Hello community,

here is the log from the commit of package udisks2 for openSUSE:Factory checked in at 2026-02-27 17:01:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/udisks2 (Old)
 and      /work/SRC/openSUSE:Factory/.udisks2.new.29461 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "udisks2" Fri Feb 27 17:01:35 2026 rev:58 rq:1335266 version:2.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/udisks2/udisks2.changes 2026-02-14 21:36:21.046255799 +0100 +++ /work/SRC/openSUSE:Factory/.udisks2.new.29461/udisks2.changes 2026-02-27 17:02:53.818679451 +0100 @@ -1,0 +2,10 @@ +Thu Feb 26 09:31:26 UTC 2026 - Thomas Blume <[email protected]> + +- (CVE-2026-26104) VUL-0: missing authorization check in `handle_header_backup` + (bsc#1258867) + + add 0001-udiskslinuxencrypted-Add-missing-polkit-check-for-He.patch +- (CVE-2026-26103) VUL-0: missing authorization check in `handle_restore_encrypted_header` + (bsc#1258868) + + add 0001-udiskslinuxblock-Add-missing-polkit-check-for-Restor.patch + +------------------------------------------------------------------- New: ---- 0001-udiskslinuxblock-Add-missing-polkit-check-for-Restor.patch 0001-udiskslinuxencrypted-Add-missing-polkit-check-for-He.patch ----------(New B)---------- New: (bsc#1258868) + add 0001-udiskslinuxblock-Add-missing-polkit-check-for-Restor.patch New: (bsc#1258867) + add 0001-udiskslinuxencrypted-Add-missing-polkit-check-for-He.patch - (CVE-2026-26103) VUL-0: missing authorization check in `handle_restore_encrypted_header` ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ udisks2.spec ++++++ --- /var/tmp/diff_new_pack.udOi7P/_old 2026-02-27 17:02:54.642713647 +0100 +++ /var/tmp/diff_new_pack.udOi7P/_new 2026-02-27 17:02:54.646713813 +0100 @@ -35,6 +35,8 @@ Patch0: harden_udisks2.service.patch Patch1: 0001-move-config-files-to-usr-etc.patch +Patch2: 0001-udiskslinuxencrypted-Add-missing-polkit-check-for-He.patch +Patch3: 0001-udiskslinuxblock-Add-missing-polkit-check-for-Restor.patch %if 0%{?suse_version} > 1500 BuildRequires: autoconf BuildRequires: automake ++++++ 0001-udiskslinuxblock-Add-missing-polkit-check-for-Restor.patch ++++++ 
>From baa7b9820e4dfc5ba813eee03b3ae37acb31e570 Mon Sep 17 00:00:00 2001 From: Tomas Bzatek <[email protected]> Date: Fri, 13 Feb 2026 16:11:54 +0100 Subject: [PATCH] udiskslinuxblock: Add missing polkit check for RestoreEncryptedHeader() The handle_restore_encrypted_header() method call handler was missing a polkit authorization check, allowing unprivileged local users to freely invoke this D-Bus method. CVE-ID: CVE-2026-26103 Reported-by: Asim Viladi Oglu Manizada <[email protected]> --- src/udiskslinuxblock.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/udiskslinuxblock.c b/src/udiskslinuxblock.c index 174efe2a..55703f92 100644 --- a/src/udiskslinuxblock.c +++ b/src/udiskslinuxblock.c @@ -4244,6 +4244,7 @@ handle_restore_encrypted_header (UDisksBlock *encrypted, UDisksBlock *block; UDisksDaemon *daemon; UDisksState *state = NULL; + const gchar *action_id; uid_t caller_uid; GError *error = NULL; UDisksBaseJob *job = NULL; 
@@ -4268,6 +4269,33 @@ handle_restore_encrypted_header (UDisksBlock *encrypted, goto out; } + action_id = "org.freedesktop.udisks2.modify-device"; + if (!udisks_daemon_util_setup_by_user (daemon, object, caller_uid)) + { + if (udisks_block_get_hint_system (block)) + { + action_id = "org.freedesktop.udisks2.modify-device-system"; + } + else if (!udisks_daemon_util_on_user_seat (daemon, object, caller_uid)) + { + action_id = "org.freedesktop.udisks2.modify-device-other-seat"; + } + } + + if (!udisks_daemon_util_check_authorization_sync (daemon, + object, + action_id, + options, + /* Translators: Shown in authentication dialog when restoring + * a LUKS header on a device. + * + * Do not translate $(device.name), it's a placeholder and will + * be replaced by the name of the drive/device in question + */ + N_("Authentication is required to restore the encrypted header on $(device.name)"), + invocation)) + goto out; + job = udisks_daemon_launch_simple_job (daemon, UDISKS_OBJECT (object), "block-restore-encrypted-header", -- 2.53.0 ++++++ 0001-udiskslinuxencrypted-Add-missing-polkit-check-for-He.patch ++++++ >From cd946e277702e3ebd22a15057a83d7336dfbeaf5 Mon Sep 17 00:00:00 2001 From: Tomas Bzatek <[email protected]> Date: Fri, 13 Feb 2026 17:07:53 +0100 Subject: [PATCH] udiskslinuxencrypted: Add missing polkit check for HeaderBackup() The handle_header_backup() method call handler was missing a polkit authorization check, allowing unprivileged local users to freely invoke this D-Bus method. CVE-ID: CVE-2026-26104 Reported-by: Asim Viladi Oglu Manizada <[email protected]> --- src/udiskslinuxencrypted.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/udiskslinuxencrypted.c b/src/udiskslinuxencrypted.c index 7d9176d3..dd7664cc 100644 --- a/src/udiskslinuxencrypted.c +++ b/src/udiskslinuxencrypted.c 
@@ -1371,6 +1371,7 @@ handle_header_backup (UDisksEncrypted *encrypted, UDisksBlock *block; UDisksDaemon *daemon; UDisksState *state = NULL; + const gchar *action_id; uid_t caller_uid; GError *error = NULL; UDisksBaseJob *job = NULL; @@ -1407,6 +1408,24 @@ handle_header_backup (UDisksEncrypted *encrypted, goto out; } + action_id = "org.freedesktop.udisks2.open-device"; + if (udisks_block_get_hint_system (block)) + action_id = "org.freedesktop.udisks2.open-device-system"; + + if (!udisks_daemon_util_check_authorization_sync (daemon, + object, + action_id, + options, + /* Translators: Shown in authentication dialog when backing up + * a LUKS header of a device. + * + * Do not translate $(device.name), it's a placeholder and will + * be replaced by the name of the drive/device in question + */ + N_("Authentication is required to back up the encrypted header of $(device.name)"), + invocation)) + goto out; + job = udisks_daemon_launch_simple_job (daemon, UDISKS_OBJECT (object), "encrypted-header-backup", -- 2.53.0
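Review bot: In the udisks2.spec hunk (@@ -35,6 +35,8 @@) only the Patch2: and Patch3: tags are added and no %prep change is visible, so whether the two CVE fixes are actually applied depends on how the spec applies its patches. If %prep lists patches one by one rather than applying all of them automatically, matching entries for Patch2 and Patch3 are needed; otherwise the package builds with both files present but unapplied. Confirm in the build log that both patches are applied.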
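Review bot: In the second hunk of 0001-udiskslinuxblock-Add-missing-polkit-check-for-Restor.patch (@@ -4268,6 +4269,33 @@) the authorization check arrives without a test: the diffstat shows only src/udiskslinuxblock.c changed. A regression test that calls RestoreEncryptedHeader() as a caller without authorization and expects the call to be rejected would keep this check from being dropped in a later refactor. Placement is right, since the check sits before udisks_daemon_launch_simple_job() and no job starts ahead of authorization. The modify-device / modify-device-system / modify-device-other-seat selection is open-coded here; if other handlers in this file make the same three-way choice, a shared helper would make a handler that lacks it easier to spot.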
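Review bot: In the second hunk of 0001-udiskslinuxencrypted-Add-missing-polkit-check-for-He.patch (@@ -1407,6 +1408,24 @@) the action selection is narrower than in the RestoreEncryptedHeader() fix: it only switches between open-device and open-device-system on udisks_block_get_hint_system(), with no udisks_daemon_util_setup_by_user() or udisks_daemon_util_on_user_seat() test, so a caller on another seat is evaluated against the same action as one on the local seat. If that is intentional, a short comment in the code saying why would help; otherwise mirror the seat-aware selection used in handle_restore_encrypted_header(). As with the other patch, the diffstat shows only the source file changed, so a test for the rejected-caller path is missing.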
