From 265db3cf68fd497376e25425858b4243251e9e94 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 2 Feb 2026 11:19:55 +0000
Subject: [PATCH] import UBI util-linux-2.40.2-15.el10_1
---
...lkid-use-snprintf-instead-of-sprintf.patch | 59 +++++++++++++++++++
...x-setpwnam-buffer-use-CVE-2025-14104.patch | 51 ++++++++++++++++
util-linux.spec | 18 +++++-
3 files changed, 125 insertions(+), 3 deletions(-)
create mode 100644 0012-libblkid-use-snprintf-instead-of-sprintf.patch
create mode 100644 0013-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
diff --git a/0012-libblkid-use-snprintf-instead-of-sprintf.patch b/0012-libblkid-use-snprintf-instead-of-sprintf.patch
new file mode 100644
index 0000000..89236ea
--- /dev/null
+++ b/0012-libblkid-use-snprintf-instead-of-sprintf.patch
@@ -0,0 +1,59 @@
+From c5bc4b1595300aecf2e140bdce8e97c2bde57786 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 6 Oct 2025 15:04:24 +0200
+Subject: libblkid: use snprintf() instead of sprintf()
+
+Replace sprintf() calls with snprintf() to ensure proper bounds
+checking when formatting strings.
+
+In encode.c, the check now validates snprintf() return value instead
+of pre-checking buffer size, providing more robust error handling.
+
+In probe.c, snprintf() is used with proper size calculation based on
+remaining buffer space.
+
+Addresses: https://issues.redhat.com/browse/RHEL-134271
+
+Signed-off-by: Karel Zak
+(cherry picked from commit e00af23ce51151a5a2e7b207dbe8d1bc715e4bd1)
+---
+ libblkid/src/encode.c | 6 ++++--
+ libblkid/src/probe.c | 4 ++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c
+index 8213873ee..4b83f6690 100644
+--- a/libblkid/src/encode.c
++++ b/libblkid/src/encode.c
+@@ -191,9 +191,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len)
+ j += seqlen;
+ i += (seqlen-1);
+ } else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) {
+- if (len-j < 4)
++ int rc;
++
++ rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]);
++ if (rc != 4)
+ goto err;
+- sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
+ j += 4;
+ } else {
+ if (len-j < 1)
+diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
+index 76905e197..cd45bcdf7 100644
+--- a/libblkid/src/probe.c
++++ b/libblkid/src/probe.c
+@@ -1972,8 +1972,8 @@ static void blkid_probe_log_csum_mismatch(blkid_probe pr, size_t n, const void *
+ int hex_size = min(sizeof(csum_hex), n * 2);
+
+ for (int i = 0; i < hex_size; i+=2) {
+- sprintf(&csum_hex[i], "%02X", ((const unsigned char *) csum)[i / 2]);
+- sprintf(&expected_hex[i], "%02X", ((const unsigned char *) expected)[i / 2]);
++ snprintf(&csum_hex[i], sizeof(csum_hex) - i, "%02X", ((const unsigned char *) csum)[i / 2]);
++ snprintf(&expected_hex[i], sizeof(expected_hex) - i, "%02X", ((const unsigned char *) expected)[i / 2]);
+ }
+
+ ul_debug(
+--
+2.51.1
+
diff --git a/0013-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch b/0013-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
new file mode 100644
index 0000000..7c0def1
--- /dev/null
+++ b/0013-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
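Review bot: In the encode.c hunk of 0012-libblkid-use-snprintf-instead-of-sprintf.patch, `if (rc != 4)` cannot detect truncation, because snprintf() returns the length the output would have had, which is 4 for `"\\x%02x"` even when `len-j` is too small to hold it. The removed `if (len-j < 4)` pre-check was the only visible bound on `j` in this branch, so after a truncated write `j += 4` can move `j` past `len`, and the later `len-j` tests, which look unsigned given `size_t len`, would then wrap instead of failing; `j` is declared outside the hunk, so this is inferred. Comparing the result with the remaining space restores the bound: `if (rc < 0 || (size_t) rc >= len - j) goto err;`. In the probe.c hunk the snprintf() results are ignored, and when `hex_size` equals `sizeof(csum_hex)` the last pair is cut to a single digit, so the loop bound should leave room for the terminator if the logged checksum is meant to be complete.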
@@ -0,0 +1,51 @@
+From 903975206ebb1524205c966d5eb7eca9e6b68ed5 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 8 Dec 2025 13:36:41 +0100
+Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
+This issue has been originally fixed in the master branch, but
+unfortunately was not backported to stable/v2.41 yet.
+
+References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
+References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
+Addresses: https://issues.redhat.com/browse/RHEL-133942
+Signed-off-by: Karel Zak
+(cherry picked from commit c84b027a5552b89a1bdbabed1faea7b1583efd1b)
+---
+ login-utils/setpwnam.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..7778e98f7 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ goto fail;
+
+ namelen = strlen(pwd->pw_name);
+-
++ if (namelen > buflen)
++ buflen += namelen;
+ linebuf = malloc(buflen);
+ if (!linebuf)
+ goto fail;
+@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ }
+
+ /* Is this the username we were sent to change? */
+- if (!found && linebuf[namelen] == ':' &&
+- !strncmp(linebuf, pwd->pw_name, namelen)) {
+- /* Yes! So go forth in the name of the Lord and
+- * change it! */
++ if (!found &&
++ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++ strlen(linebuf) > namelen &&
++ linebuf[namelen] == ':') {
++ /* Yes! But this time let’s not walk past the end of the buffer
++ * in the name of the Lord, SUID, or anything else. */
+ if (putpwent(pwd, fp) < 0)
+ goto fail;
+ found = 1;
+--
+2.51.1
+
diff --git a/util-linux.spec b/util-linux.spec
index 7e7f2d2..e8464ca 100644
--- a/util-linux.spec
+++ b/util-linux.spec
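Review bot: The resize test `if (namelen > buflen)` in the first setpwnam.c hunk leaves the buffer at its original size when `namelen` equals `buflen` or `buflen - 1`, so a line carrying that name plus `:` still cannot fit in one buffer-sized read. The out-of-bounds index itself is prevented by the new `strlen(linebuf) > namelen` test in the second hunk, so this looks like a functional edge (such an entry would never match) rather than a memory-safety one; the read loop and the declarations of `namelen` and `buflen` are outside both hunks, so that is inferred. Growing on `if (namelen + 2 > buflen)` would leave room for the name, the separator and the terminator. The replacement comment jokes about the bug without recording the rule the condition now depends on; something like `/* linebuf can be shorter than pw_name: test its length before indexing linebuf[namelen] */` would keep a later reordering of the condition from reintroducing the read.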
@@ -2,7 +2,7 @@ ## (rpmautospec version 0.6.5) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 13; + release_number = 15; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -102,8 +102,7 @@ Requires: libfdisk = %{version}-%{release} Requires: util-linux-core = %{version}-%{release} ### RHEL-10.0 -### - +# # 151635 - makeing /var/log/lastlog Patch0: 0000-login-lastlog-create.patch # Add `/run/motd.d` to the hardcoded MOTD_FILE @@ -127,6 +126,13 @@ Patch9: 0009-docs-add-European-Public-License-v1.2.patch Patch10: 0010-lscpu-Add-FUJITSU-aarch64-MONAKA-cpupart.patch Patch11: 0011-lscpu-New-Arm-part-numbers.patch +### RHEL-10.1.Z +# +# RHEL-134271 - libblkid: use snprintf() instead of sprintf() +Patch12: 0012-libblkid-use-snprintf-instead-of-sprintf.patch +# RHEL-133942 - login-utils: fix setpwnam() buffer use [CVE-2025-14104] +Patch13: 0013-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch + %description The util-linux package contains a large variety of low-level system @@ -988,6 +994,12 @@ fi %changelog ## START: Generated by rpmautospec +* Mon Jan 26 2026 Karel Zak - 2.40.2-15 +- libblkid: use snprintf() instead of sprintf() + +* Tue Dec 16 2025 Karel Zak - 2.40.2-14 +- Fix setpwnam() buffer use [CVE-2025-14104] + * Wed Jul 30 2025 Karel Zak - 2.40.2-13 - lscpu: update table with ARM IDs