Sync with c8

vmware-user-suid-wrapperx on Linux
- Don't accept tokens with unrelated certs

.open-vm-tools.metadata

@@ -1 +0,0 @@
-84ec127c620c46f6cddb5e38ce556a31244a967d SOURCES/open-vm-tools-12.3.5-22544099.tar.gz

SOURCES/ovt-SDMP-Service-Discovery-Plugin.patch

@@ -1,133 +0,0 @@
-From 68384f6ab79233817b5bf3370f0a46ee20a7f7e8 Mon Sep 17 00:00:00 2001
-From: Vitaly Kuznetsov <vkuznets@redhat.com>
-Date: Wed, 1 Oct 2025 10:49:34 +0200
-Subject: [PATCH] SDMP: Service Discovery Plugin
-
-RH-Author: Vitaly Kuznetsov <vkuznets@redhat.com>
-RH-MergeRequest: 56: SDMP: Service Discovery Plugin
-RH-Jira: RHEL-117388
-RH-Acked-by: roverflow <None>
-RH-Acked-by: Maxim Levitsky <None>
-RH-Acked-by: Ani Sinha <anisinha@redhat.com>
-RH-Commit: [1/1] b8e63c398b7615bbbd86ae3b4539717e4fff74b1
-
-JIRA: https://issues.redhat.com/browse/RHEL-117388
-CVE: CVE-2025-41244
-
-commit 7ed196cf01f8acd09011815a605b6733894b8aab
-Author: Kruti Pendharkar <kp025370@broadcom.com>
-Date:   Mon Sep 29 01:02:40 2025 -0700
-
-    Address CVE-2025-41244
-     - Disable (default) the execution of the SDMP get-versions.sh script.
-
-    With the Linux SDMP get-versions.sh script disabled, version information
-    of installed services will not be made available to VMware Aria
-
-RHEL-only: used
-https://github.com/vmware/open-vm-tools/blob/CVE-2025-41244.patch/CVE-2025-41244-1230-1235-SDMP.patch
-patch for 12.3 version.
-
-Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
----
- .../serviceDiscovery/serviceDiscovery.c       | 34 ++++++++++++++++---
- 1 file changed, 30 insertions(+), 4 deletions(-)
-
-diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
-index 103cf14e..2f65294b 100644
---- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
-+++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
-@@ -115,6 +115,12 @@ static gchar* scriptInstallDir = NULL;
-  */
- #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
- 
-+/*
-+ * Defines the configuration to enable/disable version obtaining logic
-+ */
-+#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
-+#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
-+
- /*
-  * Defines the configuration to cache data in gdp plugin
-  */
-@@ -1239,23 +1245,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
-  *
-  * Construct final paths of the scripts that will be used for execution.
-  *
-+ * @param[in] versionCheckEnabled  TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
-+ *                                 entry; FALSE to skip it (derived from config).
-+ *
-  *****************************************************************************
-  */
- 
- static void
--ConstructScriptPaths(void)
-+ConstructScriptPaths(Bool versionCheckEnabled)
- {
-    int i;
- #if !defined(OPEN_VM_TOOLS)
-    gchar *toolsInstallDir;
- #endif
-+   int insertIndex = 0;
- 
-    if (gFullPaths != NULL) {
-       return;
-    }
- 
-    gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
--                                  ARRAYSIZE(gKeyScripts));
-+                                  ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
-    if (scriptInstallDir == NULL) {
- #if defined(OPEN_VM_TOOLS)
-       scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
-@@ -1267,6 +1277,15 @@ ConstructScriptPaths(void)
- #endif
-    }
-    for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
-+      /*
-+       * Skip adding if:
-+       * 1. Version check is disabled, AND
-+       * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
-+       */
-+      if (!versionCheckEnabled &&
-+         g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
-+         continue;
-+      }
-       KeyNameValue tmp;
-       tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
- #if defined(_WIN32)
-@@ -1274,7 +1293,8 @@ ConstructScriptPaths(void)
- #else
-       tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
- #endif
--      g_array_insert_val(gFullPaths, i, tmp);
-+      g_array_insert_val(gFullPaths, insertIndex, tmp);
-+      insertIndex++;
-    }
- }
- 
-@@ -1340,14 +1360,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
-          }
-       };
-       gboolean disabled;
-+      Bool versionCheckEnabled;
- 
-       regData.regs = VMTools_WrapArray(regs,
-                                        sizeof *regs,
-                                        ARRAYSIZE(regs));
-+      versionCheckEnabled = VMTools_ConfigGetBoolean(
-+         ctx->config,
-+         CONFGROUPNAME_SERVICEDISCOVERY,
-+         CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
-+         SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
-       /*
-        * Append scripts execution command line
-        */
--      ConstructScriptPaths();
-+      ConstructScriptPaths(versionCheckEnabled);
- 
-       disabled =
-          VMTools_ConfigGetBoolean(ctx->config,
--- 
-2.47.3
-

SPECS/open-vm-tools.spec

@@ -32,7 +32,7 @@
 
 Name:             open-vm-tools
 Version:          %{toolsversion}
-Release:          2%{?dist}.1
+Release:          2%{?dist}
 Summary:          Open Virtual Machine Tools for virtual machines hosted on VMware
 License:          GPLv2
 URL:              https://github.com/vmware/%{name}
@@ -52,8 +52,6 @@ ExclusiveArch:    %{ix86} x86_64 aarch64
 %endif
 
 # Patch0: name.patch
-# For RHEL-117388 - [CISA Major Incident] CVE-2025-41244 open-vm-tools: Local privilege escalation in open-vm-tools [rhel-8.10.z]
-Patch1: ovt-SDMP-Service-Discovery-Plugin.patch
 
 BuildRequires:    autoconf
 BuildRequires:    automake
@@ -412,11 +410,6 @@ fi
 %{_bindir}/vmware-vgauth-smoketest
 
 %changelog
-* Tue Oct 07 2025 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-2.el8.1
-- ovt-SDMP-Service-Discovery-Plugin.patch [RHEL-117388]
-- Resolves: RHEL-117388
-  ([CISA Major Incident] CVE-2025-41244 open-vm-tools: Local privilege escalation in open-vm-tools [rhel-8.10.z])
-
 * Wed Dec 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 12.3.5-2
 - ovt-Restart-tools-on-failure.patch [RHEL-17683]
 - Resolves: RHEL-17683