From 4e7d34df0fc2751ac07d3f425f6480dcf5edf714 Mon Sep 17 00:00:00 2001 From: Virendra Thakur Date: Fri, 28 Jan 2022 15:54:11 +0530 Subject: udisks2: Fix for CVE-2021-3802 Add patch to fix CVE-2021-3802 Signed-off-by: Virendra Thakur Signed-off-by: Armin Kuster --- .../udisks/udisks2/CVE-2021-3802.patch | 63 ++++++++++++++++++++++ meta-oe/recipes-support/udisks/udisks2_git.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch (limited to 'meta-oe/recipes-support/udisks') diff --git a/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch new file mode 100644 index 0000000000..0189833b49 --- /dev/null +++ b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch @@ -0,0 +1,63 @@ +From 2517b8feb13919c382e53ab5f9b63c5b5ee5b063 Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort +Date: Fri, 5 Nov 2021 09:29:13 +0100 +Subject: [PATCH] udisks2 security update + +mount options: Always use errors=remount-ro for ext filesystems + +Stefan Walter found that udisks2, a service to access and manipulate +storage devices, could cause denial of service via system crash if a +corrupted or specially crafted ext2/3/4 device or image was mounted, +which could happen automatically on certain environments. + +For Debian 9 stretch, this problem has been fixed in version +2.1.8-1+deb9u1. + +Default mount options are focused primarily on data safety, mounting +damaged ext2/3/4 filesystem as readonly would indicate something's wrong. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/u/udisks2/udisks2_2.1.8-1+deb9u1.debian.tar.xz] +CVE: CVE-2021-3802 + +Signed-off-by: Virendra Thakur + +--- + src/udiskslinuxfilesystem.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/udiskslinuxfilesystem.c b/src/udiskslinuxfilesystem.c +index a5a3898c..eac8cab3 100644 +--- a/src/udiskslinuxfilesystem.c ++++ b/src/udiskslinuxfilesystem.c +@@ -421,6 +421,21 @@ static const gchar *hfsplus_allow[] = { "creator", "type", "umask", "session", " + static const gchar *hfsplus_allow_uid_self[] = { "uid", NULL }; + static const gchar *hfsplus_allow_gid_self[] = { "gid", NULL }; + ++/* ---------------------- ext2 -------------------- */ ++ ++static const gchar *ext2_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext2_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext3 -------------------- */ ++ ++static const gchar *ext3_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext3_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext4 -------------------- */ ++ ++static const gchar *ext4_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext4_allow[] = { "errors=remount-ro", NULL }; ++ + /* ------------------------------------------------ */ + /* TODO: support context= */ + +@@ -434,6 +449,9 @@ static const FSMountOptions fs_mount_options[] = + { "udf", udf_defaults, udf_allow, udf_allow_uid_self, udf_allow_gid_self }, + { "exfat", exfat_defaults, exfat_allow, exfat_allow_uid_self, exfat_allow_gid_self }, + { "hfsplus", hfsplus_defaults, hfsplus_allow, hfsplus_allow_uid_self, hfsplus_allow_gid_self }, ++ { "ext2", ext2_defaults, ext2_allow, NULL, NULL }, ++ { "ext3", ext3_defaults, ext3_allow, NULL, NULL }, ++ { "ext4", ext4_defaults, ext4_allow, NULL, NULL }, + }; + + /* ------------------------------------------------ */ diff --git a/meta-oe/recipes-support/udisks/udisks2_git.bb b/meta-oe/recipes-support/udisks/udisks2_git.bb index c4d0fa75ee..58c8a9899a 100644 --- a/meta-oe/recipes-support/udisks/udisks2_git.bb +++ b/meta-oe/recipes-support/udisks/udisks2_git.bb @@ -18,6 +18,7 @@ RDEPENDS_${PN} = "acl" SRC_URI = " \ git://github.com/storaged-project/udisks.git;branch=master;protocol=https \ + file://CVE-2021-3802.patch \ " PV = "2.8.4+git${SRCREV}" SRCREV = "db5f487345da2eaa87976450ea51c2c465d9b82e" -- cgit 1.2.3-korg