The Qualys team discovered [a] LPE vulnerability in libblockdev, trivially exploitable via the udisks daemon, which is installed by default on most Linux distributions: an "allow_active" user (e.g., a physical user, or an attacker who hijacked the session of a physical user) can obtain the full privileges of the root user [1].
[1] https://www.openwall.com/lists/oss-security/2025/06/17/4
Reproducible: Always
Actual Results: LPE
Expected Results: Disallow LPE.
Additional Information: Proposed patches for both udisks and libblockdev [1].
[1] https://www.openwall.com/lists/oss-security/2025/06/17/5
FYI, the udisks patch was shared privately just for consideration; both the CVEs linked don't describe this udisks vulnerability at all. It's similar, but a slightly different case. Since this has gone public already, we'll take it as a regular patch upstream.
FEDORA-2025-6ef0c40f95 (udisks2-2.10.90-3.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-6ef0c40f95
FEDORA-2025-6ef0c40f95 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-6ef0c40f95` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-6ef0c40f95 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-6ef0c40f95 (udisks2-2.10.90-3.fc42) has been pushed to the Fedora 42 stable repository. If the problem still persists, please make a note of it in this bug report.