From 0908fca33f647d4852eeab47ff180d4c1d42f019 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Sat, 21 Jun 2025 11:53:27 +0800
Subject: [PATCH] Harden temporary private mounts (CVE-2025-6019)
---
...slinuxfilesystemhelpers_nodev,nosuid.patch | 28 +++++++++++++++++++
udisks2.spec | 6 +++-
2 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 udisks-2.9.0-udiskslinuxfilesystemhelpers_nodev,nosuid.patch
diff --git a/udisks-2.9.0-udiskslinuxfilesystemhelpers_nodev,nosuid.patch b/udisks-2.9.0-udiskslinuxfilesystemhelpers_nodev,nosuid.patch
new file mode 100644
index 0000000..58476fd
--- /dev/null
+++ b/udisks-2.9.0-udiskslinuxfilesystemhelpers_nodev,nosuid.patch
@@ -0,0 +1,28 @@
+diff --git a/src/udiskslinuxfilesystemhelpers.c b/src/udiskslinuxfilesystemhelpers.c
+index 040db1d..7c529aa 100644
+--- a/src/udiskslinuxfilesystemhelpers.c
++++ b/src/udiskslinuxfilesystemhelpers.c
+@@ -86,6 +86,7 @@ gboolean take_filesystem_ownership (const gchar *device,
+ {
+
+ gchar *mountpoint = NULL;
++ const gchar *mount_opts;
+ GError *local_error = NULL;
+ gboolean unmount = FALSE;
+ gboolean success = TRUE;
+@@ -114,7 +115,14 @@ gboolean take_filesystem_ownership (const gchar *device,
+ goto out;
+ }
+
+- if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error))
++ mount_opts = "nodev,nosuid";
++ if (g_strcmp0 (fstype, "ext2") == 0 ||
++ g_strcmp0 (fstype, "ext3") == 0 ||
++ g_strcmp0 (fstype, "ext4") == 0 ||
++ g_strcmp0 (fstype, "jfs") == 0)
++ mount_opts = "nodev,nosuid,errors=remount-ro";
++
++ if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error))
+ {
+ g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
+ "Cannot mount %s at %s: %s",
diff --git a/udisks2.spec b/udisks2.spec
index fb5456d..0936fe1 100644
--- a/udisks2.spec
+++ b/udisks2.spec
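Review bot: The new `mount_opts` selection in the embedded `take_filesystem_ownership` hunk (the second `@@` inside the added .patch file) has no comment saying why these options are forced, so a later cleanup could drop them without noticing that they are the security fix. Above `mount_opts = "nodev,nosuid";` I would add `/* private temporary mount of a caller-supplied filesystem: never honour setuid bits or device nodes found on it */`, plus one line on the ext2/ext3/ext4/jfs branch saying that `errors=remount-ro` is set explicitly, presumably so that the error policy stored on the disk does not decide what happens on a corrupted image. The hunk covers only the `bd_fs_mount` call in this function, whose body starts and ends outside the hunk. Whether other temporary mounts made on behalf of the caller (for example inside libblockdev) get the same options cannot be seen from this patch and is worth confirming before CVE-2025-6019 is treated as closed for the package.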
@@ -59,7 +59,7 @@ Name: udisks2 Summary: Disk Manager Version: 2.9.0 -Release: 7 +Release: 8 License: GPL-2.0+ and LGPL-2.0+ Group: System Environment/Libraries URL: https://github.com/storaged-project/udisks @@ -70,6 +70,7 @@ Patch2: 0002-CVE-2021-3802.patch Patch3: 0003-udiskslinuxmountoptions-Do-not-free-static-daemon-resources.patch Patch4: 0004-udisksctl-Guard-object-lookup.patch Patch5: 0005-udiskslinuxmanager-use-dbus-interface-after-free.patch +Patch6: udisks-2.9.0-udiskslinuxfilesystemhelpers_nodev,nosuid.patch BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version} @@ -441,6 +442,9 @@ udevadm trigger %endif %changelog +* Sat Jun 21 2025 Funda Wang - 2.9.0-8 +- Harden temporary private mounts (CVE-2025-6019) + * Tue Jun 18 2024 cenhuilin - 2.9.0-7 - udiskslinuxmanager:use dbus interface after free -- Gitee