Hi,

On Wed, Jun 18, 2025 at 09:04:55AM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: udis...@packages.debian.org, Utopia Maintenance Team
> <pkg-utopia-maintain...@lists.alioth.debian.org>, Michael Biebl
> <bi...@debian.org>, car...@debian.org
> Control: affects -1 + src:udisks2
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Hi Release Team,
>
> Please unblock package udisks2
>
> Along with the DSA and the unstable update for libblockdev (for
> CVE-2025-6019), a udisks2 adding additional hardening to enforce that
> private mounts are mounted with 'nodev,nosuid', was uploaded.
>
> unblock udisks2/2.10.1-12.1

Forgot the attachment, apologies.

Regards,
Salvatore
diff -Nru udisks2-2.10.1/debian/changelog udisks2-2.10.1/debian/changelog --- udisks2-2.10.1/debian/changelog 2025-02-25 12:57:07.000000000 +0100 +++ udisks2-2.10.1/debian/changelog 2025-06-09 16:29:29.000000000 +0200 @@ -1,3 +1,10 @@ +udisks2 (2.10.1-12.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * udiskslinuxfilesystemhelpers: Mount private mounts with 'nodev,nosuid' + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 09 Jun 2025 16:29:29 +0200 + udisks2 (2.10.1-12) unstable; urgency=medium * tests: Fix expected error message with util-linux 2.41. diff -Nru udisks2-2.10.1/debian/patches/series udisks2-2.10.1/debian/patches/series --- udisks2-2.10.1/debian/patches/series 2025-02-25 12:57:07.000000000 +0100 +++ udisks2-2.10.1/debian/patches/series 2025-06-09 16:28:38.000000000 +0200 @@ -3,3 +3,4 @@ Do-not-overwrite-CPPFLAGS.patch integration-test-Fix-change-label-test-with-exfatprogs-1..patch tests-Fix-expected-error-message-with-util-linux-2.41.patch +udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch diff -Nru udisks2-2.10.1/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch udisks2-2.10.1/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch --- udisks2-2.10.1/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch 1970-01-01 01:00:00.000000000 +0100 +++ udisks2-2.10.1/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch 2025-06-09 16:29:29.000000000 +0200 
@@ -0,0 +1,46 @@ +From 0007d5616f4dbc9ccd65b9094ffc18c6f776d06a Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek <tbza...@redhat.com> +Date: Wed, 4 Jun 2025 15:26:46 +0200 +Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with + 'nodev,nosuid' + +The private mount done in take_filesystem_ownership() should always +default to 'nodev,nosuid' for security and 'errors=remount-ro' for +selected filesystem to handle corrupted filesystem. This is consistent +with mount options calculation for regular mounts. +--- + src/udiskslinuxfilesystemhelpers.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/udiskslinuxfilesystemhelpers.c b/src/udiskslinuxfilesystemhelpers.c +index 7c5fc037..9eb7742c 100644 +--- a/src/udiskslinuxfilesystemhelpers.c ++++ b/src/udiskslinuxfilesystemhelpers.c +@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar *device, + + { + gchar *mountpoint = NULL; ++ const gchar *mount_opts; + GError *local_error = NULL; + gboolean unmount = FALSE; + gboolean success = TRUE; +@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar *device, + goto out; + } + ++ mount_opts = "nodev,nosuid"; ++ if (g_strcmp0 (fstype, "ext2") == 0 || ++ g_strcmp0 (fstype, "ext3") == 0 || ++ g_strcmp0 (fstype, "ext4") == 0 || ++ g_strcmp0 (fstype, "jfs") == 0) ++ mount_opts = "nodev,nosuid,errors=remount-ro"; ++ + /* TODO: mount to a private mount namespace */ +- if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error)) ++ if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error)) + { + g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED, + "Cannot mount %s at %s: %s", +-- +2.49.0 +
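Review bot: In the take_filesystem_ownership() hunk at @@ -151,8 +152,15 @@, the filesystem list that selects 'errors=remount-ro' (ext2, ext3, ext4, jfs) is hard-coded as a chain of g_strcmp0() calls, while the commit message says the result should be consistent with the mount options calculation for regular mounts. Two independent copies of that list can drift apart, so consider taking the options from the same helper or a shared constant. A short comment above `mount_opts = "nodev,nosuid";` stating that these flags are mandatory for this temporary mount would also help. The context line `/* TODO: mount to a private mount namespace */` is unchanged, so the namespace isolation it describes is still outstanding after this patch.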
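Review bot: The debian/changelog hunk sets urgency=high for a Security Team NMU, but the single item `* udiskslinuxfilesystemhelpers: Mount private mounts with 'nodev,nosuid'` gives no bug closure, advisory reference or upstream commit to justify it, so someone reading only the changelog cannot tell why the upload is urgent. Suggest adding that context to the entry. The new file under debian/patches likewise carries only the git format-patch header (From, Date, Subject); a DEP-3 Origin: field pointing at the upstream commit would make the provenance of the backport checkable.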