Change History (6)
comment:1 by , 8 months ago
comment:2 by , 8 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 8 months ago
There are no specific release notes but a diff to the previous version is at https://github.com/storaged-project/libblockdev/compare/3.3.0...3.3.1
comment:4 by , 8 months ago
Note: Looking at the changes, there is really only one line of code changed to add some (important) constants to a mount command.
comment:5 by , 8 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at commits
5c6885e21b Update to abseil-cpp-20250512.1. 4b6909a980 Update to nghttp2-1.66.0. 09901ba110 Update to adwaita-icon-theme-48.1. f2356387f7 Update to enchant-2.8.9. 2b6ab4efe1 Update to libblockdev-3.3.1 (Security release).
Note:
See TracTickets
for help on using tickets.
For further reading for CVE-2025-6019: https://www.openwall.com/lists/oss-security/2025/06/17/4
The link above documents two CVEs. 2025-6018 is for the SUSE variants and is exploited via a PAM misconfiguration can exploit 6019 via sshd. Think of 6018 as the entry point, it gives way to 6019 which exploits the PAM misconfiguration or another exploit, which is the bulk of the issue.
With 6019, an attacker who can be a physical user who hijacked a physical session, or one who exploits 6018 via sshd, can then have root privileges via udisks. Typically, LPEs from any physical unprivileged users are preferred to then have root privileges. The reason why this case is different is that if a vulnerability like 6018 can be exploited, basically an attacker via sshd can gain privileges they shouldn't have and won't be limited to physical-only. Other vulnerabilities that are also out there at the moment require that these privileges be exploited. Updating to libblockdev-3.3.1 will shut down those possibilities.
Furthermore, the link at the top of this comment links to another link here: https://u1f383.github.io/linux/2025/05/25/dbus-and-polkit-introduction.html. It explains how using the "Abuse Rule Limitations" trick via Polkit and D-Bus allows for abusing the above exploit via sshd.
The CVE has been reserved and the details beyond the writeup above are not documented on CVE sites. I do not know the rating as of yet. Some say it's critical. In my mind, it's high, above medium but not critical. It requires sshd to pull off or have two people physically being in the same room. And the attacker has to find a situation where 6018 is present. I do not know if we have the issue SUSE variants had. We should be careful nonetheless. If someone wants to promote it to critical, by all means. But I'm keeping it at high.