RHEL-9.8: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
Resolves: RHEL-133956
This commit is contained in:
Karel Zak
parent
21a3a82356
commit
22261c4fc3
@ -0,0 +1,50 @@
|
||||
From f6783d9c7dc6ca75d24585325814a869299c6f56 Mon Sep 17 00:00:00 2001
|
||||
From: Karel Zak <kzak@redhat.com>
|
||||
Date: Mon, 8 Dec 2025 13:36:41 +0100
|
||||
Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
|
||||
|
||||
This issue has been originally fixed in the master branch, but
|
||||
unfortunately was not backported to stable/v2.41 yet.
|
||||
|
||||
References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
|
||||
References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
|
||||
Signed-off-by: Karel Zak <kzak@redhat.com>
|
||||
(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
|
||||
---
|
||||
login-utils/setpwnam.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
|
||||
index 3e3c1abde..7778e98f7 100644
|
||||
--- a/login-utils/setpwnam.c
|
||||
+++ b/login-utils/setpwnam.c
|
||||
@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
|
||||
goto fail;
|
||||
|
||||
namelen = strlen(pwd->pw_name);
|
||||
-
|
||||
+ if (namelen > buflen)
|
||||
+ buflen += namelen;
|
||||
linebuf = malloc(buflen);
|
||||
if (!linebuf)
|
||||
goto fail;
|
||||
@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
|
||||
}
|
||||
|
||||
/* Is this the username we were sent to change? */
|
||||
- if (!found && linebuf[namelen] == ':' &&
|
||||
- !strncmp(linebuf, pwd->pw_name, namelen)) {
|
||||
- /* Yes! So go forth in the name of the Lord and
|
||||
- * change it! */
|
||||
+ if (!found &&
|
||||
+ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
|
||||
+ strlen(linebuf) > namelen &&
|
||||
+ linebuf[namelen] == ':') {
|
||||
+ /* Yes! But this time let’s not walk past the end of the buffer
|
||||
+ * in the name of the Lord, SUID, or anything else. */
|
||||
if (putpwent(pwd, fp) < 0)
|
||||
goto fail;
|
||||
found = 1;
|
||||
--
|
||||
2.51.1
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
Summary: A collection of basic system utilities
|
||||
Name: util-linux
|
||||
Version: 2.37.4
|
||||
Release: 23%{?dist}
|
||||
Release: 24%{?dist}
|
||||
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
|
||||
URL: http://en.wikipedia.org/wiki/Util-linux
|
||||
|
||||
@ -248,6 +248,9 @@ Patch85: 0085-mount-improve-all-documentation.patch
|
||||
Patch86: 0086-libblkid-use-snprintf-instead-of-sprintf.patch
|
||||
# RHEL-123536 - libfdisk: (dos) fix off-by-one in maximum last sector calculation
|
||||
Patch87: 0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
|
||||
# RHEL-133956 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
|
||||
Patch88: 0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
|
||||
|
||||
|
||||
%description
|
||||
The util-linux package contains a large variety of low-level system
|
||||
@ -1082,6 +1085,9 @@ fi
|
||||
%{_libdir}/python*/site-packages/libmount/
|
||||
|
||||
%changelog
|
||||
* Mon Dec 15 2025 Karel Zak <kzak@redhat.com> 2.37.4-24
|
||||
- fix RHEL-133956 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
|
||||
|
||||
* Mon Nov 10 2025 Karel Zak <kzak@redhat.com> 2.37.4-23
|
||||
- fix RHEL-123527 - mount: improve --all documentation
|
||||
- fix RHEL-123531 - libblkid: use snprintf() instead of sprintf()
|
||||
|
||||
Loading…
Reference in New Issue
Block a user