From facef6f5e785af7773ad7c0b36be7e34083f7b50 Mon Sep 17 00:00:00 2001
From: qhw01063182
Date: Fri, 20 Jun 2025 16:06:38 +0800
Subject: [PATCH] Fix CVE-2025-6019

Signed-off-by: qhw01063182
---
 ...unt_private_mounts_with_nodev_nosuid.patch | 43 +++++++++++++++++++
 udisks2.spec | 6 ++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 udisks-2.11.0-udiskslinuxfilesystemhelpers-Mount_private_mounts_with_nodev_nosuid.patch

diff --git a/udisks-2.11.0-udiskslinuxfilesystemhelpers-Mount_private_mounts_with_nodev_nosuid.patch b/udisks-2.11.0-udiskslinuxfilesystemhelpers-Mount_private_mounts_with_nodev_nosuid.patch
new file mode 100644
index 0000000..d6b0f9a
--- /dev/null
+++ b/udisks-2.11.0-udiskslinuxfilesystemhelpers-Mount_private_mounts_with_nodev_nosuid.patch
@@ -0,0 +1,43 @@
+From 5e7277debea926370e587408517560afe87d28c9 Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek
+Date: Wed, 4 Jun 2025 15:26:46 +0200
+Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with
+ 'nodev,nosuid'
+
+The private mount done in take_filesystem_ownership() should always
+default to 'nodev,nosuid' for security and 'errors=remount-ro' for
+selected filesystem types to handle an corrupted filesystem. This is
+consistent with mount options calculation for regular mounts.
+---
+ src/udiskslinuxfilesystemhelpers.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxfilesystemhelpers.c b/src/udiskslinuxfilesystemhelpers.c
+index 7c5fc037c4..9eb7742c77 100644
+--- a/src/udiskslinuxfilesystemhelpers.c
++++ b/src/udiskslinuxfilesystemhelpers.c
+@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar *device,
+
+ {
+ gchar *mountpoint = NULL;
++ const gchar *mount_opts;
+ GError *local_error = NULL;
+ gboolean unmount = FALSE;
+ gboolean success = TRUE;
+@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar *device,
+ goto out;
+ }
+
++ mount_opts = "nodev,nosuid";
++ if (g_strcmp0 (fstype, "ext2") == 0 ||
++ g_strcmp0 (fstype, "ext3") == 0 ||
++ g_strcmp0 (fstype, "ext4") == 0 ||
++ g_strcmp0 (fstype, "jfs") == 0)
++ mount_opts = "nodev,nosuid,errors=remount-ro";
++
+ /* TODO: mount to a private mount namespace */
+- if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error))
++ if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error))
+ {
+ g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
+ "Cannot mount %s at %s: %s",
diff --git a/udisks2.spec b/udisks2.spec
index 709e839..ed1a288 100644
--- a/udisks2.spec
+++ b/udisks2.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.3
 %global glib2_version 2.36
 %global gobject_introspection_version 1.30.0
 %global polkit_version 0.102
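Review bot: The `nodev,nosuid` default reaches only the single `bd_fs_mount()` call in take_filesystem_ownership(), so the spec changelog's "Fix CVE-2025-6019" is complete only if temporary mounts made elsewhere are covered too; as far as I know the CVE is tracked against libblockdev, which is worth confirming against that package before this ships as the fix. The patch file is named for udisks 2.11.0 while the changelog packages 2.9.0, so check that both inner hunks apply without fuzz and that `fstype` is in scope where `mount_opts` is computed. The mount still lands in the shared namespace (the TODO comment is kept), so a one-line comment such as `/* untrusted media: never honour setuid bits or device nodes */` above `mount_opts = "nodev,nosuid";` would tell the next reader why these options must not be dropped. The function begins and ends outside both inner hunks.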
@@ -109,6 +109,7 @@ Patch37: udisks-2.10.0-iscsi-ibft-chap-auth.patch
 Patch1000: 18030-0001-get-utf8-block-label.patch
 Patch1001: 18030-0002-udisksclients-add-utf8-string-check.patch
+Patch1002: udisks-2.11.0-udiskslinuxfilesystemhelpers-Mount_private_mounts_with_nodev_nosuid.patch
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@@ -548,6 +549,9 @@ fi
 %doc README.md AUTHORS NEWS HACKING
 %changelog
+* Fri Jun 20 2025 Hong Wei Qin - 2.9.0-16.0.3
+- Fix CVE-2025-6019
+
 * Mon Jul 15 2024 Liwei Ge - 2.9.0-16.0.2
 - return a nicer UTF-8 string
 - Add UTF-8 check for udisksclient
-- Gitee
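Review bot: `Patch1002` is only declared in this hunk; none of the three udisks2.spec hunks adds a matching `%patch1002 -p1` in `%prep`, so the hardening is applied only if the spec relies on `%autosetup` or `%autopatch`, which this diff does not show. If `%prep` lists patches explicitly, the package would build without the `nodev,nosuid` change while the changelog reports the CVE as fixed. Confirming in the build log that the patch was applied, or grepping the prepared source for `nodev,nosuid`, would settle it.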