From a0123dfe957dd705aab1dad7497e00f8d366b164 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 4 Feb 2026 20:00:34 +0000 Subject: [PATCH] import UBI util-linux-2.37.4-21.el9_7 --- ...lkid-use-snprintf-instead-of-sprintf.patch | 124 ++++++++++++++++++ ...x-setpwnam-buffer-use-CVE-2025-14104.patch | 50 +++++++ SPECS/util-linux.spec | 11 ++ 3 files changed, 185 insertions(+) create mode 100644 SOURCES/0083-libblkid-use-snprintf-instead-of-sprintf.patch create mode 100644 SOURCES/0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch diff --git a/SOURCES/0083-libblkid-use-snprintf-instead-of-sprintf.patch b/SOURCES/0083-libblkid-use-snprintf-instead-of-sprintf.patch new file mode 100644 index 0000000..8f45cfe --- /dev/null +++ b/SOURCES/0083-libblkid-use-snprintf-instead-of-sprintf.patch @@ -0,0 +1,124 @@ +From d76f66ad422850011370618e358da560479dabc1 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Mon, 6 Oct 2025 15:04:24 +0200 +Subject: libblkid: use snprintf() instead of sprintf() + +Replace sprintf() calls with snprintf() to ensure proper bounds +checking when formatting strings. + +In encode.c, the check now validates snprintf() return value instead +of pre-checking buffer size, providing more robust error handling. + +Addresses: https://issues.redhat.com/browse/RHEL-134269 +Signed-off-by: Karel Zak +--- + libblkid/src/devname.c | 16 +++++++++------- + libblkid/src/encode.c | 6 ++++-- + libblkid/src/save.c | 10 ++++++---- + 3 files changed, 19 insertions(+), 13 deletions(-) + +diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c +index c541d30ba..a48a81a45 100644 +--- a/libblkid/src/devname.c ++++ b/libblkid/src/devname.c +@@ -164,7 +164,7 @@ static int is_dm_leaf(const char *devname) + strncmp(de->d_name, "dm-", 3) != 0 || + strlen(de->d_name) > sizeof(path)-32) + continue; +- sprintf(path, "/sys/block/%s/slaves", de->d_name); ++ snprintf(path, sizeof(path), "/sys/block/%s/slaves", de->d_name); + if ((d_dir = opendir(path)) == NULL) + continue; + while ((d_de = readdir(d_dir)) != NULL) { +@@ -321,14 +321,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new) + char *vdirname; + char *vg_name; + struct dirent *lv_iter; ++ size_t len; + + vg_name = vg_iter->d_name; + if (!strcmp(vg_name, ".") || !strcmp(vg_name, "..")) + continue; +- vdirname = malloc(vg_len + strlen(vg_name) + 8); ++ len = vg_len + strlen(vg_name) + 8; ++ vdirname = malloc(len); + if (!vdirname) + goto exit; +- sprintf(vdirname, "%s/%s/LVs", VG_DIR, vg_name); ++ snprintf(vdirname, len, "%s/%s/LVs", VG_DIR, vg_name); + + lv_list = opendir(vdirname); + free(vdirname); +@@ -342,16 +344,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new) + if (!strcmp(lv_name, ".") || !strcmp(lv_name, "..")) + continue; + +- lvm_device = malloc(vg_len + strlen(vg_name) + +- strlen(lv_name) + 8); ++ len = vg_len + strlen(vg_name) + strlen(lv_name) + 8; ++ lvm_device = malloc(len); + if (!lvm_device) { + closedir(lv_list); + goto exit; + } +- sprintf(lvm_device, "%s/%s/LVs/%s", VG_DIR, vg_name, ++ snprintf(lvm_device, len, "%s/%s/LVs/%s", VG_DIR, vg_name, + lv_name); + dev = lvm_get_devno(lvm_device); +- sprintf(lvm_device, "%s/%s", vg_name, lv_name); ++ snprintf(lvm_device, len, "%s/%s", vg_name, lv_name); + DBG(DEVNAME, ul_debug("Probe LVM dev %s: devno 0x%04X", + lvm_device, + (unsigned int) dev)); +diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c +index 9c2220428..d79865a76 100644 +--- a/libblkid/src/encode.c ++++ b/libblkid/src/encode.c +@@ -263,9 +263,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len) + j += seqlen; + i += (seqlen-1); + } else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) { +- if (len-j < 4) ++ int rc; ++ ++ rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]); ++ if (rc != 4) + goto err; +- sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]); + j += 4; + } else { + if (len-j < 1) +diff --git a/libblkid/src/save.c b/libblkid/src/save.c +index 9a342c69c..1a617c072 100644 +--- a/libblkid/src/save.c ++++ b/libblkid/src/save.c +@@ -128,9 +128,10 @@ int blkid_flush_cache(blkid_cache cache) + * a temporary file then we open it directly. + */ + if (ret == 0 && S_ISREG(st.st_mode)) { +- tmp = malloc(strlen(filename) + 8); ++ size_t len = strlen(filename) + 8; ++ tmp = malloc(len); + if (tmp) { +- sprintf(tmp, "%s-XXXXXX", filename); ++ snprintf(tmp, len, "%s-XXXXXX", filename); + fd = mkstemp_cloexec(tmp); + if (fd >= 0) { + if (fchmod(fd, 0644) != 0) +@@ -178,10 +179,11 @@ int blkid_flush_cache(blkid_cache cache) + DBG(SAVE, ul_debug("unlinked temp cache %s", opened)); + } else { + char *backup; ++ size_t len = strlen(filename) + 5; + +- backup = malloc(strlen(filename) + 5); ++ backup = malloc(len); + if (backup) { +- sprintf(backup, "%s.old", filename); ++ snprintf(backup, len, "%s.old", filename); + unlink(backup); + if (link(filename, backup)) { + DBG(SAVE, ul_debug("can't link %s to %s", +-- +2.51.1 + diff --git a/SOURCES/0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch b/SOURCES/0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch new file mode 100644 index 0000000..0a83edf --- /dev/null +++ b/SOURCES/0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch @@ -0,0 +1,50 @@ +From b71c7321ca35aaced4ceb35db11c8629d236aa35 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Mon, 8 Dec 2025 13:36:41 +0100 +Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104] + +This issue has been originally fixed in the master branch, but +unfortunately was not backported to stable/v2.41 yet. + +References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 +References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a +Addresses: https://issues.redhat.com/browse/RHEL-133955 +Signed-off-by: Karel Zak +--- + login-utils/setpwnam.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c +index 3e3c1abde..7778e98f7 100644 +--- a/login-utils/setpwnam.c ++++ b/login-utils/setpwnam.c +@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix) + goto fail; + + namelen = strlen(pwd->pw_name); +- ++ if (namelen > buflen) ++ buflen += namelen; + linebuf = malloc(buflen); + if (!linebuf) + goto fail; +@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix) + } + + /* Is this the username we were sent to change? */ +- if (!found && linebuf[namelen] == ':' && +- !strncmp(linebuf, pwd->pw_name, namelen)) { +- /* Yes! So go forth in the name of the Lord and +- * change it! */ ++ if (!found && ++ strncmp(linebuf, pwd->pw_name, namelen) == 0 && ++ strlen(linebuf) > namelen && ++ linebuf[namelen] == ':') { ++ /* Yes! But this time let’s not walk past the end of the buffer ++ * in the name of the Lord, SUID, or anything else. */ + if (putpwent(pwd, fp) < 0) + goto fail; + found = 1; +-- +2.51.1 + diff --git a/SPECS/util-linux.spec b/SPECS/util-linux.spec index ddccaa5..4d3ae49 100644 --- a/SPECS/util-linux.spec +++ b/SPECS/util-linux.spec @@ -236,6 +236,13 @@ Patch81: 0081-lib-timeutils-parse_timestamp-fix-second-parsing.patch # RHEL-56983 - sulogin: fix POSIX locale use Patch82: 0082-sulogin-fix-POSIX-locale-use.patch +### RHEL-9.7.Z +# +# RHEL-134269 - libblkid: use snprintf() instead of sprintf() +Patch83: 0083-libblkid-use-snprintf-instead-of-sprintf.patch +# RHEL-133955 - login-utils: fix setpwnam() buffer use [CVE-2025-14104] +Patch84: 0084-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch + %description The util-linux package contains a large variety of low-level system @@ -1070,6 +1077,10 @@ fi %{_libdir}/python*/site-packages/libmount/ %changelog +* Wed Dec 17 2025 Karel Zak 2.37.4-21.el9_7 +- fix RHEL-134269 - libblkid: use snprintf() instead of sprintf() +- fix RHEL-133955 - login-utils: fix setpwnam() buffer use [CVE-2025-14104] + * Thu Jan 16 2025 Karel Zak 2.37.4-21 - fix RHEL-56354 - lib/timeutils: parse_timestamp: fix second parsing - fix RHEL-56983 - sulogin: fix POSIX locale use