commit: 16072fc78769f65e1a5af36aefeaf4f88f4aefb1 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Wed Jun 18 04:28:43 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Wed Jun 18 04:33:18 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16072fc7
sys-libs/libblockdev: patch CVE-2025-6019 Quoting myself on the bug: > This is from https://www.openwall.com/lists/oss-security/2025/06/17/4 but > it's a little complicated in that it relies on a privilege escalation bug > from unprivileged -> polkit 'allow_active' (bug 958338) that we aren't > affected by. > > But nonetheless, supposing such another such LPE exists, this could form > part of a chain from 'allow_active' -> root, so it still matters. My intention is not to rush stabling 3.3.0 as just bumped to it (that commit bumping to 3.3.0 lands in the same push as this) and we were a bit behind before so want to give a little bit of time for any regressions to be reported. Combined with the above, we don't need to hurry s.t. we do it with no time in ~arch at all. Bug: https://bugs.gentoo.org/958338 Bug: https://bugs.gentoo.org/958339 Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/libblockdev-3.3.0-CVE-2025-6019.patch | 24 ++++++++++++++++++++++ sys-libs/libblockdev/libblockdev-3.3.0.ebuild | 1 + 2 files changed, 25 insertions(+)
diff --git a/sys-libs/libblockdev/files/libblockdev-3.3.0-CVE-2025-6019.patch b/sys-libs/libblockdev/files/libblockdev-3.3.0-CVE-2025-6019.patch
new file mode 100644
index 000000000000..f893e0ab00e9
--- /dev/null
+++ b/sys-libs/libblockdev/files/libblockdev-3.3.0-CVE-2025-6019.patch
@@ -0,0 +1,24 @@
+https://bugs.gentoo.org/958339
+https://www.openwall.com/lists/oss-security/2025/06/17/5
+https://www.openwall.com/lists/oss-security/2025/06/17/5/1
+
+From 8e072f794744bd17c57cceabb3884d3f0f6a1602 Mon Sep 17 00:00:00 2001
+From: Thomas Blume <[email protected]>
+Date: Fri, 16 May 2025 14:27:10 +0200
+Subject: [PATCH] dont allow suid and dev set on fs resize
+
+--- a/src/plugins/fs/generic.c
++++ b/src/plugins/fs/generic.c
+@@ -683,7 +683,9 @@ static gchar* fs_mount (const gchar *device, gchar *fstype, gboolean read_only,
+ "Failed to create temporary directory for mounting '%s'.", device);
+ return NULL;
+ }
+- ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "ro" : NULL, NULL, &l_error);
++
++ ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "nosuid,nodev,ro" : "nosuid,nodev", NULL, &l_error);
++
+ if (!ret) {
+ g_propagate_prefixed_error (error, l_error, "Failed to mount '%s': ", device);
+ g_rmdir (mountpoint);
+--
+2.48.1
diff --git a/sys-libs/libblockdev/libblockdev-3.3.0.ebuild b/sys-libs/libblockdev/libblockdev-3.3.0.ebuild
index a9e3c3e39b47..be228419698f 100644
--- a/sys-libs/libblockdev/libblockdev-3.3.0.ebuild
+++ b/sys-libs/libblockdev/libblockdev-3.3.0.ebuild
@@ -88,6 +88,7 @@ PATCHES=(
 "${FILESDIR}/${PN}-3.3.0-fix-bashism.patch"
 "${FILESDIR}/${PN}-3.3.0-tests-skip-vdo.patch"
 "${FILESDIR}/${PN}-3.3.0-tests-nvme.patch"
+ "${FILESDIR}/${PN}-3.3.0-CVE-2025-6019.patch"
 )
 
 pkg_setup() {
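Review bot: The hardened bd_fs_mount call in the nested hunk of libblockdev-3.3.0-CVE-2025-6019.patch adds `nosuid,nodev` but still leaves the temporary mount executable; since fs_mount only needs the filesystem attached for the resize, `noexec` looks like a free extra restriction, though that should be confirmed against the resize path and with upstream rather than assumed. The change is scoped to fs_mount in src/plugins/fs/generic.c (its body begins and ends outside the hunk), so any other code path that mounts a caller-supplied device, if one exists, is not covered by this backport. The new line reads as an ordinary option string, so a one-line why-comment would help the next maintainer not "simplify" it back, e.g. `/* the device is caller-controlled: never honour suid bits or device nodes on this temporary mount */`. The two blank lines inserted around the call are cosmetic and could be dropped to keep the backport minimal.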
