diff --git a/0004-fix-CVE-2025-6019-udiskslinuxfilesystemhelpers-mount-with-nosuid-nodev.patch b/0004-fix-CVE-2025-6019-udiskslinuxfilesystemhelpers-mount-with-nosuid-nodev.patch
new file mode 100644
index 0000000000000000000000000000000000000000..230327e323991d6778ce900a7ee78b860c5d7345
--- /dev/null
+++ b/0004-fix-CVE-2025-6019-udiskslinuxfilesystemhelpers-mount-with-nosuid-nodev.patch
@@ -0,0 +1,46 @@
+From 5e7277debea926370e587408517560afe87d28c9 Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek
+Date: Wed, 4 Jun 2025 15:26:46 +0200
+Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with
+ 'nodev,nosuid'
+
+The private mount done in take_filesystem_ownership() should always
+default to 'nodev,nosuid' for security and 'errors=remount-ro' for
+selected filesystem types to handle an corrupted filesystem. This is
+consistent with mount options calculation for regular mounts.
+---
+ src/udiskslinuxfilesystemhelpers.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxfilesystemhelpers.c b/src/udiskslinuxfilesystemhelpers.c
+index 7c5fc037..9eb7742c 100644
+--- a/src/udiskslinuxfilesystemhelpers.c
++++ b/src/udiskslinuxfilesystemhelpers.c
+@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar *device,
+
+ {
+ gchar *mountpoint = NULL;
++ const gchar *mount_opts;
+ GError *local_error = NULL;
+ gboolean unmount = FALSE;
+ gboolean success = TRUE;
+@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar *device,
+ goto out;
+ }
+
++ mount_opts = "nodev,nosuid";
++ if (g_strcmp0 (fstype, "ext2") == 0 ||
++ g_strcmp0 (fstype, "ext3") == 0 ||
++ g_strcmp0 (fstype, "ext4") == 0 ||
++ g_strcmp0 (fstype, "jfs") == 0)
++ mount_opts = "nodev,nosuid,errors=remount-ro";
++
+ /* TODO: mount to a private mount namespace */
+- if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error))
++ if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error))
+ {
+ g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
+ "Cannot mount %s at %s: %s",
+--
+2.33.0
+
diff --git a/udisks2.spec b/udisks2.spec
index bbf469c456b1872b2b1d49a2ad62892726304ee2..048f389a5be07b128402e364d47e9ae36a279c7a 100644
--- a/udisks2.spec
+++ b/udisks2.spec
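Review bot: The option string built before `bd_fs_mount()` in the second inner hunk stops at `nodev,nosuid`, and the `/* TODO: mount to a private mount namespace */` directly below it is left open, so the temporary mount is presumably still made in the shared namespace with its files executable. If this mount exists only to change ownership of the filesystem root, as the function name suggests, adding `noexec` costs nothing: `mount_opts = "nodev,nosuid,noexec";` and `mount_opts = "nodev,nosuid,noexec,errors=remount-ro";`. The ext2/ext3/ext4/jfs list is also a second copy of what the commit message calls the mount options calculation for regular mounts; that code is not visible here, but a shared helper or a comment pointing at it would keep the two from drifting apart. `take_filesystem_ownership()` starts and ends outside both inner hunks.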
@@ -19,7 +19,7 @@ Name: udisks2 Summary: Disk Manager Version: 2.10.1 -Release: 4 +Release: 5 License: GPL-2.0+ and LGPL-2.0+ Group: System Environment/Libraries URL: https://github.com/storaged-project/udisks @@ -28,6 +28,7 @@ Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{v Patch0001: 0001-mdraid-Expose-consistency_policy-sysfs-value.patch Patch0002: 0002-udiskslinuxmanager-use-dbus-interface-after-free.patch Patch0003: 0003-udiskslinuxblock-Fix-leaking-string.patch +Patch0004: 0004-fix-CVE-2025-6019-udiskslinuxfilesystemhelpers-mount-with-nosuid-nodev.patch BuildRequires: make BuildRequires: glib2-devel >= %{glib2_version} @@ -318,6 +319,9 @@ fi %changelog +* Mon Jun 23 2025 zhangjian - 2.10.1-5 +- fix CVE-2025-6019 + * Tue Aug 13 2024 cenhuilin - 2.10.1-4 - udiskslinuxblock: Fix leaking string