Bug 34271 - open-vm-tools new security issue CVE-2025-22247
Summary: open-vm-tools new security issue CVE-2025-22247
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-05-13 10:13 CEST by Nicolas Salguero
Modified: 2025-05-27 20:47 CEST (History)
3 users (show)

See Also:
Source RPM: open-vm-tools-12.3.5-2.mga9.src.rpm
CVE: CVE-2025-22247
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-05-13 10:13:55 CEST 
CVE-2025-22247 was announced here:
https://www.openwall.com/lists/oss-security/2025/05/12/2
Comment 1 Nicolas Salguero 2025-05-13 10:15:31 CEST 
Upstream fix: https://github.com/vmware/open-vm-tools/tree/CVE-2025-22247.patch

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => open-vm-tools-12.4.5-3.mga10.src.rpm, open-vm-tools-12.3.5-2.mga9.src.rpm
CVE: (none) => CVE-2025-22247
Status comment: (none) => Patch available from upstream

Comment 2 Lewis Smith 2025-05-13 21:02:10 CEST 
Assigning directly to you, David, as you seem to be by far the main commiter of this package.

Assignee: bugsquad => geiger.david68210

Comment 3 Nicolas Salguero 2025-05-21 10:47:14 CEST 
Fedora has issued an advisory on May 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDQBVVMNJB6EXDLSUNBCHZTNRBLXJEFU/

Status comment: Patch available from upstream => Patch available from upstream and fixed upstream in 12.5.2

Comment 4 Nicolas Salguero 2025-05-23 11:29:52 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM. (CVE-2025-22247)

References:
https://www.openwall.com/lists/oss-security/2025/05/12/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDQBVVMNJB6EXDLSUNBCHZTNRBLXJEFU/
========================

Updated packages in core/updates_testing:
========================
open-vm-tools-12.3.5-2.1.mga9
open-vm-tools-desktop-12.3.5-2.1.mga9
open-vm-tools-devel-12.3.5-2.1.mga9
open-vm-tools-salt-minion-12.3.5-2.1.mga9
open-vm-tools-sdmp-12.3.5-2.1.mga9
open-vm-tools-test-12.3.5-2.1.mga9

from SRPM:
open-vm-tools-12.3.5-2.1.mga9.src.rpm

Source RPM: open-vm-tools-12.4.5-3.mga10.src.rpm, open-vm-tools-12.3.5-2.mga9.src.rpm => open-vm-tools-12.3.5-2.mga9.src.rpm
Status comment: Patch available from upstream and fixed upstream in 12.5.2 => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: geiger.david68210 => qa-bugs

katnatek 2025-05-23 19:26:31 CEST

Keywords: (none) => advisory

Comment 5 Herman Viaene 2025-05-26 11:13:25 CEST 
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 32454, OK on clean install.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2025-05-27 03:01:26 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2025-05-27 20:47:24 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0166.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.