Package: open-vm-tools / 2:12.2.0-1+deb12u3

Metadata

Package: open-vm-tools
Version: 2:12.2.0-1+deb12u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
use debian pam

open-vm-tools/services/vmtoolsd/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
debian/scsi udev rule

open-vm-tools/udev/99-vmware-scsi-udev.rules | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
debian/grpc_1.51

open-vm-tools/services/plugins/containerInfo/Makefile.am | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
2023 20867 Remove some dead code.patch

open-vm-tools/services/plugins/vix/vixTools.c | 102 0 + 102 - 0 !
1 file changed, 102 deletions(-)

 [patch] remove some dead code.

Address CVE-2023-20867.
Remove some authentication types which were deprecated long
ago and are no longer in use. These are dead code.

CVE 2023 20900.patch

open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch] address cve-2023-20900

VGAuth: Allow only X509 certs to verify the SAML token signature.


CVE 2023 34059.patch

open-vm-tools/services/vmtoolsd/mainPosix.c | 76 76 + 0 - 0 !
open-vm-tools/vmware-user-suid-wrapper/main.c | 26 3 + 23 - 0 !
2 files changed, 79 insertions(+), 23 deletions(-)

 [patch] address cve-2023-34059

Fix file descriptor vulnerability in the open-vm-tools
   vmware-user-suid-wrapper on Linux.
 - Moving the privilege drop logic (dropping privilege to the real uid
   and gid of the process for the vmusr service) from suidWrapper to
   vmtoolsd code.


CVE 2023 34058.patch

open-vm-tools/vgauth/common/certverify.c | 145 145 + 0 - 0 !
open-vm-tools/vgauth/common/certverify.h | 4 4 + 0 - 0 !
open-vm-tools/vgauth/common/prefs.h | 2 2 + 0 - 0 !
open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 14 14 + 0 - 0 !
4 files changed, 165 insertions(+)

 [patch] address cve-2023-34058

VGAuth: don't accept tokens with unrelated certs.


CVE 2025 22247 1100 1225 VGAuth updates.patch

open-vm-tools/vgauth/common/VGAuthUtil.c | 33 33 + 0 - 0 !
open-vm-tools/vgauth/common/VGAuthUtil.h | 2 2 + 0 - 0 !
open-vm-tools/vgauth/common/prefs.h | 3 3 + 0 - 0 !
open-vm-tools/vgauth/common/usercheck.c | 28 21 + 7 - 0 !
open-vm-tools/vgauth/serviceImpl/alias.c | 74 73 + 1 - 0 !
open-vm-tools/vgauth/serviceImpl/service.c | 27 27 + 0 - 0 !
open-vm-tools/vgauth/serviceImpl/serviceInt.h | 1 1 + 0 - 0 !
7 files changed, 160 insertions(+), 8 deletions(-)

 [patch] validate user names and file paths

Prevent usage of illegal characters in user names and file paths.
Also, disallow unexpected symlinks in file paths.

This patch contains changes to common source files not applicable
to open-vm-tools.

All files being updated should be considered to have the copyright to
be updated to:

 * Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
 * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

The 2025 Broadcom copyright information update is not part of this
patch set to allow the patch to be easily applied to previous
open-vm-tools source releases.