File CVE-2025-41244-1240-1300-SDMP.patch of Package open-vm-tools.40832
From 7b6f212c40f13060f97a715e838137cbab2f47ad Mon Sep 17 00:00:00 2001
From: John Wolfe <john.wolfe@broadcom.com>
Date: Wed, 17 Sep 2025 21:51:54 -0700
Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
Address CVE-2025-41244
- Disable (default) the execution of the SDMP get-versions.sh script.
With the Linux SDMP get-versions.sh script disabled, version information
of installed services will not be made available to VMware Aria.
All files being updated should be consider to have the copyright
updated to:
* Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
* The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
The 2025 Broadcom copyright information update is not part of this
patch set to allow the patch to be easily applied to previous
open-vm-tools source releases.
---
.../serviceDiscovery/serviceDiscovery.c | 34 ++++++++++++++++---
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
index 0da598f13..fdd81f82b 100644
--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
@@ -122,6 +122,12 @@ static gchar* scriptInstallDir = NULL;
#define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
#define SERVICE_DISCOVERY_CONF_DEFAULT_CACHEDATA TRUE
+/*
+ * Defines the configuration to enable/disable version obtaining logic
+ */
+#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
+#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
+
/*
* Define the configuration to require at least one subscriber subscribed for
* the gdp message.
@@ -1265,23 +1271,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
*
* Construct final paths of the scripts that will be used for execution.
*
+ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
+ * entry; FALSE to skip it (derived from config).
+ *
*****************************************************************************
*/
static void
-ConstructScriptPaths(void)
+ConstructScriptPaths(Bool versionCheckEnabled)
{
int i;
#if !defined(OPEN_VM_TOOLS)
gchar *toolsInstallDir;
#endif
+ int insertIndex = 0;
if (gFullPaths != NULL) {
return;
}
gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
- ARRAYSIZE(gKeyScripts));
+ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
if (scriptInstallDir == NULL) {
#if defined(OPEN_VM_TOOLS)
scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
@@ -1293,6 +1303,15 @@ ConstructScriptPaths(void)
#endif
}
for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
+ /*
+ * Skip adding if:
+ * 1. Version check is disabled, AND
+ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
+ */
+ if (!versionCheckEnabled &&
+ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
+ continue;
+ }
KeyNameValue tmp;
tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
#if defined(_WIN32)
@@ -1300,7 +1319,8 @@ ConstructScriptPaths(void)
#else
tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
#endif
- g_array_insert_val(gFullPaths, i, tmp);
+ g_array_insert_val(gFullPaths, insertIndex, tmp);
+ insertIndex++;
}
}
@@ -1366,14 +1386,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
}
};
gboolean disabled;
+ Bool versionCheckEnabled;
regData.regs = VMTools_WrapArray(regs,
sizeof *regs,
ARRAYSIZE(regs));
+ versionCheckEnabled = VMTools_ConfigGetBoolean(
+ ctx->config,
+ CONFGROUPNAME_SERVICEDISCOVERY,
+ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
+ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
/*
* Append scripts execution command line
*/
- ConstructScriptPaths();
+ ConstructScriptPaths(versionCheckEnabled);
disabled =
VMTools_ConfigGetBoolean(ctx->config,
--
2.47.3
