udisks2: Fix CVE-2025-6019 (#417763)

Aleksanaa · web-flow · commit 32b3eddb9315 · 2025-06-18T17:03:44.000+08:00
diff --git a/pkgs/by-name/li/libblockdev/package.nix b/pkgs/by-name/li/libblockdev/package.nix
@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  fetchpatch,
   autoreconfHook,
   pkg-config,
   gtk-doc,
@@ -44,6 +45,14 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-Q7610i+2PQi+Oza3c2SwPneljrb+1cuFA4K4DQTpt8A=";
   };
 
+  patches = [
+    # CVE-2025-6019: https://www.openwall.com/lists/oss-security/2025/06/17/5
+    (fetchpatch {
+      url = "https://github.com/storaged-project/libblockdev/commit/4e35eb93e4d2672686789b9705623cc4f9f85d02.patch";
+      hash = "sha256-3pQxvbFX6jmT5LCaePoVfvPTNPoTPPhT0GcLaGkVVso=";
+    })
+  ];
+
   outputs = [
     "out"
     "dev"
diff --git a/pkgs/os-specific/linux/udisks/2-default.nix b/pkgs/os-specific/linux/udisks/2-default.nix
@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  fetchpatch,
   replaceVars,
   pkg-config,
   gnused,
@@ -79,6 +80,13 @@ stdenv.mkDerivation rec {
         util-linux
       ];
     })
+
+    # CVE-2025-6019: https://www.openwall.com/lists/oss-security/2025/06/17/5
+    (fetchpatch {
+      name = "CVE-2025-6019-2.patch";
+      url = "https://www.openwall.com/lists/oss-security/2025/06/17/5/2";
+      hash = "sha256-pgTA6yxQ1o9OU3qBeV1lh2O6mBkaUcc9md4uwFwz+AM=";
+    })
   ];
 
   strictDeps = true;
