From 0d8eb5d892cf8a59a977b411b6265f0f390d5f87 Mon Sep 17 00:00:00 2001
From: Tomas Bzatek <tbzatek@redhat.com>
Date: Tue, 2 Sep 2025 18:21:19 +0200
Subject: [PATCH] * Tue Sep 02 2025 Tomas Bzatek <tbzatek@redhat.com> -
 2.10.90-6 - udiskslinuxmanager: Add lower bounds check to fd_index
 (CVE-2025-8067)

Resolves: RHEL-109406
---
 ...-2.10.91-manager_loopsetup_fd_bounds.patch | 29 +++++++++++++++++++
 udisks2.spec                                  |  7 ++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 udisks-2.10.91-manager_loopsetup_fd_bounds.patch

diff --git a/udisks-2.10.91-manager_loopsetup_fd_bounds.patch b/udisks-2.10.91-manager_loopsetup_fd_bounds.patch
new file mode 100644
index 0000000..f659e05
--- /dev/null
+++ b/udisks-2.10.91-manager_loopsetup_fd_bounds.patch
@@ -0,0 +1,29 @@
+From 55e36ef2af4fbfc92aab5cef50a69123e321f9f1 Mon Sep 17 00:00:00 2001
+From: Marc Deslauriers <marc.deslauriers@canonical.com>
+Date: Tue, 15 Jul 2025 13:34:08 -0400
+Subject: [PATCH 1/1] udiskslinuxmanager: Add lower bounds check to fd_index
+
+Make sure fd_index isn't negative as this can lead to an OOB read
+resulting in a crash, or to exposing internal file descriptors.
+
+Reported by Michael Imfeld (born0monday).
+---
+ src/udiskslinuxmanager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxmanager.c b/src/udiskslinuxmanager.c
+index 4e633284..887771ee 100644
+--- a/src/udiskslinuxmanager.c
++++ b/src/udiskslinuxmanager.c
+@@ -381,7 +381,7 @@ handle_loop_setup (UDisksManager          *object,
+     goto out;
+ 
+   fd_num = g_variant_get_handle (fd_index);
+-  if (fd_list == NULL || fd_num >= g_unix_fd_list_get_length (fd_list))
++  if (fd_list == NULL || fd_num < 0 || fd_num >= g_unix_fd_list_get_length (fd_list))
+     {
+       g_dbus_method_invocation_return_error (invocation,
+                                              UDISKS_ERROR,
+-- 
+2.43.0
+
diff --git a/udisks2.spec b/udisks2.spec
index c85d4e3..1168ac8 100644
--- a/udisks2.spec
+++ b/udisks2.spec
@@ -23,7 +23,7 @@
 Name:    udisks2
 Summary: Disk Manager
 Version: 2.10.90
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL-2.0-or-later
 URL:     https://github.com/storaged-project/udisks
 Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{version}/udisks-%{version}.tar.bz2
@@ -32,6 +32,8 @@ Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{v
 Patch0:  udisks-2.11.0-lvm2-unused_device_detection-try_harder.patch
 # https://issues.redhat.com/browse/RHEL-74012
 Patch1:  udisks-2.11.0-mdraid-inhibit-locks.patch
+# https://issues.redhat.com/browse/RHEL-109406
+Patch2:  udisks-2.10.91-manager_loopsetup_fd_bounds.patch
 
 BuildRequires: make
 BuildRequires: glib2-devel >= %{glib2_version}
@@ -339,6 +341,9 @@ fi
 %endif
 
 %changelog
+* Tue Sep 02 2025 Tomas Bzatek <tbzatek@redhat.com> - 2.10.90-6
+- udiskslinuxmanager: Add lower bounds check to fd_index (CVE-2025-8067) (RHEL-109406)
+
 * Fri Jan 24 2025 Tomas Bzatek <tbzatek@redhat.com> - 2.10.90-5
 - mdraid: Avoid acquiring system inhibit lock for external array operations (RHEL-74012)