Version in base suite: 2.9.4-4
Base version: udisks2_2.9.4-4
Target version: udisks2_2.9.4-4+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/u/udisks2/udisks2_2.9.4-4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/u/udisks2/udisks2_2.9.4-4+deb12u1.dsc
changelog | 7 +
patches/series | 1
patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch | 46 ++++++++++
3 files changed, 54 insertions(+)
diff -Nru udisks2-2.9.4/debian/changelog udisks2-2.9.4/debian/changelog
--- udisks2-2.9.4/debian/changelog 2022-12-07 16:02:25.000000000 +0000
+++ udisks2-2.9.4/debian/changelog 2025-06-09 14:32:21.000000000 +0000
@@ -1,3 +1,10 @@
+udisks2 (2.9.4-4+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * udiskslinuxfilesystemhelpers: Mount private mounts with 'nodev,nosuid'
+
+ -- Salvatore Bonaccorso Mon, 09 Jun 2025 16:32:21 +0200
+
 udisks2 (2.9.4-4) unstable; urgency=medium
 
 * Update debian/watch.
diff -Nru udisks2-2.9.4/debian/patches/series udisks2-2.9.4/debian/patches/series
--- udisks2-2.9.4/debian/patches/series 2022-12-07 16:02:25.000000000 +0000
+++ udisks2-2.9.4/debian/patches/series 2025-06-09 14:32:05.000000000 +0000
@@ -1 +1,2 @@
 udiskslinuxmountoptions-do-not-free-static-daemon-resources.patch
+udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch
diff -Nru udisks2-2.9.4/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch udisks2-2.9.4/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch
--- udisks2-2.9.4/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch 1970-01-01 00:00:00.000000000 +0000
+++ udisks2-2.9.4/debian/patches/udiskslinuxfilesystemhelpers-Mount-private-mounts-wi.patch 2025-06-09 14:32:21.000000000 +0000
@@ -0,0 +1,46 @@
+From 0007d5616f4dbc9ccd65b9094ffc18c6f776d06a Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek
+Date: Wed, 4 Jun 2025 15:26:46 +0200
+Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with
+ 'nodev,nosuid'
+
+The private mount done in take_filesystem_ownership() should always
+default to 'nodev,nosuid' for security and 'errors=remount-ro' for
+selected filesystem to handle corrupted filesystem. This is consistent
+with mount options calculation for regular mounts.
+---
+ src/udiskslinuxfilesystemhelpers.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxfilesystemhelpers.c b/src/udiskslinuxfilesystemhelpers.c
+index 7c5fc037..9eb7742c 100644
+--- a/src/udiskslinuxfilesystemhelpers.c
++++ b/src/udiskslinuxfilesystemhelpers.c
+@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar *device,
+
+ {
+ gchar *mountpoint = NULL;
++ const gchar *mount_opts;
+ GError *local_error = NULL;
+ gboolean unmount = FALSE;
+ gboolean success = TRUE;
+@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar *device,
+ goto out;
+ }
+
++ mount_opts = "nodev,nosuid";
++ if (g_strcmp0 (fstype, "ext2") == 0 ||
++ g_strcmp0 (fstype, "ext3") == 0 ||
++ g_strcmp0 (fstype, "ext4") == 0 ||
++ g_strcmp0 (fstype, "jfs") == 0)
++ mount_opts = "nodev,nosuid,errors=remount-ro";
++
+ /* TODO: mount to a private mount namespace */
+- if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error))
++ if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error))
+ {
+ g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
+ "Cannot mount %s at %s: %s",
+--
+2.49.0
+
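Review bot: The new `mount_opts = "nodev,nosuid";` assignment in the embedded patch's second hunk (`@@ -151,8 +152,15 @@`) carries the security intent of this upload but has no comment, and the unchanged TODO below it shows the mount is still not done in a private mount namespace. I would add above the assignment `/* Security: always mount with nodev,nosuid; this mount is not in a private namespace (see TODO below). */` so that a later refactor does not go back to passing NULL options to bd_fs_mount(). The ext2/ext3/ext4/jfs list for `errors=remount-ro` looks like a second copy of what the commit message calls the mount options calculation for regular mounts; if that code is reachable from this file, a shared helper would keep the two lists from drifting apart. Since this temporary mount appears, from the function name, to exist only to change ownership, `noexec` may be worth adding to both option strings as well; that needs confirming against the rest of take_filesystem_ownership(), whose body starts and ends outside the hunk.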