
No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

3 changed files with 1 additions and 532 deletions


@ -1,133 +0,0 @@
From 68384f6ab79233817b5bf3370f0a46ee20a7f7e8 Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Wed, 1 Oct 2025 10:49:34 +0200
Subject: [PATCH] SDMP: Service Discovery Plugin
RH-Author: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-MergeRequest: 56: SDMP: Service Discovery Plugin
RH-Jira: RHEL-117388
RH-Acked-by: roverflow <None>
RH-Acked-by: Maxim Levitsky <None>
RH-Acked-by: Ani Sinha <anisinha@redhat.com>
RH-Commit: [1/1] b8e63c398b7615bbbd86ae3b4539717e4fff74b1
JIRA: https://issues.redhat.com/browse/RHEL-117388
CVE: CVE-2025-41244
commit 7ed196cf01f8acd09011815a605b6733894b8aab
Author: Kruti Pendharkar <kp025370@broadcom.com>
Date: Mon Sep 29 01:02:40 2025 -0700
Address CVE-2025-41244
- Disable (default) the execution of the SDMP get-versions.sh script.
With the Linux SDMP get-versions.sh script disabled, version information
of installed services will not be made available to VMware Aria
RHEL-only: used
https://github.com/vmware/open-vm-tools/blob/CVE-2025-41244.patch/CVE-2025-41244-1230-1235-SDMP.patch
patch for 12.3 version.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
---
.../serviceDiscovery/serviceDiscovery.c | 34 ++++++++++++++++---
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
index 103cf14e..2f65294b 100644
--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
@@ -115,6 +115,12 @@ static gchar* scriptInstallDir = NULL;
*/
#define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
+/*
+ * Defines the configuration to enable/disable version obtaining logic
+ */
+#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
+#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
+
/*
* Defines the configuration to cache data in gdp plugin
*/
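Review bot: The comment above `CONFNAME_SERVICEDISCOVERY_VERSION_CHECK` does not say why the default is FALSE. As far as this patch shows, only serviceDiscovery.c changes and the get-versions.sh script itself is untouched, so setting `version-check-enabled` to true brings back the pre-patch behaviour that CVE-2025-41244 was filed against. I would extend the comment to something like `Disabled by default to address CVE-2025-41244; enabling it re-enables execution of the get-versions script.`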
@@ -1239,23 +1245,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
*
* Construct final paths of the scripts that will be used for execution.
*
+ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
+ * entry; FALSE to skip it (derived from config).
+ *
*****************************************************************************
*/
static void
-ConstructScriptPaths(void)
+ConstructScriptPaths(Bool versionCheckEnabled)
{
int i;
#if !defined(OPEN_VM_TOOLS)
gchar *toolsInstallDir;
#endif
+ int insertIndex = 0;
if (gFullPaths != NULL) {
return;
}
gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
- ARRAYSIZE(gKeyScripts));
+ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
if (scriptInstallDir == NULL) {
#if defined(OPEN_VM_TOOLS)
scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
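Review bot: The added `@param` does not mention that `versionCheckEnabled` is honoured only on the first call: the `if (gFullPaths != NULL) return;` guard keeps the list that was built earlier, so a later call with a different value changes nothing. A sentence such as `Only the first call builds gFullPaths; the flag is ignored afterwards.` would document that. The `- 1u` in the reserved size assumes gKeyScripts holds exactly one SERVICE_DISCOVERY_KEY_VERSIONS entry; it is only a preallocation hint, so a mismatch costs a reallocation at most. The function body continues past this hunk.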
@@ -1267,6 +1277,15 @@ ConstructScriptPaths(void)
#endif
}
for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
+ /*
+ * Skip adding if:
+ * 1. Version check is disabled, AND
+ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
+ */
+ if (!versionCheckEnabled &&
+ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
+ continue;
+ }
KeyNameValue tmp;
tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
#if defined(_WIN32)
@@ -1274,7 +1293,8 @@ ConstructScriptPaths(void)
#else
tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
#endif
- g_array_insert_val(gFullPaths, i, tmp);
+ g_array_insert_val(gFullPaths, insertIndex, tmp);
+ insertIndex++;
}
}
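Review bot: `insertIndex` always equals the current array length in this loop, so `g_array_insert_val(gFullPaths, insertIndex, tmp)` is an append; `g_array_append_val(gFullPaths, tmp);` says that directly and lets the extra counter and its increment go. The loop starts in the previous hunk.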
@@ -1340,14 +1360,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
}
};
gboolean disabled;
+ Bool versionCheckEnabled;
regData.regs = VMTools_WrapArray(regs,
sizeof *regs,
ARRAYSIZE(regs));
+ versionCheckEnabled = VMTools_ConfigGetBoolean(
+ ctx->config,
+ CONFGROUPNAME_SERVICEDISCOVERY,
+ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
+ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
/*
* Append scripts execution command line
*/
- ConstructScriptPaths();
+ ConstructScriptPaths(versionCheckEnabled);
disabled =
VMTools_ConfigGetBoolean(ctx->config,
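Review bot: Nothing in this hunk records the effective value of `version-check-enabled`, so from the logs alone an administrator cannot tell whether the version script is active on a given guest. A single `g_info("%s: version check %s\n", __FUNCTION__, versionCheckEnabled ? "enabled" : "disabled");` after the lookup would make that auditable. The value is read once in ToolsOnLoad, so a configuration change presumably takes effect only after the service is restarted; ToolsOnLoad extends beyond the hunk.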
--
2.47.3


@ -1,384 +0,0 @@
From 4440325c484b0090722c5e2d69ea0e0f2e8c2824 Mon Sep 17 00:00:00 2001
From: John Wolfe <john.wolfe@broadcom.com>
Date: Mon, 5 May 2025 15:58:03 -0700
Subject: [PATCH] Validate user names and file paths
RH-Author: boyang <None>
RH-MergeRequest: 67: Validate user names and file paths
RH-Jira: RHEL-129361
RH-Acked-by: Lili Du <None>
RH-Acked-by: Ani Sinha <anisinha@redhat.com>
RH-Commit: [1/1] 6ea0f82d1db1fd2e8f5515dbe4fb57c258fb4458
Prevent usage of illegal characters in user names and file paths.
Also, disallow unexpected symlinks in file paths.
This patch contains changes to common source files not applicable
to open-vm-tools.
All files being updated should be considered to have the copyright to
be updated to:
* Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
* The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
The 2025 Broadcom copyright information update is not part of this
patch set to allow the patch to be easily applied to previous
open-vm-tools source releases.
Cherry picked from commit 7874e572b5aac5a418551dc5e3935c1e74bf6f1f
Signed-off-by: boyang <boyang@redhat.com>
---
open-vm-tools/vgauth/common/VGAuthUtil.c | 33 +++++++++
open-vm-tools/vgauth/common/VGAuthUtil.h | 2 +
open-vm-tools/vgauth/common/prefs.h | 3 +
open-vm-tools/vgauth/common/usercheck.c | 23 +++++-
open-vm-tools/vgauth/serviceImpl/alias.c | 74 ++++++++++++++++++-
open-vm-tools/vgauth/serviceImpl/service.c | 27 +++++++
open-vm-tools/vgauth/serviceImpl/serviceInt.h | 1 +
7 files changed, 160 insertions(+), 3 deletions(-)
diff --git a/open-vm-tools/vgauth/common/VGAuthUtil.c b/open-vm-tools/vgauth/common/VGAuthUtil.c
index 76383c46..9c2adb8d 100644
--- a/open-vm-tools/vgauth/common/VGAuthUtil.c
+++ b/open-vm-tools/vgauth/common/VGAuthUtil.c
@@ -309,3 +309,36 @@ Util_Assert(const char *cond,
#endif
g_assert(0);
}
+
+
+/*
+ ******************************************************************************
+ * Util_Utf8CaseCmp -- */ /**
+ *
+ * Case insensitive comparison for utf8 strings which can have non-ascii
+ * characters.
+ *
+ * @param[in] str1 Null terminated utf8 string.
+ * @param[in] str2 Null terminated utf8 string.
+ *
+ ******************************************************************************
+ */
+
+int
+Util_Utf8CaseCmp(const gchar *str1,
+ const gchar *str2)
+{
+ int ret;
+ gchar *str1Case;
+ gchar *str2Case;
+
+ str1Case = g_utf8_casefold(str1, -1);
+ str2Case = g_utf8_casefold(str2, -1);
+
+ ret = g_strcmp0(str1Case, str2Case);
+
+ g_free(str1Case);
+ g_free(str2Case);
+
+ return ret;
+}
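Review bot: The header comment of `Util_Utf8CaseCmp` documents both parameters but not the return value, which callers in alias.c compare against 0 to decide whether a file path is accepted. I would add `@return 0 if the case-folded strings are equal, otherwise the non-zero result of g_strcmp0() on the folded forms.` The function folds case but applies no Unicode normalisation, so canonically equivalent strings in different composed forms compare unequal; since the result gates a security check, that is worth one sentence in the comment as well.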
diff --git a/open-vm-tools/vgauth/common/VGAuthUtil.h b/open-vm-tools/vgauth/common/VGAuthUtil.h
index f7f3aa21..ef32a91d 100644
--- a/open-vm-tools/vgauth/common/VGAuthUtil.h
+++ b/open-vm-tools/vgauth/common/VGAuthUtil.h
@@ -105,4 +105,6 @@ gboolean Util_CheckExpiration(const GTimeVal *start, unsigned int duration);
void Util_Assert(const char *cond, const char *file, int lineNum);
+int Util_Utf8CaseCmp(const gchar *str1, const gchar *str2);
+
#endif
diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h
index 6c58f3f4..3299eb26 100644
--- a/open-vm-tools/vgauth/common/prefs.h
+++ b/open-vm-tools/vgauth/common/prefs.h
@@ -167,6 +167,9 @@ msgCatalog = /etc/vmware-tools/vgauth/messages
/** Where the localized version of the messages were installed. */
#define VGAUTH_PREF_LOCALIZATION_DIR "msgCatalog"
+/** If symlinks or junctions are allowed in alias store file path */
+#define VGAUTH_PREF_ALLOW_SYMLINKS "allowSymlinks"
+
/*
* Pref values
*/
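Review bot: The comment on `VGAUTH_PREF_ALLOW_SYMLINKS` does not say what the default is or what enabling it gives up. From the alias.c hunks in this patch the value is read with a default of FALSE and, when TRUE, the real-path comparison before reading an alias store file is skipped; I would spell that out, e.g. `/** Allow symlinks or junctions in the alias store file path; default FALSE. TRUE disables the real-path check. */`. If the sample preferences block earlier in this header lists the available keys, the new key belongs there as well; that block is only partly visible.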
diff --git a/open-vm-tools/vgauth/common/usercheck.c b/open-vm-tools/vgauth/common/usercheck.c
index 3beede2e..340aa041 100644
--- a/open-vm-tools/vgauth/common/usercheck.c
+++ b/open-vm-tools/vgauth/common/usercheck.c
@@ -78,6 +78,8 @@
* Solaris as well, but that path is untested.
*/
+#define MAX_USER_NAME_LEN 256
+
/*
* A single retry works for the LDAP case, but try more often in case NIS
* or something else has a related issue. Note that a bad username/uid won't
@@ -354,12 +356,29 @@ Usercheck_UsernameIsLegal(const gchar *userName)
* restricted list for local usernames.
*/
size_t len;
- char *illegalChars = "<>/";
+ size_t i = 0;
+ int backSlashCnt = 0;
+ /*
+ * As user names are used to generate its alias store file name/path, it
+ * should not contain path traversal characters ('/' and '\').
+ */
+ char *illegalChars = "<>/\\";
len = strlen(userName);
- if (strcspn(userName, illegalChars) != len) {
+ if (len > MAX_USER_NAME_LEN) {
return FALSE;
}
+
+ while ((i += strcspn(userName + i, illegalChars)) < len) {
+ /*
+ * One backward slash is allowed for domain\username separator.
+ */
+ if (userName[i] != '\\' || ++backSlashCnt > 1) {
+ return FALSE;
+ }
+ ++i;
+ }
+
return TRUE;
}
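Review bot: The new loop accepts the single permitted backslash in any position, including as the first or last character, and an empty name still returns TRUE because the loop is never entered. If the backslash is only meant as a `domain\username` separator, both sides should be non-empty: `if (len == 0 || len > MAX_USER_NAME_LEN) {` for the length test and `if (userName[i] != '\\' || ++backSlashCnt > 1 || i == 0 || i + 1 == len) {` inside the loop. Whether a caller rejects empty names earlier is not visible on this page, so that part should be confirmed. `illegalChars` is never written and could be `const char *`. Usercheck_UsernameIsLegal starts outside the hunk.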
diff --git a/open-vm-tools/vgauth/serviceImpl/alias.c b/open-vm-tools/vgauth/serviceImpl/alias.c
index 4e170202..c7040ebf 100644
--- a/open-vm-tools/vgauth/serviceImpl/alias.c
+++ b/open-vm-tools/vgauth/serviceImpl/alias.c
@@ -41,6 +41,7 @@
#include "certverify.h"
#include "VGAuthProto.h"
#include "vmxlog.h"
+#include "VGAuthUtil.h"
// puts the identity store in an easy to find place
#undef WIN_TEST_MODE
@@ -66,6 +67,7 @@
#define ALIASSTORE_FILE_PREFIX "user-"
#define ALIASSTORE_FILE_SUFFIX ".xml"
+static gboolean allowSymlinks = FALSE;
static gchar *aliasStoreRootDir = DEFAULT_ALIASSTORE_ROOT_DIR;
#ifdef _WIN32
@@ -252,6 +254,12 @@ mapping file layout:
*/
+#ifdef _WIN32
+#define ISPATHSEP(c) ((c) == '\\' || (c) == '/')
+#else
+#define ISPATHSEP(c) ((c) == '/')
+#endif
+
/*
******************************************************************************
@@ -466,6 +474,7 @@ ServiceLoadFileContentsWin(const gchar *fileName,
gunichar2 *fileNameW = NULL;
BOOL ok;
DWORD bytesRead;
+ gchar *realPath = NULL;
*fileSize = 0;
*contents = NULL;
@@ -622,6 +631,22 @@ ServiceLoadFileContentsWin(const gchar *fileName,
goto done;
}
+ if (!allowSymlinks) {
+ /*
+ * Check if fileName is real path.
+ */
+ if ((realPath = ServiceFileGetPathByHandle(hFile)) == NULL) {
+ err = VGAUTH_E_FAIL;
+ goto done;
+ }
+ if (Util_Utf8CaseCmp(realPath, fileName) != 0) {
+ Warning("%s: Real path (%s) is not same as file path (%s)\n",
+ __FUNCTION__, realPath, fileName);
+ err = VGAUTH_E_FAIL;
+ goto done;
+ }
+ }
+
/*
* Now finally read the contents.
*/
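Review bot: The branch taken when `ServiceFileGetPathByHandle()` returns NULL sets `err` without logging, while the mismatch branch right below it logs both paths; unless the helper logs its own failure (its body is not on this page), a refused alias-store load leaves no trace of the reason. Add `Warning("%s: failed to get real path of '%s'\n", __FUNCTION__, fileName);` before the first `goto done`. The comparison is case-insensitive but otherwise exact, so a store root configured in a different notation than the handle-derived path would also be refused; that fails closed, but it deserves a mention next to the preference. ServiceLoadFileContentsWin extends beyond the hunk.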
@@ -650,6 +675,7 @@ done:
CloseHandle(hFile);
}
g_free(fileNameW);
+ g_free(realPath);
return err;
}
@@ -672,6 +698,7 @@ ServiceLoadFileContentsPosix(const gchar *fileName,
gchar *buf;
gchar *bp;
int fd = -1;
+ gchar realPath[PATH_MAX] = { 0 };
*fileSize = 0;
*contents = NULL;
@@ -817,6 +844,23 @@ ServiceLoadFileContentsPosix(const gchar *fileName,
goto done;
}
+ if (!allowSymlinks) {
+ /*
+ * Check if fileName is real path.
+ */
+ if (realpath(fileName, realPath) == NULL) {
+ Warning("%s: realpath() failed. errno (%d)\n", __FUNCTION__, errno);
+ err = VGAUTH_E_FAIL;
+ goto done;
+ }
+ if (g_strcmp0(realPath, fileName) != 0) {
+ Warning("%s: Real path (%s) is not same as file path (%s)\n",
+ __FUNCTION__, realPath, fileName);
+ err = VGAUTH_E_FAIL;
+ goto done;
+ }
+ }
+
/*
* All confidence checks passed; read the bits.
*/
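Review bot: The symlink check in this hunk resolves `fileName` by name with `realpath()` rather than checking the file that is actually read, so the path could be changed between the open and this check; this assumes the file was opened earlier in ServiceLoadFileContentsPosix, which the `fd` local suggests but the hunk does not show. The Windows variant derives the path from the open handle and does not have this gap. Comparing device and inode of the resolved path with `fstat(fd)` ties the name check to the descriptor and narrows the window. The exact string comparison also refuses any store root that is not already in canonical form, which should be stated in the preference documentation.

```c
   if (!allowSymlinks) {
      struct stat pathStat;
      struct stat fdStat;

      /* … unchanged: realpath() call and g_strcmp0() comparison with fileName … */

      /*
       * Tie the name check to the descriptor that is read below: the
       * resolved path and the open file must be the same object.
       */
      if (stat(realPath, &pathStat) != 0 || fstat(fd, &fdStat) != 0 ||
          pathStat.st_dev != fdStat.st_dev ||
          pathStat.st_ino != fdStat.st_ino) {
         Warning("%s: file (%s) changed while it was being checked\n",
                 __FUNCTION__, fileName);
         err = VGAUTH_E_FAIL;
         goto done;
      }
   }
```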
@@ -2803,8 +2847,13 @@ ServiceAliasRemoveAlias(const gchar *reqUserName,
/*
* We don't verify the user exists in a Remove operation, to allow
- * cleanup of deleted user's stores.
+ * cleanup of deleted user's stores, but we do check whether the
+ * user name is legal or not.
*/
+ if (!Usercheck_UsernameIsLegal(userName)) {
+ Warning("%s: Illegal user name '%s'\n", __FUNCTION__, userName);
+ return VGAUTH_E_FAIL;
+ }
if (!CertVerify_IsWellFormedPEMCert(pemCert)) {
return VGAUTH_E_INVALID_CERTIFICATE;
@@ -3036,6 +3085,16 @@ ServiceAliasQueryAliases(const gchar *userName,
}
#endif
+ /*
+ * We don't verify the user exists in a Query operation to allow
+ * cleaning up after a deleted user, but we do check whether the
+ * user name is legal or not.
+ */
+ if (!Usercheck_UsernameIsLegal(userName)) {
+ Warning("%s: Illegal user name '%s'\n", __FUNCTION__, userName);
+ return VGAUTH_E_FAIL;
+ }
+
err = AliasLoadAliases(userName, num, aList);
if (VGAUTH_E_OK != err) {
Warning("%s: failed to load Aliases for '%s'\n", __FUNCTION__, userName);
@@ -3294,6 +3353,7 @@ ServiceAliasInitAliasStore(void)
VGAuthError err = VGAUTH_E_OK;
gboolean saveBadDir = FALSE;
char *defaultDir = NULL;
+ size_t len;
#ifdef _WIN32
{
@@ -3324,6 +3384,10 @@ ServiceAliasInitAliasStore(void)
defaultDir = g_strdup(DEFAULT_ALIASSTORE_ROOT_DIR);
#endif
+ allowSymlinks = Pref_GetBool(gPrefs,
+ VGAUTH_PREF_ALLOW_SYMLINKS,
+ VGAUTH_PREF_GROUP_NAME_SERVICE,
+ FALSE);
/*
* Find the alias store directory. This allows an installer to put
* it somewhere else if necessary.
@@ -3337,6 +3401,14 @@ ServiceAliasInitAliasStore(void)
VGAUTH_PREF_GROUP_NAME_SERVICE,
defaultDir);
+ /*
+ * Remove the trailing separator if any from aliasStoreRootDir path.
+ */
+ len = strlen(aliasStoreRootDir);
+ if (ISPATHSEP(aliasStoreRootDir[len - 1])) {
+ aliasStoreRootDir[len - 1] = '\0';
+ }
+
Log("Using '%s' for alias store root directory\n", aliasStoreRootDir);
g_free(defaultDir);
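Review bot: `aliasStoreRootDir[len - 1]` is read without checking `len`, so an empty directory value makes `len - 1` wrap around and the read lands far outside the string, and a value of just one separator is truncated to an empty root. Guard it with `if (len > 1 && ISPATHSEP(aliasStoreRootDir[len - 1])) {`. Only one trailing separator is removed, so a value ending in two separators presumably still fails the real-path comparison added elsewhere in this patch. ServiceAliasInitAliasStore continues outside the hunk.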
diff --git a/open-vm-tools/vgauth/serviceImpl/service.c b/open-vm-tools/vgauth/serviceImpl/service.c
index d4716526..e053ed0f 100644
--- a/open-vm-tools/vgauth/serviceImpl/service.c
+++ b/open-vm-tools/vgauth/serviceImpl/service.c
@@ -28,6 +28,7 @@
#include "VGAuthUtil.h"
#ifdef _WIN32
#include "winUtil.h"
+#include <glib.h>
#endif
static ServiceStartListeningForIOFunc startListeningIOFunc = NULL;
@@ -283,9 +284,35 @@ static gchar *
ServiceUserNameToPipeName(const char *userName)
{
gchar *escapedName = ServiceEncodeUserName(userName);
+#ifdef _WIN32
+ /*
+ * Adding below pragma only in windows to suppress the compile time warning
+ * about unavailability of g_uuid_string_random() since compiler flag
+ * GLIB_VERSION_MAX_ALLOWED is defined to GLIB_VERSION_2_34.
+ * TODO: Remove below pragma when GLIB_VERSION_MAX_ALLOWED is bumped up to
+ * or greater than GLIB_VERSION_2_52.
+ */
+#pragma warning(suppress : 4996)
+ gchar *uuidStr = g_uuid_string_random();
+ /*
+ * Add a unique suffix to avoid a name collision with an existing named pipe
+ * created by someone else (intentionally or by accident).
+ * This is not needed for Linux; name collisions on sockets are already
+ * avoided there since (1) file system paths to VGAuthService sockets are in
+ * a directory that is writable only by root and (2) VGAuthService unlinks a
+ * socket path before binding it to a newly created socket.
+ */
+ gchar *pipeName = g_strdup_printf("%s-%s-%s",
+ SERVICE_PUBLIC_PIPE_NAME,
+ escapedName,
+ uuidStr);
+
+ g_free(uuidStr);
+#else
gchar *pipeName = g_strdup_printf("%s-%s",
SERVICE_PUBLIC_PIPE_NAME,
escapedName);
+#endif
g_free(escapedName);
return pipeName;
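Review bot: A random suffix makes a pre-existing pipe with the same name unlikely, but it does not by itself establish that the service created the pipe; on Windows that guarantee comes from creating the pipe with `FILE_FLAG_FIRST_PIPE_INSTANCE`, and the creation call is not part of this hunk, so it should be confirmed there. `g_uuid_string_random()` needs GLib 2.52, and `#pragma warning(suppress : 4996)` only hides the availability warning; a comment naming the minimum GLib the Windows build links against would make that dependency explicit next to the TODO.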
diff --git a/open-vm-tools/vgauth/serviceImpl/serviceInt.h b/open-vm-tools/vgauth/serviceImpl/serviceInt.h
index 5f420192..f4f88547 100644
--- a/open-vm-tools/vgauth/serviceImpl/serviceInt.h
+++ b/open-vm-tools/vgauth/serviceImpl/serviceInt.h
@@ -441,6 +441,7 @@ VGAuthError ServiceFileVerifyAdminGroupOwnedByHandle(const HANDLE hFile);
VGAuthError ServiceFileVerifyEveryoneReadableByHandle(const HANDLE hFile);
VGAuthError ServiceFileVerifyUserAccessByHandle(const HANDLE hFile,
const char *userName);
+gchar *ServiceFileGetPathByHandle(HANDLE hFile);
#else
VGAuthError ServiceFileVerifyFileOwnerAndPerms(const char *fileName,
const char *userName,
--
2.47.3


@ -32,7 +32,7 @@
Name: open-vm-tools Name: open-vm-tools
Version: %{toolsversion} Version: %{toolsversion}
Release: 2%{?dist}.2 Release: 2%{?dist}
Summary: Open Virtual Machine Tools for virtual machines hosted on VMware Summary: Open Virtual Machine Tools for virtual machines hosted on VMware
License: GPLv2 License: GPLv2
URL: https://github.com/vmware/%{name} URL: https://github.com/vmware/%{name}
@ -52,10 +52,6 @@ ExclusiveArch: %{ix86} x86_64 aarch64
%endif %endif
# Patch0: name.patch # Patch0: name.patch
# For RHEL-117388 - [CISA Major Incident] CVE-2025-41244 open-vm-tools: Local privilege escalation in open-vm-tools [rhel-8.10.z]
Patch1: ovt-SDMP-Service-Discovery-Plugin.patch
# For RHEL-129361 - Backport of CVE-2025-22247 to 8.10
Patch2: ovt-Validate-user-names-and-file-paths.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -414,16 +410,6 @@ fi
%{_bindir}/vmware-vgauth-smoketest %{_bindir}/vmware-vgauth-smoketest
%changelog %changelog
* Tue Jan 06 2026 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-2.el8_10.2
- ovt-Validate-user-names-and-file-paths.patch [RHEL-129361]
- Resolves: RHEL-129361
(Backport of CVE-2025-22247 to 8.10)
* Tue Oct 07 2025 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-2.el8.1
- ovt-SDMP-Service-Discovery-Plugin.patch [RHEL-117388]
- Resolves: RHEL-117388
([CISA Major Incident] CVE-2025-41244 open-vm-tools: Local privilege escalation in open-vm-tools [rhel-8.10.z])
* Wed Dec 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-2 * Wed Dec 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-2
- ovt-Restart-tools-on-failure.patch [RHEL-17683] - ovt-Restart-tools-on-failure.patch [RHEL-17683]
- Resolves: RHEL-17683 - Resolves: RHEL-17683