
Bug#1107968: marked as done (unblock: libblockdev/3.3.0-2.1)



Your message dated Wed, 18 Jun 2025 10:34:06 +0000
with message-id <E1uRq7K-005Mqy-1u@respighi.debian.org>
and subject line unblock libblockdev
has caused the Debian Bug report #1107968,
regarding unblock: libblockdev/3.3.0-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107968: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107968
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libblockdev@packages.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>, Michael Biebl <biebl@debian.org>, carnil@debian.org
Control: affects -1 + src:libblockdev
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package libblockdev

libblockdev is affected by CVE-2025-6019, a local privilege escalation
to root which can be exploited via the udisks2 daemon. We have
released DSA 5943-1 yesterday for it.

unblock libblockdev/3.3.0-2.1

and if possible let it migrate rather soon into testing.

Regards,
Salvatore
diff -Nru libblockdev-3.3.0/debian/changelog libblockdev-3.3.0/debian/changelog
--- libblockdev-3.3.0/debian/changelog	2025-02-27 22:12:11.000000000 +0100
+++ libblockdev-3.3.0/debian/changelog	2025-06-09 15:06:46.000000000 +0200
@@ -1,3 +1,10 @@
+libblockdev (3.3.0-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * dont allow suid and dev set on fs resize (CVE-2025-6019)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 09 Jun 2025 15:06:46 +0200
+
 libblockdev (3.3.0-2) unstable; urgency=medium
 
   * autopkgtest: Add dependency on vdo.
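Review bot: The new changelog entry at the top of this hunk repeats the upstream subject ("dont allow suid and dev set on fs resize") without saying what changed or naming the patch that was added. Wording such as "Mount on the temporary mountpoint with nosuid,nodev (CVE-2025-6019)", plus the file name dont-allow-suid-and-dev-set-on-fs-resize.patch, would let someone reading only the changelog see what the upload does.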
diff -Nru libblockdev-3.3.0/debian/patches/dont-allow-suid-and-dev-set-on-fs-resize.patch libblockdev-3.3.0/debian/patches/dont-allow-suid-and-dev-set-on-fs-resize.patch
--- libblockdev-3.3.0/debian/patches/dont-allow-suid-and-dev-set-on-fs-resize.patch	1970-01-01 01:00:00.000000000 +0100
+++ libblockdev-3.3.0/debian/patches/dont-allow-suid-and-dev-set-on-fs-resize.patch	2025-06-09 15:06:46.000000000 +0200
@@ -0,0 +1,27 @@
+From 8e072f794744bd17c57cceabb3884d3f0f6a1602 Mon Sep 17 00:00:00 2001
+From: Thomas Blume <Thomas.Blume@suse.com>
+Date: Fri, 16 May 2025 14:27:10 +0200
+Subject: [PATCH] dont allow suid and dev set on fs resize
+
+---
+ src/plugins/fs/generic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/fs/generic.c b/src/plugins/fs/generic.c
+index 69333944..1a6dd960 100644
+--- a/src/plugins/fs/generic.c
++++ b/src/plugins/fs/generic.c
+@@ -683,7 +683,9 @@ static gchar* fs_mount (const gchar *device, gchar *fstype, gboolean read_only,
+                              "Failed to create temporary directory for mounting '%s'.", device);
+                 return NULL;
+             }
+-            ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "ro" : NULL, NULL, &l_error);
++
++            ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "nosuid,nodev,ro" : "nosuid,nodev", NULL, &l_error);
++
+             if (!ret) {
+                 g_propagate_prefixed_error (error, l_error, "Failed to mount '%s': ", device);
+                 g_rmdir (mountpoint);
+-- 
+2.48.1
+
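Review bot: The option strings passed to bd_fs_mount in fs_mount() are bare literals repeated in both arms of the ternary, and nothing at the call says why this mount must be nosuid,nodev. Since that one line is the whole fix for CVE-2025-6019, a short comment at the call site would keep a later refactor from dropping the flags, and building the string once (the base options plus an optional ",ro") would stop the two arms drifting apart. The patch header has only From/Date/Subject with no body and no DEP-3 fields such as Origin, so the link to the CVE is recorded only in debian/changelog. The two blank lines added around the call are unrelated whitespace and could be dropped.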
diff -Nru libblockdev-3.3.0/debian/patches/series libblockdev-3.3.0/debian/patches/series
--- libblockdev-3.3.0/debian/patches/series	2025-02-27 22:12:11.000000000 +0100
+++ libblockdev-3.3.0/debian/patches/series	2025-06-09 15:06:46.000000000 +0200
@@ -1 +1,2 @@
 Skip-smartmontools-integration-test.patch
+dont-allow-suid-and-dev-set-on-fs-resize.patch

--- End Message ---
--- Begin Message ---
Unblocked libblockdev.

--- End Message ---
