commit:     ce989574f5a86618ea4c389c9e1810c03c8b6a5e
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Jun 18 04:32:14 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 18 04:33:24 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce989574

sys-fs/udisks: patch CVE-2025-6019

Depend on a fixed version of libblockdev too.

Bug: https://bugs.gentoo.org/958338
Bug: https://bugs.gentoo.org/958339
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../udisks/files/udisks-2.10.1-CVE-2025-6019.patch |  43 ++++++
 sys-fs/udisks/udisks-2.10.1-r4.ebuild              | 149 +++++++++++++++++++++
 2 files changed, 192 insertions(+)

diff --git a/sys-fs/udisks/files/udisks-2.10.1-CVE-2025-6019.patch 
b/sys-fs/udisks/files/udisks-2.10.1-CVE-2025-6019.patch
new file mode 100644
index 000000000000..b4d468f6120a
--- /dev/null
+++ b/sys-fs/udisks/files/udisks-2.10.1-CVE-2025-6019.patch
@@ -0,0 +1,43 @@
+https://bugs.gentoo.org/958339
+https://www.openwall.com/lists/oss-security/2025/06/17/5
+https://www.openwall.com/lists/oss-security/2025/06/17/5/2
+
+From 0007d5616f4dbc9ccd65b9094ffc18c6f776d06a Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <[email protected]>
+Date: Wed, 4 Jun 2025 15:26:46 +0200
+Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with
+ 'nodev,nosuid'
+
+The private mount done in take_filesystem_ownership() should always
+default to 'nodev,nosuid' for security and 'errors=remount-ro' for
+selected filesystem to handle corrupted filesystem. This is consistent
+with mount options calculation for regular mounts.
+--- a/src/udiskslinuxfilesystemhelpers.c
++++ b/src/udiskslinuxfilesystemhelpers.c
+@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar  *device,
+ 
+ {
+   gchar *mountpoint = NULL;
++  const gchar *mount_opts;
+   GError *local_error = NULL;
+   gboolean unmount = FALSE;
+   gboolean success = TRUE;
+@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar  *device,
+               goto out;
+             }
+ 
++          mount_opts = "nodev,nosuid";
++          if (g_strcmp0 (fstype, "ext2") == 0 ||
++              g_strcmp0 (fstype, "ext3") == 0 ||
++              g_strcmp0 (fstype, "ext4") == 0 ||
++              g_strcmp0 (fstype, "jfs") == 0)
++            mount_opts = "nodev,nosuid,errors=remount-ro";
++
+           /* TODO: mount to a private mount namespace */
+-          if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, 
&local_error))
++          if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, 
&local_error))
+             {
+               g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
+                            "Cannot mount %s at %s: %s",
+-- 
+2.49.0
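Review bot: The `errors=remount-ro` decision is made by an inline chain of `g_strcmp0 (fstype, ...)` literals for ext2/ext3/ext4/jfs, and the patch description says this mirrors the option calculation for regular mounts; if that calculation lives in a shared helper elsewhere in udiskslinuxfilesystemhelpers.c, calling it here rather than repeating the list would keep the private-mount and regular-mount paths from drifting apart on the next filesystem added. The surviving `/* TODO: mount to a private mount namespace */` line means this mount is still performed in the shared namespace, so `nodev,nosuid` is what bounds exposure during the ownership-taking window; a comment such as `/* nodev,nosuid are a security boundary for this temporary mount; do not drop them */` next to `mount_opts = "nodev,nosuid";` would record that for future edits. take_filesystem_ownership begins and ends outside the hunk.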

diff --git a/sys-fs/udisks/udisks-2.10.1-r4.ebuild 
b/sys-fs/udisks/udisks-2.10.1-r4.ebuild
new file mode 100644
index 000000000000..a5b2abc2150f
--- /dev/null
+++ b/sys-fs/udisks/udisks-2.10.1-r4.ebuild
@@ -0,0 +1,149 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1 linux-info systemd tmpfiles udev xdg-utils
+
+DESCRIPTION="Daemon providing interfaces to work with storage devices"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/udisks";
+SRC_URI="https://github.com/storaged-project/udisks/releases/download/${P}/${P}.tar.bz2";
+
+LICENSE="LGPL-2+ GPL-2+"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~mips ~ppc64 ~riscv ~x86"
+IUSE="acl +daemon debug elogind +introspection lvm nls selinux systemd"
+
+REQUIRED_USE="
+       ?? ( elogind systemd )
+       elogind? ( daemon )
+       systemd? ( daemon )
+"
+
+COMMON_DEPEND="
+       >=sys-auth/polkit-0.114[daemon(+)]
+       >=sys-libs/libblockdev-3.3.0:=[cryptsetup,lvm?,nvme]
+       virtual/udev
+       acl? ( virtual/acl )
+       daemon? (
+               >=dev-libs/glib-2.68:2
+               >=dev-libs/libatasmart-0.19
+               >=dev-libs/libgudev-165:=
+       )
+       elogind? ( >=sys-auth/elogind-219 )
+       introspection? ( >=dev-libs/gobject-introspection-1.30:= )
+       lvm? ( sys-fs/lvm2 )
+       systemd? ( >=sys-apps/systemd-209 )
+"
+# util-linux -> mount, umount, swapon, swapoff (see also #403073)
+RDEPEND="${COMMON_DEPEND}
+       >=sys-block/parted-3
+       >=sys-apps/util-linux-2.30
+       selinux? ( sec-policy/selinux-devicekit )
+"
+DEPEND="${COMMON_DEPEND}
+       >=sys-kernel/linux-headers-3.1
+"
+BDEPEND="
+       app-text/docbook-xsl-stylesheets
+       >=dev-util/gdbus-codegen-2.32
+       >=dev-build/gtk-doc-am-1.3
+       virtual/pkgconfig
+       nls? ( >=sys-devel/gettext-0.19.8 )
+       dev-libs/gobject-introspection-common
+       dev-build/autoconf-archive
+"
+# If adding a eautoreconf, then these might be needed at buildtime:
+# dev-libs/gobject-introspection-common
+# dev-build/autoconf-archive
+
+DOCS=( AUTHORS HACKING NEWS README.md )
+
+PATCHES=(
+       "${FILESDIR}"/${P}-BLKRRPART_harder.patch
+       "${FILESDIR}"/${P}-targetcli_config.json_netif_timeout.patch
+       "${FILESDIR}"/${P}-udiskslinuxmanager_use_after_free.patch
+       "${FILESDIR}"/${P}-udiskslinuxblock_survive_missing_fstab.patch
+
+       "${FILESDIR}"/${PN}-2.10.1-slibtool-export-dynamic.patch
+       "${FILESDIR}"/${PN}-2.10.1-CVE-2025-6019.patch
+)
+
+pkg_setup() {
+       # Listing only major arch's here to avoid tracking kernel's defconfig
+       if use amd64 || use arm || use ppc || use ppc64 || use x86; then
+               CONFIG_CHECK="~!IDE" #319829
+               CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" #412377
+               CONFIG_CHECK+=" ~NLS_UTF8" #425562
+               kernel_is lt 3 10 && CONFIG_CHECK+=" ~USB_SUSPEND" #331065, 
#477278
+               linux-info_pkg_setup
+       fi
+}
+
+src_prepare() {
+       xdg_environment_reset
+       default
+
+       if ! use systemd ; then
+               sed -i -e 's:libsystemd-login:&disable:' configure || die
+       fi
+
+       # Added for bug # 782061
+       eautoreconf
+}
+
+src_configure() {
+       local myeconfargs=(
+               --enable-btrfs
+               --disable-gtk-doc
+               --disable-static
+               --localstatedir="${EPREFIX}"/var
+               --with-html-dir="${EPREFIX}"/usr/share/gtk-doc/html
+               --with-modprobedir="${EPREFIX}"/lib/modprobe.d
+               --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+               --with-tmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d
+               --with-udevdir="${EPREFIX}$(get_udevdir)"
+               $(use_enable acl)
+               $(use_enable daemon)
+               $(use_enable debug)
+               $(use_enable introspection)
+               $(use_enable lvm lvm2)
+               $(use_enable nls)
+       )
+       econf "${myeconfargs[@]}"
+}
+
+src_install() {
+       default
+       find "${ED}" -type f -name "*.la" -delete || die
+       keepdir /var/lib/udisks2 #383091
+
+       rm -rf "${ED}"/usr/share/bash-completion
+       dobashcomp data/completions/udisksctl
+}
+
+pkg_preinst() {
+       # Remove gtk-doc symlink, #597628
+       if [[ -L "${EROOT}"/usr/share/gtk-doc/html/udisks2 ]]; then
+               rm "${EROOT}"/usr/share/gtk-doc/html/udisks2 || die
+       fi
+}
+
+pkg_postinst() {
+       udev_reload
+
+       # TODO: obsolete with tmpfiles_process?
+       # mkdir -p "${EROOT}"/run #415987
+
+       tmpfiles_process udisks2.conf
+
+       # See pkg_postinst() of >=sys-apps/baselayout-2.1-r1. Keep in sync?
+       if ! grep -qs "^tmpfs.*/run " "${EROOT}"/proc/mounts ; then
+               echo
+               ewarn "You should reboot the system now to get /run mounted 
with tmpfs!"
+       fi
+}
+
+pkg_postrm() {
+       udev_reload
+}
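Review bot: `>=sys-libs/libblockdev-3.3.0:=[cryptsetup,lvm?,nvme]` in COMMON_DEPEND names no revision, so if the libblockdev fix the message refers to (bug 958338) was shipped as a revision bump of 3.3.0 rather than a new upstream release, an unpatched 3.3.0 still satisfies this ebuild and the CVE-2025-6019 fix on the udisks side can be paired with a vulnerable library; in that case the atom should read `>=sys-libs/libblockdev-3.3.0-r<FIXED_REV>:=[cryptsetup,lvm?,nvme]` with the actual fixed revision. A comment above the atom, e.g. `# floor for CVE-2025-6019, see bug 958338`, would make the reason for the version floor visible to the next bumper. Whether 3.3.0 itself is the patched version cannot be determined from this diff.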
