CVE-2025-6019:
A Local Privilege Escalation (LPE) vulnerability was found in
libblockdev. Generally, the "allow_active" setting in Polkit permits a
physically present user to take certain actions based on the session
type. Due to the way libblockdev interacts with the udisks daemon, an
"allow_active" user on a system may be able to escalate to full root
privileges on the target host. Normally, udisks mounts user-provided
filesystem images with security flags like nosuid and nodev to prevent
privilege escalation. However, a local attacker can create a specially
crafted XFS image containing a SUID-root shell, then trick udisks into
resizing it. This mounts their malicious filesystem with root
privileges, allowing them to execute their SUID-root shell and gain
complete control of the system.
Refer:
https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

New minor release of the libblockdev library with multiple fixes. See below for details.
Full list of changes
Manuel Wassermann (1):
exec: Fix deprecated glib function call Glib will rename "g_spawn_check_exit_status()" to "g_spawn_check_wait_status()" in version 2.69.
Tomasz Paweł Gajc (1):
remove unused variable and fix build with LLVM/clang
Vojtech Trefny (22):
NEWS.rts: Fix markup
crypto: Fix default key size for non XTS ciphers
vdo: Do not use g_memdup in bd_vdo_stats_copy
fs: Allow using empty label for vfat with newest dosfstools
tests: Call fs_vfat_mkfs with "--mbr=n" extra option in tests
kbd: Fix memory leak
crypto: Fix memory leak
dm: Fix memory leak in the DM plugin and DM logging redirect function
fs: Fix memory leak
kbd: Fix memory leak
lvm-dbus: Fix memory leak
mdraid: Fix memory leak
swap: Fix memory leak
tests: Make sure the test temp mount is always unmounted
tests: Do not check that XFS shrink fails with xfsprogs >= 5.12
tests: Temporarily skip test_snapshotcreate_lvorigin_snapshotmerge
Fix skipping tests on Debian testing
crypto: Let cryptsetup autodetect encryption sector size when not specified
tests: Do not try to remove VG before removing the VDO pool
tests: Force remove LVM VG /dev/ entry not removed by vgremove
tests: Tag LvmPVVGLVcachePoolCreateRemoveTestCase as unstable
Add missing plugins to the default config
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

Fixes packaging with py 3.8
ERROR: libblockdev-2.23-r0 do_package: QA Issue: libblockdev: Files/directories were installed but not shipped in any package:
/usr/lib/python3.8
/usr/lib/python3.8/site-packages
/usr/lib/python3.8/site-packages/gi
/usr/lib/python3.8/site-packages/gi/overrides
/usr/lib/python3.8/site-packages/gi/overrides/BlockDev.py
Signed-off-by: Khem Raj <raj.khem@gmail.com>

The python2 PACKAGECONFIG was added during an upgrade, defaulting to
be disabled. The RDEPENDS part should be 'python' instead of 'python2'
because there's no python2 recipe.
Also, we don't need to inherit some python classes. We just need to specify
FILES variable. After this change, the python2 and python3 PACKAGECONFIG
items could correctly work.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Since commit `6cc057d libblockdev: make various features optional' was applied,
it introduced issues:
1. As configure.ac told us, mpath/dm/lvm/lvm-dbus should have the
same depends, runtime depends
[configure.ac]
|AS_IF([test "x$with_dm" != "xno" -o "x$with_lvm" != "xno" -o "x$with_lvm_dbus" != "xno" -o "x$with_mpath" != "xno"],
| [LIBBLOCKDEV_PKG_CHECK_MODULES([DEVMAPPER], [devmapper >= 1.02.93])],
| [])
[configure.ac]
2. Remove duplicated PACKAGECONFIG tags `lvm-dbus'
3. Remove `lvm-dbus' from PACKAGECONFIG since recipe lvm2 does not support dbus
4. Align with previous configure options, we should add `mpath'
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Currently, recipe lvm2 does not support dbus very well, so add
PACKAGECONFIG lvm-dbus for libblockdev and disable it by default.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Since upgrading libblockdev to 2.18, these patches are
useless, remove them.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

It only makes sense to rdepend on lvm2 if lvm is enabled by the
configuration and the nss and volume-key dependencies are only needed
if --with-escrow is configured. These dependencies are quite big so
it's good to have a way to disable them.
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

I gave my best to rework patches:
* 0005-fix-a-clang-compiling-issue.patch: This was a bit challenging.
Because I do not use clang I cannot test and confirm that no new breakers
were introduced.
* 0004-fix-compile-failure-against-musl-C-library.patch: Just tested to apply
properly.
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>