From 22261c4fc3ece3f3d74ef4ea37aacc87c38eaf3d Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Mon, 15 Dec 2025 11:53:26 +0100
Subject: [PATCH] RHEL-9.8: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
Resolves: RHEL-133956
---
...x-setpwnam-buffer-use-CVE-2025-14104.patch | 50 +++++++++++++++++++
util-linux.spec | 8 ++-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
diff --git a/0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch b/0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
new file mode 100644
index 0000000..8f7db0d
--- /dev/null
+++ b/0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
@@ -0,0 +1,50 @@
+From f6783d9c7dc6ca75d24585325814a869299c6f56 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 8 Dec 2025 13:36:41 +0100
+Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
+This issue has been originally fixed in the master branch, but
+unfortunately was not backported to stable/v2.41 yet.
+
+References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
+References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
+Signed-off-by: Karel Zak
+(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
+---
+ login-utils/setpwnam.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..7778e98f7 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ goto fail;
+
+ namelen = strlen(pwd->pw_name);
+-
++ if (namelen > buflen)
++ buflen += namelen;
+ linebuf = malloc(buflen);
+ if (!linebuf)
+ goto fail;
+@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ }
+
+ /* Is this the username we were sent to change? */
+- if (!found && linebuf[namelen] == ':' &&
+- !strncmp(linebuf, pwd->pw_name, namelen)) {
+- /* Yes! So go forth in the name of the Lord and
+- * change it! */
++ if (!found &&
++ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++ strlen(linebuf) > namelen &&
++ linebuf[namelen] == ':') {
++ /* Yes! But this time let’s not walk past the end of the buffer
++ * in the name of the Lord, SUID, or anything else. */
+ if (putpwent(pwd, fp) < 0)
+ goto fail;
+ found = 1;
+--
+2.51.1
+
diff --git a/util-linux.spec b/util-linux.spec
index 7b0134b..7a84da1 100644
--- a/util-linux.spec
+++ b/util-linux.spec
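Review bot: In the second setpwnam.c hunk of the added 0088 patch (`@@ -126,10 +127,12 @@`), the read of `linebuf[namelen]` is kept in bounds only by the short-circuit order of the `&&` chain, and the replacement comment does not record that invariant. I would word the comment as `/* strncmp() stops at the NUL and strlen(linebuf) > namelen must stay ahead of linebuf[namelen]; reordering brings back the out-of-bounds read */`. In the first hunk, `if (namelen > buflen)` leaves the buffer unchanged when `namelen == buflen`; that looks safe because of the `strlen()` guard, but `>=` would make the pre-sizing match the index being read, and the line-reading loop that may resize `linebuf` is outside the hunk, so confirm against the full function. The body of setpwnam() starts and ends outside both hunks.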
@@ -2,7 +2,7 @@ Summary: A collection of basic system utilities Name: util-linux Version: 2.37.4 -Release: 23%{?dist} +Release: 24%{?dist} License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: http://en.wikipedia.org/wiki/Util-linux @@ -248,6 +248,9 @@ Patch85: 0085-mount-improve-all-documentation.patch Patch86: 0086-libblkid-use-snprintf-instead-of-sprintf.patch # RHEL-123536 - libfdisk: (dos) fix off-by-one in maximum last sector calculation Patch87: 0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch +# RHEL-133956 - login-utils: fix setpwnam() buffer use [CVE-2025-14104] +Patch88: 0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch + %description The util-linux package contains a large variety of low-level system @@ -1082,6 +1085,9 @@ fi %{_libdir}/python*/site-packages/libmount/ %changelog +* Mon Dec 15 2025 Karel Zak 2.37.4-24 +- fix RHEL-133956 - login-utils: fix setpwnam() buffer use [CVE-2025-14104] + * Mon Nov 10 2025 Karel Zak 2.37.4-23 - fix RHEL-123527 - mount: improve --all documentation - fix RHEL-123531 - libblkid: use snprintf() instead of sprintf()