* Tue Sep 02 2025 Tomas Bzatek <tbzatek@redhat.com> - 2.9.4-12

- udiskslinuxmanager: Add lower bounds check to fd_index (CVE-2025-8067) Resolves: RHEL-109413
2025-09-02 17:23:07 +02:00 · 2025-09-02 17:23:07 +02:00 · ceddd09321
commit ceddd09321
parent a49c9510f6
2 changed files with 36 additions and 1 deletions
--- a/udisks-2.10.91-manager_loopsetup_fd_bounds.patch
+++ b/udisks-2.10.91-manager_loopsetup_fd_bounds.patch
@ -0,0 +1,29 @@
+From 55e36ef2af4fbfc92aab5cef50a69123e321f9f1 Mon Sep 17 00:00:00 2001
+From: Marc Deslauriers <marc.deslauriers@canonical.com>
+Date: Tue, 15 Jul 2025 13:34:08 -0400
+Subject: [PATCH 1/1] udiskslinuxmanager: Add lower bounds check to fd_index
+
+Make sure fd_index isn't negative as this can lead to an OOB read
+resulting in a crash, or to exposing internal file descriptors.
+
+Reported by Michael Imfeld (born0monday).
+---
+ src/udiskslinuxmanager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxmanager.c b/src/udiskslinuxmanager.c
+index 4e633284..887771ee 100644
+--- a/src/udiskslinuxmanager.c
+++ b/src/udiskslinuxmanager.c
+@@ -381,7 +381,7 @@ handle_loop_setup (UDisksManager          *object,
+     goto out;
+ 
+   fd_num = g_variant_get_handle (fd_index);
+-  if (fd_list == NULL || fd_num >= g_unix_fd_list_get_length (fd_list))
+  if (fd_list == NULL || fd_num < 0 || fd_num >= g_unix_fd_list_get_length (fd_list))
+     {
+       g_dbus_method_invocation_return_error (invocation,
+                                              UDISKS_ERROR,
+-- 
+2.43.0
+
--- a/udisks2.spec
+++ b/udisks2.spec
@ -48,7 +48,7 @@
 Name:    udisks2
 Summary: Disk Manager
 Version: 2.9.4
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 URL:     https://github.com/storaged-project/udisks
 Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{version}/udisks-%{version}.tar.bz2
@ -90,6 +90,9 @@ Patch22: udisks-2.11.0-targetcli_config_attr_fix.patch
 # https://issues.redhat.com/browse/RHEL-8031
 Patch23: udisks-2.11.0-lvm2_refactor_wipe.patch
 Patch24: udisks-2.11.0-BLKRRPART-harder.patch
+# https://issues.redhat.com/browse/RHEL-109413
+Patch25: udisks-2.10.91-manager_loopsetup_fd_bounds.patch
+

 BuildRequires: make
 BuildRequires: glib2-devel >= %{glib2_version}
@ -465,6 +468,9 @@ fi
 %endif

 %changelog
+* Tue Sep 02 2025 Tomas Bzatek <tbzatek@redhat.com> - 2.9.4-12
+- udiskslinuxmanager: Add lower bounds check to fd_index (CVE-2025-8067) (RHEL-109413)
+
 * Wed May 15 2024 Tomas Bzatek <tbzatek@redhat.com> - 2.9.4-11
 - udiskslinuxblockobject: Try issuing BLKRRPART ioctl harder
 - lvm2: Refactor udisks_daemon_util_lvm2_wipe_block()