import UBI util-linux-2.37.4-21.el9_7

2026-02-04 20:00:34 +00:00 · 2026-02-04 20:00:34 +00:00 · a0123dfe95
commit a0123dfe95
parent e206f54e8d
3 changed files with 185 additions and 0 deletions
--- a/SOURCES/0083-libblkid-use-snprintf-instead-of-sprintf.patch
+++ b/SOURCES/0083-libblkid-use-snprintf-instead-of-sprintf.patch
@ -0,0 +1,124 @@
+From d76f66ad422850011370618e358da560479dabc1 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 6 Oct 2025 15:04:24 +0200
+Subject: libblkid: use snprintf() instead of sprintf()
+
+Replace sprintf() calls with snprintf() to ensure proper bounds
+checking when formatting strings.
+
+In encode.c, the check now validates snprintf() return value instead
+of pre-checking buffer size, providing more robust error handling.
+
+Addresses: https://issues.redhat.com/browse/RHEL-134269
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libblkid/src/devname.c | 16 +++++++++-------
+ libblkid/src/encode.c  |  6 ++++--
+ libblkid/src/save.c    | 10 ++++++----
+ 3 files changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c
+index c541d30ba..a48a81a45 100644
+--- a/libblkid/src/devname.c
+++ b/libblkid/src/devname.c
+@@ -164,7 +164,7 @@ static int is_dm_leaf(const char *devname)
+ 		    strncmp(de->d_name, "dm-", 3) != 0 ||
+ 		    strlen(de->d_name) > sizeof(path)-32)
+ 			continue;
+-		sprintf(path, "/sys/block/%s/slaves", de->d_name);
+		snprintf(path, sizeof(path), "/sys/block/%s/slaves", de->d_name);
+ 		if ((d_dir = opendir(path)) == NULL)
+ 			continue;
+ 		while ((d_de = readdir(d_dir)) != NULL) {
+@@ -321,14 +321,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ 		char		*vdirname;
+ 		char		*vg_name;
+ 		struct dirent	*lv_iter;
+		size_t		len;
+ 
+ 		vg_name = vg_iter->d_name;
+ 		if (!strcmp(vg_name, ".") || !strcmp(vg_name, ".."))
+ 			continue;
+-		vdirname = malloc(vg_len + strlen(vg_name) + 8);
+		len = vg_len + strlen(vg_name) + 8;
+		vdirname = malloc(len);
+ 		if (!vdirname)
+ 			goto exit;
+-		sprintf(vdirname, "%s/%s/LVs", VG_DIR, vg_name);
+		snprintf(vdirname, len, "%s/%s/LVs", VG_DIR, vg_name);
+ 
+ 		lv_list = opendir(vdirname);
+ 		free(vdirname);
+@@ -342,16 +344,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ 			if (!strcmp(lv_name, ".") || !strcmp(lv_name, ".."))
+ 				continue;
+ 
+-			lvm_device = malloc(vg_len + strlen(vg_name) +
+-					    strlen(lv_name) + 8);
+			len = vg_len + strlen(vg_name) + strlen(lv_name) + 8;
+			lvm_device = malloc(len);
+ 			if (!lvm_device) {
+ 				closedir(lv_list);
+ 				goto exit;
+ 			}
+-			sprintf(lvm_device, "%s/%s/LVs/%s", VG_DIR, vg_name,
+			snprintf(lvm_device, len, "%s/%s/LVs/%s", VG_DIR, vg_name,
+ 				lv_name);
+ 			dev = lvm_get_devno(lvm_device);
+-			sprintf(lvm_device, "%s/%s", vg_name, lv_name);
+			snprintf(lvm_device, len, "%s/%s", vg_name, lv_name);
+ 			DBG(DEVNAME, ul_debug("Probe LVM dev %s: devno 0x%04X",
+ 						  lvm_device,
+ 						  (unsigned int) dev));
+diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c
+index 9c2220428..d79865a76 100644
+--- a/libblkid/src/encode.c
+++ b/libblkid/src/encode.c
+@@ -263,9 +263,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len)
+ 			j += seqlen;
+ 			i += (seqlen-1);
+ 		} else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) {
+-			if (len-j < 4)
+			int rc;
+
+			rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]);
+			if (rc != 4)
+ 				goto err;
+-			sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
+ 			j += 4;
+ 		} else {
+ 			if (len-j < 1)
+diff --git a/libblkid/src/save.c b/libblkid/src/save.c
+index 9a342c69c..1a617c072 100644
+--- a/libblkid/src/save.c
+++ b/libblkid/src/save.c
+@@ -128,9 +128,10 @@ int blkid_flush_cache(blkid_cache cache)
+ 	 * a temporary file then we open it directly.
+ 	 */
+ 	if (ret == 0 && S_ISREG(st.st_mode)) {
+-		tmp = malloc(strlen(filename) + 8);
+		size_t len = strlen(filename) + 8;
+		tmp = malloc(len);
+ 		if (tmp) {
+-			sprintf(tmp, "%s-XXXXXX", filename);
+			snprintf(tmp, len, "%s-XXXXXX", filename);
+ 			fd = mkstemp_cloexec(tmp);
+ 			if (fd >= 0) {
+ 				if (fchmod(fd, 0644) != 0)
+@@ -178,10 +179,11 @@ int blkid_flush_cache(blkid_cache cache)
+ 			DBG(SAVE, ul_debug("unlinked temp cache %s", opened));
+ 		} else {
+ 			char *backup;
+			size_t len = strlen(filename) + 5;
+ 
+-			backup = malloc(strlen(filename) + 5);
+			backup = malloc(len);
+ 			if (backup) {
+-				sprintf(backup, "%s.old", filename);
+				snprintf(backup, len, "%s.old", filename);
+ 				unlink(backup);
+ 				if (link(filename, backup)) {
+ 					DBG(SAVE, ul_debug("can't link %s to %s",
+-- 
+2.51.1
+
--- a/SOURCES/0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
+++ b/SOURCES/0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
@ -0,0 +1,50 @@
+From b71c7321ca35aaced4ceb35db11c8629d236aa35 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 8 Dec 2025 13:36:41 +0100
+Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
+This issue has been originally fixed in the master branch, but
+unfortunately was not backported to stable/v2.41 yet.
+
+References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
+References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
+Addresses: https://issues.redhat.com/browse/RHEL-133955
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ login-utils/setpwnam.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..7778e98f7 100644
+--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		goto fail;
+ 
+ 	namelen = strlen(pwd->pw_name);
+-
+	if (namelen > buflen)
+		buflen += namelen;
+ 	linebuf = malloc(buflen);
+ 	if (!linebuf)
+ 		goto fail;
+@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		}
+ 
+ 		/* Is this the username we were sent to change? */
+-		if (!found && linebuf[namelen] == ':' &&
+-		    !strncmp(linebuf, pwd->pw_name, namelen)) {
+-			/* Yes! So go forth in the name of the Lord and
+-			 * change it!  */
+		if (!found &&
+		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
+		    strlen(linebuf) > namelen &&
+		    linebuf[namelen] == ':') {
+			/* Yes! But this time let’s not walk past the end of the buffer
+			 * in the name of the Lord, SUID, or anything else. */
+ 			if (putpwent(pwd, fp) < 0)
+ 				goto fail;
+ 			found = 1;
+-- 
+2.51.1
+
--- a/SPECS/util-linux.spec
+++ b/SPECS/util-linux.spec
@ -236,6 +236,13 @@ Patch81: 0081-lib-timeutils-parse_timestamp-fix-second-parsing.patch
 # RHEL-56983 - sulogin: fix POSIX locale use
 Patch82: 0082-sulogin-fix-POSIX-locale-use.patch

+### RHEL-9.7.Z
+#
+# RHEL-134269 - libblkid: use snprintf() instead of sprintf()
+Patch83: 0083-libblkid-use-snprintf-instead-of-sprintf.patch
+# RHEL-133955 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+Patch84: 0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
+

 %description
 The util-linux package contains a large variety of low-level system
@ -1070,6 +1077,10 @@ fi
 %{_libdir}/python*/site-packages/libmount/

 %changelog
+* Wed Dec 17 2025 Karel Zak <kzak@redhat.com> 2.37.4-21.el9_7
+- fix RHEL-134269 - libblkid: use snprintf() instead of sprintf()
+- fix RHEL-133955 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
 * Thu Jan 16 2025 Karel Zak <kzak@redhat.com> 2.37.4-21
 - fix RHEL-56354 - lib/timeutils: parse_timestamp: fix second parsing
 - fix RHEL-56983 - sulogin: fix POSIX locale use