The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An "allow_active" user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user.
Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Along with the libblockdev update, updated udisks2 packages are released, to enforce that private mounts are mounted with 'nodev,nosuid'.
https://security-tracker.debian.org/tracker/DSA-5943-1
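To confirm after the update that removable-media mounts carry 'nodev,nosuid', the following added example (not part of the advisory or the Debian packages) parses `/proc/self/mountinfo` and reports mounts under chosen prefixes that lack either flag. The prefixes `/run/media` and `/media` and the sample lines are assumptions constructed for illustration.

```python
import re

REQUIRED = {"nodev", "nosuid"}
# Assumption: directories to audit; adjust to where udisks mounts on your system.
DEFAULT_PREFIXES = ("/run/media", "/media")

# Constructed sample in /proc/self/mountinfo format (not real system output).
SAMPLE = r"""
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
36 25 8:17 / /run/media/alice/USB\040DISK rw,nosuid,nodev,relatime shared:120 - vfat /dev/sdb1 rw,uid=1000
41 25 7:0 / /run/media/alice/scratch rw,relatime - xfs /dev/loop0 rw,attr2
42 25 8:33 / /media/backup rw,nosuid,relatime shared:130 - ext4 /dev/sdc1 rw
"""

def _unescape(path):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def parse_mountinfo(text):
    """Yield (mount_point, fs_type, source, per-mount options) for each line."""
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue
        sep = fields.index("-")  # separator after the optional fields
        if sep < 6 or len(fields) < sep + 3:
            continue  # malformed line
        yield (_unescape(fields[4]), fields[sep + 1],
               _unescape(fields[sep + 2]), set(fields[5].split(",")))

def missing_flags(text, prefixes=DEFAULT_PREFIXES):
    """Return mounts under `prefixes` that lack nodev and/or nosuid."""
    findings = []
    for mnt, fstype, src, opts in parse_mountinfo(text):
        under = any(mnt == p or mnt.startswith(p.rstrip("/") + "/")
                    for p in prefixes)
        missing = REQUIRED - opts
        if under and missing:
            findings.append((mnt, fstype, src, sorted(missing)))
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed sample off Linux
    for mnt, fstype, src, missing in missing_flags(data):
        print(f"{mnt} ({fstype} from {src}) missing: {','.join(missing)}")
```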

