From cc88298240d9f530be76abed174322a96b45e6cd Mon Sep 17 00:00:00 2001
From: qhw01063182 <qhw01063182@alibaba-inc.com>
Date: Fri, 20 Jun 2025 16:16:22 +0800
Subject: [PATCH] Fix CVE-2025-6019

Signed-off-by: qhw01063182 <qhw01063182@alibaba-inc.com>
---
 ..._allow_suid_and_dev_set_on_fs_resize.patch | 23 +++++++++++++++++++
 libblockdev.spec                              |  7 +++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 0006-dont_allow_suid_and_dev_set_on_fs_resize.patch

diff --git a/0006-dont_allow_suid_and_dev_set_on_fs_resize.patch b/0006-dont_allow_suid_and_dev_set_on_fs_resize.patch
new file mode 100644
index 0000000..dc18980
--- /dev/null
+++ b/0006-dont_allow_suid_and_dev_set_on_fs_resize.patch
@@ -0,0 +1,23 @@
+From 46b54414f66e965e3c37f8f51e621f96258ae22e Mon Sep 17 00:00:00 2001
+From: Thomas Blume <Thomas.Blume@suse.com>
+Date: Fri, 16 May 2025 14:27:10 +0200
+Subject: [PATCH] Don't allow suid and dev set on fs resize
+
+Fixes: CVE-2025-6019
+---
+ src/plugins/fs/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/fs/generic.c b/src/plugins/fs/generic.c
+index 69333944..4a0c7cf8 100644
+--- a/src/plugins/fs/generic.c
++++ b/src/plugins/fs/generic.c
+@@ -649,7 +649,7 @@ static gchar* fs_mount (const gchar *device, gchar *fstype, gboolean read_only,
+                              "Failed to create temporary directory for mounting '%s'.", device);
+                 return NULL;
+             }
+-            ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "ro" : NULL, NULL, &l_error);
++            ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "nosuid,nodev,ro" : "nosuid,nodev", NULL, &l_error);
+             if (!ret) {
+                 g_propagate_prefixed_error (error, l_error, "Failed to mount '%s': ", device);
+                 g_rmdir (mountpoint);
diff --git a/libblockdev.spec b/libblockdev.spec
index 8143b0e..3dd2347 100644
--- a/libblockdev.spec
+++ b/libblockdev.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 %define with_python2 1
 %define with_python3 1
 %define with_gtk_doc 1
@@ -125,7 +126,7 @@
 
 Name:        libblockdev
 Version:     2.28
-Release:     6%{?dist}
+Release:     6%{anolis_release}%{?dist}
 Summary:     A library for low-level manipulation with block devices
 License:     LGPLv2+
 URL:         https://github.com/storaged-project/libblockdev
@@ -135,6 +136,7 @@ Patch1:      0002-tests-Fix-test_swapon_pagesize-on-systems-with-64k-p.patch
 Patch2:      0003-part-Fix-segfault-when-adding-a-partition-too-big-fo.patch
 Patch3:      0004-lvm-Add-a-function-to-activate-LVs-in-shared-mode.patch
 Patch4:      0005-lvm-Add-support-for-starting-and-stopping-VG-locking.patch
+Patch5:      0006-dont_allow_suid_and_dev_set_on_fs_resize.patch
 
 BuildRequires: make
 BuildRequires: glib2-devel
@@ -991,6 +993,9 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 %files plugins-all
 
 %changelog
+* Fri Jun 20 2025 Hong Wei Qin <qhw01063182@alibaba-inc.com> - 2.28-10.1
+- Fix CVE-2025-6019
+
 * Wed Nov 08 2023 Vojtech Trefny <vtrefny@redhat.com> - 2.28-10
 - lvm: Add support for starting and stopping VG locking
   Resolves: RHEL-15923
-- 
Gitee