udisks2: Fix for CVE-2021-3802

Add patch to fix CVE-2021-3802

Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 64 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch
new file mode 100644
index 0000000000..0189833b49
--- /dev/null
+++ b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch
@@ -0,0 +1,63 @@
+From 2517b8feb13919c382e53ab5f9b63c5b5ee5b063 Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort <pochu@debian.org>
+Date: Fri, 5 Nov 2021 09:29:13 +0100
+Subject: [PATCH] udisks2 security update
+
+mount options: Always use errors=remount-ro for ext filesystems
+
+Stefan Walter found that udisks2, a service to access and manipulate
+storage devices, could cause denial of service via system crash if a
+corrupted or specially crafted ext2/3/4 device or image was mounted,
+which could happen automatically on certain environments.
+
+For Debian 9 stretch, this problem has been fixed in version
+2.1.8-1+deb9u1.
+
+Default mount options are focused primarily on data safety, mounting
+damaged ext2/3/4 filesystem as readonly would indicate something's wrong.
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/u/udisks2/udisks2_2.1.8-1+deb9u1.debian.tar.xz]
+CVE: CVE-2021-3802
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/udiskslinuxfilesystem.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/udiskslinuxfilesystem.c b/src/udiskslinuxfilesystem.c
+index a5a3898c..eac8cab3 100644
+--- a/src/udiskslinuxfilesystem.c
++++ b/src/udiskslinuxfilesystem.c
+@@ -421,6 +421,21 @@ static const gchar *hfsplus_allow[] = { "creator", "type", "umask", "session", "
+ static const gchar *hfsplus_allow_uid_self[] = { "uid", NULL };
+ static const gchar *hfsplus_allow_gid_self[] = { "gid", NULL };
+ 
++/* ---------------------- ext2 -------------------- */
++
++static const gchar *ext2_defaults[] = { "errors=remount-ro", NULL };
++static const gchar *ext2_allow[] = { "errors=remount-ro", NULL };
++
++/* ---------------------- ext3 -------------------- */
++
++static const gchar *ext3_defaults[] = { "errors=remount-ro", NULL };
++static const gchar *ext3_allow[] = { "errors=remount-ro", NULL };
++
++/* ---------------------- ext4 -------------------- */
++
++static const gchar *ext4_defaults[] = { "errors=remount-ro", NULL };
++static const gchar *ext4_allow[] = { "errors=remount-ro", NULL };
++
+ /* ------------------------------------------------ */
+ /* TODO: support context= */
+ 
+@@ -434,6 +449,9 @@ static const FSMountOptions fs_mount_options[] =
+     { "udf", udf_defaults, udf_allow, udf_allow_uid_self, udf_allow_gid_self },
+     { "exfat", exfat_defaults, exfat_allow, exfat_allow_uid_self, exfat_allow_gid_self },
+     { "hfsplus", hfsplus_defaults, hfsplus_allow, hfsplus_allow_uid_self, hfsplus_allow_gid_self },
++    { "ext2", ext2_defaults, ext2_allow, NULL, NULL },
++    { "ext3", ext3_defaults, ext3_allow, NULL, NULL },
++    { "ext4", ext4_defaults, ext4_allow, NULL, NULL },
+   };
+ 
+ /* ------------------------------------------------ */
diff --git a/meta-oe/recipes-support/udisks/udisks2_git.bb b/meta-oe/recipes-support/udisks/udisks2_git.bb
index c4d0fa75ee..58c8a9899a 100644
--- a/meta-oe/recipes-support/udisks/udisks2_git.bb
+++ b/meta-oe/recipes-support/udisks/udisks2_git.bb
@@ -18,6 +18,7 @@ RDEPENDS_${PN} = "acl"
 
 SRC_URI = " \
     git://github.com/storaged-project/udisks.git;branch=master;protocol=https \
+    file://CVE-2021-3802.patch \
 "
 PV = "2.8.4+git${SRCREV}"
 SRCREV = "db5f487345da2eaa87976450ea51c2c465d9b82e"