Bug 29568 - udisks2 new security issue CVE-2021-3802
Summary: udisks2 new security issue CVE-2021-3802
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-20 17:17 CEST by David Walser
Modified: 2023-03-24 10:22 CET

See Also:
Source RPM: udisks2-2.9.1-4.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-10-20 17:17:50 CEST
Fedora has issued an advisory on October 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFN63AIWFGOO4DOWC75YMCPQ4EXSNDHG/

The issue is fixed upstream in 2.9.4.

David Walser 2021-10-20 17:18:00 CEST

Status comment: (none) => Fixed upstream in 2.9.4

Comment 1 Lewis Smith 2021-10-20 18:49:37 CEST
We already (just) have 2.9.4 in Cauldron.
Assigning this to Thierry who effectively maintains 'udisks2'.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Lécureuil 2021-11-24 18:42:40 CET
2.9.4 is a bugfix release only.

src:
    - udisks2-2.9.4-1.mga8

Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia, thierry.vignaud
Status comment: Fixed upstream in 2.9.4 => (none)

Comment 3 David Walser 2021-11-25 00:46:10 CET
Build failed:
http://pkgsubmit.mageia.org/uploads/failure/8/core/updates_testing/20211124174111.neoclust.duvel.1094616/log/udisks2-2.9.4-1.mga8/build.x86_64.0.20211124174149.log

Status comment: (none) => Fixed upstream in 2.9.4
Assignee: qa-bugs => mageia

Comment 4 Nicolas Lécureuil 2021-11-25 12:36:18 CET
src:
    - udisks2-2.9.4-1.mga8
    - libblockdev-2.26-1.mga8

Nicolas Lécureuil 2021-11-25 12:47:54 CET

Status comment: Fixed upstream in 2.9.4 => (none)
Assignee: mageia => qa-bugs

Comment 5 David Walser 2021-11-25 15:55:08 CET
RPMS:
libblockdev2-2.26-1.mga8
python3-blockdev-2.26-1.mga8
libbd_lvm-dbus2-2.26-1.mga8
libblockdev-gir2.0-2.26-1.mga8
libbd_lvm2-2.26-1.mga8
libbd_fs2-2.26-1.mga8
libbd_utils2-2.26-1.mga8
libblockdev-devel-2.26-1.mga8
libbd_crypto2-2.26-1.mga8
libbd_part2-2.26-1.mga8
libbd_kbd2-2.26-1.mga8
libbd_mdraid2-2.26-1.mga8
libbd_vdo2-2.26-1.mga8
libbd_nvdimm2-2.26-1.mga8
libbd_btrfs2-2.26-1.mga8
libbd_dm2-2.26-1.mga8
libbd_swap2-2.26-1.mga8
libbd_mpath2-2.26-1.mga8
libblockdev-tools-2.26-1.mga8
libbd_lvm-dbus-devel-2.26-1.mga8
libbd_lvm-devel-2.26-1.mga8
libbd_loop2-2.26-1.mga8
libbd_crypto-devel-2.26-1.mga8
libbd_fs-devel-2.26-1.mga8
libbd_part-devel-2.26-1.mga8
libbd_utils-devel-2.26-1.mga8
libbd_vdo-devel-2.26-1.mga8
libbd_mdraid-devel-2.26-1.mga8
libbd_kbd-devel-2.26-1.mga8
libbd_btrfs-devel-2.26-1.mga8
libbd_nvdimm-devel-2.26-1.mga8
libbd_dm-devel-2.26-1.mga8
libbd_swap-devel-2.26-1.mga8
libbd_loop-devel-2.26-1.mga8
libbd_mpath-devel-2.26-1.mga8
libblockdev-plugins-all-2.26-1.mga8
udisks2-2.9.4-1.mga8
libudisks2_0-2.9.4-1.mga8
libudisks-gir2.0-2.9.4-1.mga8
udisks2-lvm2-2.9.4-1.mga8
udisks2-lsm-2.9.4-1.mga8
udisks2-zram-2.9.4-1.mga8
udisks2-btrfs-2.9.4-1.mga8
udisks2-bcache-2.9.4-1.mga8
libudisks2-devel-2.9.4-1.mga8

from SRPMS:
libblockdev-2.26-1.mga8.src.rpm
udisks2-2.9.4-1.mga8.src.rpm

Comment 6 Thomas Andrews 2021-11-27 01:00:17 CET
i5-2500, Intel graphics, MGA8-64 Plasma system, using the 5.15.4 server kernel.

The following 10 packages are going to be installed:

- lib64bd_crypto2-2.26-1.mga8.x86_64
- lib64bd_fs2-2.26-1.mga8.x86_64
- lib64bd_loop2-2.26-1.mga8.x86_64
- lib64bd_mdraid2-2.26-1.mga8.x86_64
- lib64bd_part2-2.26-1.mga8.x86_64
- lib64bd_swap2-2.26-1.mga8.x86_64
- lib64bd_utils2-2.26-1.mga8.x86_64
- lib64blockdev2-2.26-1.mga8.x86_64
- lib64udisks2_0-2.9.4-1.mga8.x86_64
- udisks2-2.9.4-1.mga8.x86_64

No installation issues.

A previous update was found in Bug 12983, for Mageias 3 and 4. The test used at that time was to successfully automount a USB stick. I was able to automount and "safely remove" a USB 3.0 external hard drive, and a USB 2.0 stick, with no regressions.

In addition, urpmq shows that udisks2 is required by Isodumper. Isodumper was able to detect that there was no USB stick inserted when it was run, and when the stick was inserted after. It was also able to detect if the stick was removed.

It appears to be working as designed. Giving it an OK, and validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-01 22:49:07 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-12-02 17:50:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0529.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 Paul Dupont 2023-03-24 10:22:51 CET Comment hidden (spam)

CC: (none) => pauldupont1120

