545,6 +545,8 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data)
-    GKeyFile *confDictRef = ctx->config;
-    Bool enableNullDriver;
-    GSource *timer;
-+   char *excludedFileSystems;
-+   Bool ignoreFrozenFS;
- 
-    /*
-     * Parse the arguments
-@@ -581,10 +583,18 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data)
-                                                "vmbackup",
-                                                "enableNullDriver",
-                                                FALSE);
-+   excludedFileSystems = VMTools_ConfigGetString(confDictRef,
-+                                                  "vmbackup",
-+                                                  "excludedFileSystems",
-+                                                  NULL);
-+   ignoreFrozenFS = VMTools_ConfigGetBoolean(confDictRef,
-+                                             "vmbackup",
-+                                             "ignoreFrozenFileSystems",
-+                                             FALSE);
- 
-    /* Perform the actual freeze. */
-    if (!SyncDriver_Freeze(driveList, enableNullDriver, &gSyncDriverHandle,
--                          NULL) ||
-+                          excludedFileSystems, ignoreFrozenFS) ||
-        SyncDriver_QueryStatus(gSyncDriverHandle, INFINITE) != SYNCDRIVER_IDLE) {
-       g_warning("%s: Failed to Freeze drives '%s'\n",
-                 __FUNCTION__, driveList);
-diff --git a/open-vm-tools/services/plugins/vmbackup/stateMachine.c b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
-index 99f52582..b04565d8 100644
---- a/open-vm-tools/services/plugins/vmbackup/stateMachine.c
-+++ b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
-@@ -1073,9 +1073,13 @@ VmBackupStartCommon(RpcInData *data,
- #if defined(__linux__)
-    gBackupState->excludedFileSystems =
-          VMBACKUP_CONFIG_GET_STR(ctx->config, "excludedFileSystems", NULL);
--   g_debug("Using excludedFileSystems = \"%s\"\n",
-+   gBackupState->ignoreFrozenFS =
-+       VMBACKUP_CONFIG_GET_BOOL(ctx->config, "ignoreFrozenFileSystems", FALSE);
-+
-+   g_debug("Using excludedFileSystems = \"%s\", ignoreFrozenFileSystems = %d\n",
-            (gBackupState->excludedFileSystems != NULL) ?
--            gBackupState->excludedFileSystems : "(null)");
-+            gBackupState->excludedFileSystems : "(null)",
-+           gBackupState->ignoreFrozenFS);
- #endif
-    g_debug("Quiescing volumes: %s",
-            (gBackupState->volumes) ? gBackupState->volumes : "(null)");
-diff --git a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
-index cc01d294..a090ec72 100644
---- a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
-+++ b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2007-2019, 2021 VMware, Inc. All rights reserved.
-+ * Copyright (C) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -276,7 +276,8 @@ VmBackupNewDriverOp(VmBackupState *state,       // IN
-                                      useNullDriverPrefs ?
-                                         state->enableNullDriver : FALSE,
-                                      op->syncHandle,
--                                     state->excludedFileSystems);
-+                                     state->excludedFileSystems,
-+                                     state->ignoreFrozenFS);
-          break;
-       case OP_THAW:
-          op->manifest = SyncNewManifest(state, *op->syncHandle);
-diff --git a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
-index 0c912174..65e2e552 100644
---- a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
-+++ b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h
-@@ -1,5 +1,5 @@
- /*********************************************************
-- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved.
-+ * Copyright (c) 2008-2019, 2023 VMware, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as published
-@@ -100,18 +100,22 @@ struct VmBackupSyncCompleter;
-  * Don't modify the fields directly - rather, use VmBackup_SetCurrentOp,
-  * which does most of the handling needed by users of the state machine.
-  *
-- * NOTE: The thread for freeze operation modifies currentOp in BackupState
-- *       which is also accessed by the AsyncCallback driving the state
-- *       machine (run by main thread). Also, gcc might generate two
-- *       instructions for writing a 64-bit value. Therefore, protect the
-- *       access to currentOp and related fields using opLock mutex.
-+ * NOTE 1: The thread for freeze operation modifies currentOp in BackupState
-+ *         which is also accessed by the AsyncCallback driving the state
-+ *         machine (run by main thread). Also, gcc might generate two
-+ *         instructions for writing a 64-bit value. Therefore, protect the
-+ *         access to currentOp and related fields using opLock mutex.
-+ *
-+ * NOTE 2: Only used by Linux guests, ignored on Windows guests and is
-+ *         initialized to "false" when the VmBackupState is initialized
-+ *         at the start of a backup operation.
-  */
- 
- typedef struct VmBackupState {
-    ToolsAppCtx   *ctx;
-    VmBackupOp    *currentOp;
-    const char    *currentOpName;
--   GMutex         opLock;          // See note above
-+   GMutex         opLock;          // See note 1 above
-    char          *volumes;
-    char          *snapshots;
-    guint          pollPeriod;
-@@ -127,6 +131,7 @@ typedef struct VmBackupState {
-    Bool           allowHWProvider;
-    Bool           execScripts;
-    Bool           enableNullDriver;
-+   Bool           ignoreFrozenFS;   // See note 2 above
-    Bool           needsPriv;
-    gchar         *scriptArg;
-    guint          timeout;
-diff --git a/open-vm-tools/tools.conf b/open-vm-tools/tools.conf
-index e5a03a9c..f238cb59 100644
---- a/open-vm-tools/tools.conf
-+++ b/open-vm-tools/tools.conf
-@@ -395,6 +395,29 @@
- 
- #excludedFileSystems=
- 
-+# Linux:
-+# It is possible that filesystems are being frozen in pre-freeze scripts
-+# to control the order in which those specific filesystems are to be frozen.
-+# The vmtoolsd process must be informed of all such filesystems with the help
-+# of "excludedFileSystems" setting of tools.conf.
-+#
-+# A temporary workaround is available (starting from 12.3.0) for admins to allow
-+# quiesceing operation to succeed until the "excludedFileSystems" list
-+# is configured.
-+#
-+# If another process thaws the file system while a quiescing operation
-+# operation is ongoing, the snapshot may be compromised. Once the
-+# "excludedFileSystems" list is configured this setting MUST be unset (or set
-+# to false).
-+#
-+# The value of ignoreFrozenFileSystems is a true or false; the default is
-+# false.
-+#
-+# Set to true to ignore pre-frozen file systems during the quiescing operation.
-+#
-+# ignoreFrozenFileSystems is Linux only (Not supported on Windows).
-+#ignoreFrozenFileSystems=false
-+
- # execScripts specifies whether to execute scripts as part of the quiescing
- # operation. Scripts are executed from the scripts directory along with the
- # legacy scripts.
--- 
-2.37.3
-

SOURCES/ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch

@@ -1,38 +0,0 @@
-From a839cb975d58968237bd871b1fb4cbe191af085b Mon Sep 17 00:00:00 2001
-From: Miroslav Rezanina <mrezanin@redhat.com>
-Date: Thu, 7 Sep 2023 02:27:50 -0400
-Subject: [PATCH] VGAuth: Allow only X509 certs to verify the SAML token
- signature.
-
-RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
-RH-Bugzilla: 2236543
-RH-CVE: CVE-2023-20900
-
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
----
- open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-index f5541a9a..0b2a945b 100644
---- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
-@@ -1335,7 +1335,14 @@ VerifySignature(xmlDocPtr doc,
-     */
-    bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
-    if (bRet == FALSE) {
--      g_warning("failed to register ID\n");
-+      g_warning("Failed to register ID\n");
-+      goto done;
-+   }
-+
-+   /* Use only X509 certs to validate the signature */
-+   if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
-+                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
-+      g_warning("Failed to limit allowed key data\n");
-       goto done;
-    }
- 
--- 
-2.39.3
-

SOURCES/vmtoolsd.service

@@ -6,10 +6,13 @@ Requires=vgauthd.service
 After=vgauthd.service
 DefaultDependencies=no
 Before=cloud-init-local.service
+StartLimitIntervalSec=30
+StartLimitBurst=3
 
 [Service]
 ExecStart=/usr/bin/vmtoolsd
 TimeoutStopSec=5
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target

SPECS/open-vm-tools.spec

@@ -19,9 +19,9 @@
 ################################################################################
 
 %global _hardened_build 1
-%global majorversion    12.2
+%global majorversion    12.3
 %global minorversion    5
-%global toolsbuild      21855600
+%global toolsbuild      22544099
 %global toolsversion    %{majorversion}.%{minorversion}
 %global toolsdaemon     vmtoolsd
 %global vgauthdaemon    vgauthd
@@ -32,7 +32,7 @@
 
 Name:             open-vm-tools
 Version:          %{toolsversion}
-Release:          3%{?dist}
+Release:          2%{?dist}.alma.1
 Summary:          Open Virtual Machine Tools for virtual machines hosted on VMware
 License:          GPLv2
 URL:              https://github.com/vmware/%{name}
@@ -52,10 +52,8 @@ ExclusiveArch:    %{ix86} x86_64 aarch64
 %endif
 
 # Patch0: name.patch
-# For RHEL-4584 - CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-8.10.0]
-Patch1: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch
-# For RHEL-7012 - [RHEL8.10][ESXi]Latest version of open-vm-tools breaks VM backups
-Patch2: ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch
+# https://github.com/vmware/open-vm-tools/tree/CVE-2025-22247.patch
+Patch0: 0000-open-vm-tools-cve-2025-22247.patch
 
 BuildRequires:    autoconf
 BuildRequires:    automake
@@ -91,7 +89,7 @@ BuildRequires:    gtk3-devel >= 3.10.0
 BuildRequires:    gtkmm30-devel >= 3.10.0
 BuildRequires:    libtirpc-devel
 BuildRequires:    rpcgen
-BuildRequires:    systemd-rpm-macros
+BuildRequires:    systemd-udev
 %else
 BuildRequires:    gtk2-devel >= 2.4.0
 BuildRequires:    gtkmm24-devel
@@ -414,12 +412,31 @@ fi
 %{_bindir}/vmware-vgauth-smoketest
 
 %changelog
-* Wed Sep 27 2023 Jon Maloy <jmaloy@redhat.com> - 12.2.5-3
+* Thu Jun 12 2025 Jonathan Wright <jonathan@almalinux.org> - 12.3.5-2.alma.1
+- Fix CVE-2025-22247, VMSA-2025-0007
+
+* Wed Dec 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-2
+- ovt-Restart-tools-on-failure.patch [RHEL-17683]
+- Resolves: RHEL-17683
+  (Add Restart=on-failure to vmtoolsd.service [rhel-8])
+
+* Thu Nov 09 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-1
+- Rebase to 12.3.5 [RHEL-15059]
+- Fix CVE-2023-34058 [RHEL-14649]
+- Fix CVE-2023-34059 [RHEL-14683]
+- Resolves: RHEL-15059
+  ([ESXi][RHEL8]open-vm-tools version 12.3.5 has been released - please rebase)
+- Resolves: RHEL-14649
+  (CVE-2023-34058 open-vm-tools: SAML token signature bypass [rhel-8.10.0])
+- Resolves: RHEL-14683
+  (CVE-2023-34059 open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper [rhel-8.10.0])
+
+* Wed Sep 27 2023 Jon Maloy <jmaloy@redhat.com> - 12.2.5-4
 - ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch [RHEL-7012]
 - Resolves: RHEL-7012
   ([RHEL8.10][ESXi]Latest version of open-vm-tools breaks VM backups)
 
-* Wed Sep 20 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.2.5-2
+* Wed Sep 20 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.2.5-3
 - Rebuild CVE-2023-20900 for 8.10
 - Resolves: RHEL-4584
   (CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-8.10.0])