diff mbox series

[kirkstone,meta-oe,2/2] udisks2: Hardening measure of CVE-2025-6019

Message ID 20250703110329.860545-2-changqing.li@windriver.com
State New
Headers show
Series [kirkstone,meta-oe,1/2] libblockdev: fix CVE-2025-6019 | expand

Commit Message

Changqing Li July 3, 2025, 11:03 a.m. UTC 
From: Changqing Li <changqing.li@windriver.com>

Refer [1], CVE-2025-6019 is strongly related to udisk daemon, and
this is a hardening measure related to this.

[1] https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
[2] https://security-tracker.debian.org/tracker/CVE-2025-6019
[3] https://ubuntu.com/blog/udisks-libblockdev-lpe-vulnerability-fixes-available

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../udisks/udisks2/CVE-2025-6019.patch        | 51 +++++++++++++++++++
 .../recipes-support/udisks/udisks2_2.9.4.bb   |  3 +-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/udisks/udisks2/CVE-2025-6019.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/udisks/udisks2/CVE-2025-6019.patch b/meta-oe/recipes-support/udisks/udisks2/CVE-2025-6019.patch
new file mode 100644
index 0000000000..2e94c8497f
--- /dev/null
+++ b/meta-oe/recipes-support/udisks/udisks2/CVE-2025-6019.patch
@@ -0,0 +1,51 @@ 
+From d0d04a381036b79df91616552706d515639bb762 Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Wed, 4 Jun 2025 15:26:46 +0200
+Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with
+ 'nodev,nosuid'
+
+The private mount done in take_filesystem_ownership() should always
+default to 'nodev,nosuid' for security and 'errors=remount-ro' for
+selected filesystem types to handle an corrupted filesystem. This is
+consistent with mount options calculation for regular mounts.
+
+CVE: CVE-2025-6019
+Upstream-Status: Backport [ https://github.com/storaged-project/udisks/commit/5e7277debea926370e587408517560afe87d28c9 ]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/udiskslinuxfilesystemhelpers.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxfilesystemhelpers.c b/src/udiskslinuxfilesystemhelpers.c
+index 7c5fc037..9eb7742c 100644
+--- a/src/udiskslinuxfilesystemhelpers.c
++++ b/src/udiskslinuxfilesystemhelpers.c
+@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar  *device,
+ 
+ {
+   gchar *mountpoint = NULL;
++  const gchar *mount_opts;
+   GError *local_error = NULL;
+   gboolean unmount = FALSE;
+   gboolean success = TRUE;
+@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar  *device,
+               goto out;
+             }
+ 
++          mount_opts = "nodev,nosuid";
++          if (g_strcmp0 (fstype, "ext2") == 0 ||
++              g_strcmp0 (fstype, "ext3") == 0 ||
++              g_strcmp0 (fstype, "ext4") == 0 ||
++              g_strcmp0 (fstype, "jfs") == 0)
++            mount_opts = "nodev,nosuid,errors=remount-ro";
++
+           /* TODO: mount to a private mount namespace */
+-          if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error))
++          if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error))
+             {
+               g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
+                            "Cannot mount %s at %s: %s",
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb b/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
index 3de5557238..10d564658c 100644
--- a/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
+++ b/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
@@ -17,7 +17,8 @@  DEPENDS += "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
 
 RDEPENDS:${PN} = "acl"
 
-SRC_URI = "git://github.com/storaged-project/udisks.git;branch=2.9.x-branch;protocol=https"
+SRC_URI = "git://github.com/storaged-project/udisks.git;branch=2.9.x-branch;protocol=https \
+           file://CVE-2025-6019.patch "
 SRCREV = "001c486e6d099ed33e2de4f5c73c03e3ee180f81"
 S = "${WORKDIR}/git"