From a9d564ea67957eaa85513acca99e8cf76cfec53f Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Mon, 30 Mar 2026 11:11:19 -0400
Subject: [PATCH] import CS util-linux-2.37.4-25.el9

---
 .../0083-lscpu-update-ARM-identifiers.patch   |  85 +++++++++++
 ..._raid-backport-checksum-verification.patch | 123 ++++++++++++++++
 ...0085-mount-improve-all-documentation.patch |  41 ++++++
 ...lkid-use-snprintf-instead-of-sprintf.patch | 132 ++++++++++++++++++
 ...-off-by-one-in-maximum-last-sector-c.patch |  46 ++++++
 ...x-setpwnam-buffer-use-CVE-2025-14104.patch |  50 +++++++
 SOURCES/util-linux-uuidd-sysusers.conf        |   1 +
 SPECS/util-linux.spec                         |  45 +++++-
 8 files changed, 517 insertions(+), 6 deletions(-)
 create mode 100644 SOURCES/0083-lscpu-update-ARM-identifiers.patch
 create mode 100644 SOURCES/0084-libblkid-jmicron_raid-backport-checksum-verification.patch
 create mode 100644 SOURCES/0085-mount-improve-all-documentation.patch
 create mode 100644 SOURCES/0086-libblkid-use-snprintf-instead-of-sprintf.patch
 create mode 100644 SOURCES/0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
 create mode 100644 SOURCES/0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
 create mode 100644 SOURCES/util-linux-uuidd-sysusers.conf

diff --git a/SOURCES/0083-lscpu-update-ARM-identifiers.patch b/SOURCES/0083-lscpu-update-ARM-identifiers.patch
new file mode 100644
index 0000000..0b26022
--- /dev/null
+++ b/SOURCES/0083-lscpu-update-ARM-identifiers.patch
@@ -0,0 +1,85 @@
+From 8b55d28ed7671faf627f7614b1cd48724bd02932 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 13 Oct 2025 12:01:52 +0200
+Subject: lscpu: update ARM identifiers
+
+Addresses: https://issues.redhat.com/browse/RHEL-113638
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ sys-utils/lscpu-arm.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/sys-utils/lscpu-arm.c b/sys-utils/lscpu-arm.c
+index 5716f6c51..ac2ff191e 100644
+--- a/sys-utils/lscpu-arm.c
++++ b/sys-utils/lscpu-arm.c
+@@ -102,6 +102,14 @@ static const struct id_part arm_part[] = {
+     { 0xd80, "Cortex-A520" },
+     { 0xd81, "Cortex-A720" },
+     { 0xd82, "Cortex-X4" },
++    { 0xd83, "Neoverse-V3AE" },
++    { 0xd84, "Neoverse-V3" },
++    { 0xd85, "Cortex-X925" },
++    { 0xd87, "Cortex-A725" },
++    { 0xd88, "Cortex-A520AE" },
++    { 0xd89, "Cortex-A720AE" },
++    { 0xd8e, "Neoverse-N3" },
++    { 0xd8f, "Cortex-A320" },
+     { -1, "unknown" },
+ };
+ 
+@@ -171,6 +179,7 @@ static const struct id_part nvidia_part[] = {
+     { 0x000, "Denver" },
+     { 0x003, "Denver 2" },
+     { 0x004, "Carmel" },
++    { 0x010, "Olympus" },
+     { -1, "unknown" },
+ };
+ 
+@@ -254,12 +263,15 @@ static const struct id_part intel_part[] = {
+ 
+ static const struct id_part fujitsu_part[] = {
+     { 0x001, "A64FX" },
++    { 0x003, "MONAKA" },
+     { -1, "unknown" },
+ };
+ 
+ static const struct id_part hisi_part[] = {
+-    { 0xd01, "Kunpeng-920" },	/* aka tsv110 */
++    { 0xd01, "TaiShan-v110" },	/* used in Kunpeng-920 SoC */
++    { 0xd02, "TaiShan-v120" },	/* used in Kirin 990A and 9000S SoCs */
+     { 0xd40, "Cortex-A76" },	/* HiSilicon uses this ID though advertises A76 */
++    { 0xd41, "Cortex-A77" },	/* HiSilicon uses this ID though advertises A77 */
+     { -1, "unknown" },
+ };
+ 
+@@ -270,10 +282,18 @@ static const struct id_part ampere_part[] = {
+ };
+ 
+ static const struct id_part ft_part[] = {
++    { 0x303, "FTC310" },
+     { 0x660, "FTC660" },
+     { 0x661, "FTC661" },
+     { 0x662, "FTC662" },
+     { 0x663, "FTC663" },
++    { 0x664, "FTC664" },
++    { 0x862, "FTC862" },
++    { -1, "unknown" },
++};
++
++static const struct id_part ms_part[] = {
++    { 0xd49, "Azure-Cobalt-100" },
+     { -1, "unknown" },
+ };
+ 
+@@ -304,6 +324,7 @@ static const struct hw_impl hw_implementer[] = {
+     { 0x61, apple_part,   "Apple" },
+     { 0x66, faraday_part, "Faraday" },
+     { 0x69, intel_part,   "Intel" },
++    { 0x6d, ms_part,      "Microsoft" },
+     { 0x70, ft_part,      "Phytium" },
+     { 0xc0, ampere_part,  "Ampere" },
+     { -1,   unknown_part, "unknown" },
+-- 
+2.51.0
+
diff --git a/SOURCES/0084-libblkid-jmicron_raid-backport-checksum-verification.patch b/SOURCES/0084-libblkid-jmicron_raid-backport-checksum-verification.patch
new file mode 100644
index 0000000..a1ef5e0
--- /dev/null
+++ b/SOURCES/0084-libblkid-jmicron_raid-backport-checksum-verification.patch
@@ -0,0 +1,123 @@
+From c5c47008f240ba96c4f3b676349b64cd22eadb14 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 13 Oct 2025 13:21:27 +0200
+Subject: libblkid: (jmicron_raid) backport checksum verification
+
+Backported from RHEL-10. The original code produces false positives.
+
+Addresses: https://issues.redhat.com/browse/RHEL-108386
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libblkid/src/superblocks/jmicron_raid.c | 74 ++++++++++++++++++++-----
+ 1 file changed, 61 insertions(+), 13 deletions(-)
+
+diff --git a/libblkid/src/superblocks/jmicron_raid.c b/libblkid/src/superblocks/jmicron_raid.c
+index ca7986733..4587075ca 100644
+--- a/libblkid/src/superblocks/jmicron_raid.c
++++ b/libblkid/src/superblocks/jmicron_raid.c
+@@ -16,23 +16,65 @@
+ 
+ #include "superblocks.h"
+ 
+-struct jm_metadata {
+-	int8_t		signature[2];
+-	uint8_t		minor_version;
+-	uint8_t		major_version;
+-	uint16_t	checksum;
+-};
+-
+ #define JM_SIGNATURE		"JM"
++#define JM_MINOR_VERSION(_x)	(le16_to_cpu((_x)->version) & 0xFF)
++#define JM_MAJOR_VERSION(_x)	(le16_to_cpu((_x)->version) >> 8)
++#define JM_SPARES		2
++#define JM_MEMBERS		8
++
++struct jm_metadata {
++	int8_t		signature[2];	/* 0x0 - 0x01 */
++
++	uint16_t	version;	/* 0x03 - 0x04 JMicron version */
++
++	uint16_t	checksum;	/* 0x04 - 0x05 */
++	uint8_t		filler[10];
++
++	uint32_t	identity;	/* 0x10 - 0x13 */
++
++	struct {
++		uint32_t	base;	/* 0x14 - 0x17 */
++		uint32_t	range;	/* 0x18 - 0x1B range */
++		uint16_t	range2;	/* 0x1C - 0x1D range2 */
++	} segment;
++
++	int8_t		name[16];	/* 0x20 - 0x2F */
++
++	uint8_t		mode;		/* 0x30 RAID level */
++	uint8_t		block;		/* 0x31 stride size (2=4K, 3=8K, ...) */
++	uint16_t	attribute;	/* 0x32 - 0x33 */
++	uint8_t		filler1[4];
++
++	uint32_t	spare[JM_SPARES];	/* 0x38 - 0x3F */
++	uint32_t	member[JM_MEMBERS];	/* 0x40 - 0x5F */
++
++	uint8_t		filler2[0x20];
++} __attribute__ ((packed));
++
++static int jm_checksum(blkid_probe pr, const struct jm_metadata *jm)
++{
++	size_t count = sizeof(*jm) / sizeof(uint16_t);
++	uint16_t sum = 0;
++	unsigned char *ptr = (unsigned char *) jm;
++
++	while (count--) {
++		uint16_t val;
++
++		memcpy(&val, ptr, sizeof(uint16_t));
++		sum += le16_to_cpu(val);
++
++		ptr += sizeof(uint16_t);
++	}
++
++	return blkid_probe_verify_csum(pr, sum == 0 || sum == 1, 1);
++}
+ 
+ static int probe_jmraid(blkid_probe pr,
+ 		const struct blkid_idmag *mag __attribute__((__unused__)))
+ {
+ 	uint64_t off;
+-	struct jm_metadata *jm;
++	const struct jm_metadata *jm;
+ 
+-	if (pr->size < 0x10000)
+-		return 1;
+ 	if (!S_ISREG(pr->mode) && !blkid_probe_is_wholedisk(pr))
+ 		return 1;
+ 
+@@ -46,8 +88,15 @@ static int probe_jmraid(blkid_probe pr,
+ 
+ 	if (memcmp(jm->signature, JM_SIGNATURE, sizeof(JM_SIGNATURE) - 1) != 0)
+ 		return 1;
++
++	if (!jm_checksum(pr, jm))
++		return 1;
++
++	if (jm->mode > 5)
++		return 1;
++
+ 	if (blkid_probe_sprintf_version(pr, "%u.%u",
+-				jm->major_version, jm->minor_version) != 0)
++			JM_MAJOR_VERSION(jm), JM_MINOR_VERSION(jm)) != 0)
+ 		return 1;
+ 	if (blkid_probe_set_magic(pr, off, sizeof(jm->signature),
+ 				(unsigned char *) jm->signature))
+@@ -58,8 +107,7 @@ static int probe_jmraid(blkid_probe pr,
+ const struct blkid_idinfo jmraid_idinfo = {
+ 	.name		= "jmicron_raid_member",
+ 	.usage		= BLKID_USAGE_RAID,
++	.minsz		= 0x10000,
+ 	.probefunc	= probe_jmraid,
+ 	.magics		= BLKID_NONE_MAGIC
+ };
+-
+-
+-- 
+2.51.0
+
diff --git a/SOURCES/0085-mount-improve-all-documentation.patch b/SOURCES/0085-mount-improve-all-documentation.patch
new file mode 100644
index 0000000..087fc8c
--- /dev/null
+++ b/SOURCES/0085-mount-improve-all-documentation.patch
@@ -0,0 +1,41 @@
+From b9dcdb44a709d4ac285779bb80598b344fb99ac2 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 22 Oct 2025 10:49:23 +0200
+Subject: mount: improve --all documentation
+
+Add notes to the --all option description:
+- Historical context: mount -a was originally designed for init scripts
+- Modern usage: systemd-based distributions use systemd units instead
+- Swap handling: swap entries in fstab are silently ignored, use swapon -a
+
+Addresses: https://issues.redhat.com/browse/RHEL-123527
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ sys-utils/mount.8.adoc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sys-utils/mount.8.adoc b/sys-utils/mount.8.adoc
+index 6e72d48c4..66ea7f61f 100644
+--- a/sys-utils/mount.8.adoc
++++ b/sys-utils/mount.8.adoc
+@@ -299,12 +299,16 @@ The *mount* command does not pass all command-line options to the **/sbin/mount.
+ Command-line options available for the *mount* command are:
+ 
+ *-a*, *--all*::
+-Mount all filesystems (of the given types) mentioned in _fstab_ (except for those whose line contains the *noauto* keyword). The filesystems are mounted following their order in _fstab_. The *mount* command compares filesystem source, target (and fs root for bind mount or btrfs) to detect already mounted filesystems. The kernel table with already mounted filesystems is cached during *mount --all*. This means that all duplicated _fstab_ entries will be mounted.
++Mount all filesystems (of the given types) mentioned in _fstab_ (except for those whose line contains the *noauto* keyword). This option was originally designed for use in init scripts. Note that many modern systemd-based distributions do not use *mount -a* on boot and instead mount filesystems in a more sophisticated way using systemd units.
+++
++The filesystems are mounted following their order in _fstab_. The *mount* command compares filesystem source, target (and fs root for bind mount or btrfs) to detect already mounted filesystems. The kernel table with already mounted filesystems is cached during *mount --all*. This means that all duplicated _fstab_ entries will be mounted.
+ +
+ The option *--all* is possible to use for remount operation too. In this case all filters (*-t* and *-O*) are applied to the table of already mounted filesystems.
+ +
+ Since version 2.35 is possible to use the command line option *-o* to alter mount options from _fstab_ (see also *--options-mode*).
+ +
++Note that swap entries in _fstab_ are silently ignored by *mount -a*. Use *swapon -a* to enable swap devices and files. See *swapon*(8).
+++
+ Note that it is a bad practice to use *mount -a* for _fstab_ checking. The recommended solution is *findmnt --verify*.
+ 
+ *-B*, *--bind*::
+-- 
+2.51.1
+
diff --git a/SOURCES/0086-libblkid-use-snprintf-instead-of-sprintf.patch b/SOURCES/0086-libblkid-use-snprintf-instead-of-sprintf.patch
new file mode 100644
index 0000000..2987d49
--- /dev/null
+++ b/SOURCES/0086-libblkid-use-snprintf-instead-of-sprintf.patch
@@ -0,0 +1,132 @@
+From ffcd2a314076d7e0df92d851480c313a823573a7 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 10 Nov 2025 10:37:09 +0100
+Subject: libblkid: use snprintf() instead of sprintf()
+
+Replace sprintf() calls with snprintf() to ensure proper bounds
+checking when formatting strings.
+
+In encode.c, the check now validates snprintf() return value instead
+of pre-checking buffer size, providing more robust error handling.
+
+In save.c, snprintf() is used with size_t len variables to track
+buffer sizes for temporary and backup filename creation.
+
+In devname.c, snprintf() is used for both fixed-size buffers (with
+sizeof()) and dynamically allocated buffers (with size_t len
+variables).
+
+Addresses: https://issues.redhat.com/browse/RHEL-123531
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libblkid/src/devname.c | 16 +++++++++-------
+ libblkid/src/encode.c  |  6 ++++--
+ libblkid/src/save.c    | 10 ++++++----
+ 3 files changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c
+index c541d30ba..a48a81a45 100644
+--- a/libblkid/src/devname.c
++++ b/libblkid/src/devname.c
+@@ -164,7 +164,7 @@ static int is_dm_leaf(const char *devname)
+ 		    strncmp(de->d_name, "dm-", 3) != 0 ||
+ 		    strlen(de->d_name) > sizeof(path)-32)
+ 			continue;
+-		sprintf(path, "/sys/block/%s/slaves", de->d_name);
++		snprintf(path, sizeof(path), "/sys/block/%s/slaves", de->d_name);
+ 		if ((d_dir = opendir(path)) == NULL)
+ 			continue;
+ 		while ((d_de = readdir(d_dir)) != NULL) {
+@@ -321,14 +321,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ 		char		*vdirname;
+ 		char		*vg_name;
+ 		struct dirent	*lv_iter;
++		size_t		len;
+ 
+ 		vg_name = vg_iter->d_name;
+ 		if (!strcmp(vg_name, ".") || !strcmp(vg_name, ".."))
+ 			continue;
+-		vdirname = malloc(vg_len + strlen(vg_name) + 8);
++		len = vg_len + strlen(vg_name) + 8;
++		vdirname = malloc(len);
+ 		if (!vdirname)
+ 			goto exit;
+-		sprintf(vdirname, "%s/%s/LVs", VG_DIR, vg_name);
++		snprintf(vdirname, len, "%s/%s/LVs", VG_DIR, vg_name);
+ 
+ 		lv_list = opendir(vdirname);
+ 		free(vdirname);
+@@ -342,16 +344,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ 			if (!strcmp(lv_name, ".") || !strcmp(lv_name, ".."))
+ 				continue;
+ 
+-			lvm_device = malloc(vg_len + strlen(vg_name) +
+-					    strlen(lv_name) + 8);
++			len = vg_len + strlen(vg_name) + strlen(lv_name) + 8;
++			lvm_device = malloc(len);
+ 			if (!lvm_device) {
+ 				closedir(lv_list);
+ 				goto exit;
+ 			}
+-			sprintf(lvm_device, "%s/%s/LVs/%s", VG_DIR, vg_name,
++			snprintf(lvm_device, len, "%s/%s/LVs/%s", VG_DIR, vg_name,
+ 				lv_name);
+ 			dev = lvm_get_devno(lvm_device);
+-			sprintf(lvm_device, "%s/%s", vg_name, lv_name);
++			snprintf(lvm_device, len, "%s/%s", vg_name, lv_name);
+ 			DBG(DEVNAME, ul_debug("Probe LVM dev %s: devno 0x%04X",
+ 						  lvm_device,
+ 						  (unsigned int) dev));
+diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c
+index 9c2220428..d79865a76 100644
+--- a/libblkid/src/encode.c
++++ b/libblkid/src/encode.c
+@@ -263,9 +263,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len)
+ 			j += seqlen;
+ 			i += (seqlen-1);
+ 		} else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) {
+-			if (len-j < 4)
++			int rc;
++
++			rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]);
++			if (rc != 4)
+ 				goto err;
+-			sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
+ 			j += 4;
+ 		} else {
+ 			if (len-j < 1)
+diff --git a/libblkid/src/save.c b/libblkid/src/save.c
+index 9a342c69c..1a617c072 100644
+--- a/libblkid/src/save.c
++++ b/libblkid/src/save.c
+@@ -128,9 +128,10 @@ int blkid_flush_cache(blkid_cache cache)
+ 	 * a temporary file then we open it directly.
+ 	 */
+ 	if (ret == 0 && S_ISREG(st.st_mode)) {
+-		tmp = malloc(strlen(filename) + 8);
++		size_t len = strlen(filename) + 8;
++		tmp = malloc(len);
+ 		if (tmp) {
+-			sprintf(tmp, "%s-XXXXXX", filename);
++			snprintf(tmp, len, "%s-XXXXXX", filename);
+ 			fd = mkstemp_cloexec(tmp);
+ 			if (fd >= 0) {
+ 				if (fchmod(fd, 0644) != 0)
+@@ -178,10 +179,11 @@ int blkid_flush_cache(blkid_cache cache)
+ 			DBG(SAVE, ul_debug("unlinked temp cache %s", opened));
+ 		} else {
+ 			char *backup;
++			size_t len = strlen(filename) + 5;
+ 
+-			backup = malloc(strlen(filename) + 5);
++			backup = malloc(len);
+ 			if (backup) {
+-				sprintf(backup, "%s.old", filename);
++				snprintf(backup, len, "%s.old", filename);
+ 				unlink(backup);
+ 				if (link(filename, backup)) {
+ 					DBG(SAVE, ul_debug("can't link %s to %s",
+-- 
+2.51.1
+
diff --git a/SOURCES/0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch b/SOURCES/0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
new file mode 100644
index 0000000..0f27c4e
--- /dev/null
+++ b/SOURCES/0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
@@ -0,0 +1,46 @@
+From d1ae8502f423420320b0a7d2656a3a0cc41f2416 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 30 Oct 2025 12:11:43 +0100
+Subject: libfdisk: (dos) fix off-by-one in maximum last sector calculation
+
+The get_disk_ranges() function incorrectly capped the last usable
+sector at UINT_MAX, which could cause an overflow when calculating
+partition size for MBR partition tables.
+
+MBR stores partition size as a 32-bit value with maximum UINT_MAX.
+The partition size is calculated as: size = stop - start + 1
+
+For a partition starting at sector 0:
+- If stop = UINT_MAX: size = UINT_MAX + 1 (overflow!)
+- If stop = UINT_MAX - 1: size = UINT_MAX (correct maximum)
+
+This fixes the inconsistency where dos_init() correctly warns about
+disks larger than UINT_MAX sectors (2TiB - 512 bytes for 512-byte
+sectors), but get_disk_ranges() allowed creating partitions that
+would overflow the 32-bit size field.
+
+Addresses: https://issues.redhat.com/browse/RHEL-123536
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit 578923fe582903628ecc0d2a434af0affa3660d2)
+---
+ libfdisk/src/dos.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libfdisk/src/dos.c b/libfdisk/src/dos.c
+index 5d93e09b8..e6e0e757c 100644
+--- a/libfdisk/src/dos.c
++++ b/libfdisk/src/dos.c
+@@ -1145,8 +1145,8 @@ static int get_disk_ranges(struct fdisk_context *cxt, int logical,
+ 		else
+ 			*last = cxt->total_sectors - 1;
+ 
+-		if (*last > UINT_MAX)
+-			*last = UINT_MAX;
++		if (*last >= UINT_MAX)
++			*last = UINT_MAX - 1;
+ 		*first = cxt->first_lba;
+ 	}
+ 
+-- 
+2.51.1
+
diff --git a/SOURCES/0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch b/SOURCES/0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
new file mode 100644
index 0000000..8f7db0d
--- /dev/null
+++ b/SOURCES/0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
@@ -0,0 +1,50 @@
+From f6783d9c7dc6ca75d24585325814a869299c6f56 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 8 Dec 2025 13:36:41 +0100
+Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
+This issue has been originally fixed in the master branch, but
+unfortunately was not backported to stable/v2.41 yet.
+
+References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
+References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
+---
+ login-utils/setpwnam.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..7778e98f7 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		goto fail;
+ 
+ 	namelen = strlen(pwd->pw_name);
+-
++	if (namelen > buflen)
++		buflen += namelen;
+ 	linebuf = malloc(buflen);
+ 	if (!linebuf)
+ 		goto fail;
+@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		}
+ 
+ 		/* Is this the username we were sent to change? */
+-		if (!found && linebuf[namelen] == ':' &&
+-		    !strncmp(linebuf, pwd->pw_name, namelen)) {
+-			/* Yes! So go forth in the name of the Lord and
+-			 * change it!  */
++		if (!found &&
++		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++		    strlen(linebuf) > namelen &&
++		    linebuf[namelen] == ':') {
++			/* Yes! But this time let’s not walk past the end of the buffer
++			 * in the name of the Lord, SUID, or anything else. */
+ 			if (putpwent(pwd, fp) < 0)
+ 				goto fail;
+ 			found = 1;
+-- 
+2.51.1
+
diff --git a/SOURCES/util-linux-uuidd-sysusers.conf b/SOURCES/util-linux-uuidd-sysusers.conf
new file mode 100644
index 0000000..afd02eb
--- /dev/null
+++ b/SOURCES/util-linux-uuidd-sysusers.conf
@@ -0,0 +1 @@
+u uuidd - "UUID generator helper daemon" /var/lib/libuuid
diff --git a/SPECS/util-linux.spec b/SPECS/util-linux.spec
index ddccaa5..9cd213f 100644
--- a/SPECS/util-linux.spec
+++ b/SPECS/util-linux.spec
@@ -2,7 +2,7 @@
 Summary: A collection of basic system utilities
 Name: util-linux
 Version: 2.37.4
-Release: 21%{?dist}
+Release: 25%{?dist}
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 URL: http://en.wikipedia.org/wiki/Util-linux
 
@@ -28,6 +28,7 @@ BuildRequires: popt-devel
 BuildRequires: libutempter-devel
 Buildrequires: systemd-devel
 BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
 Buildrequires: libuser-devel
 BuildRequires: libcap-ng-devel
 BuildRequires: %{pypkg}-devel
@@ -37,6 +38,7 @@ BuildRequires: rubygem-asciidoctor
 %ifarch ppc64le
 BuildRequires: librtas-devel
 %endif
+%{?sysusers_requires_compat}
 
 # enable if make changes to build-system
 #BuildRequires: autoconf
@@ -55,6 +57,7 @@ Source12: util-linux-su.pamd
 Source13: util-linux-su-l.pamd
 Source14: util-linux-runuser.pamd
 Source15: util-linux-runuser-l.pamd
+Source16: util-linux-uuidd-sysusers.conf
 
 ### Obsoletes & Conflicts & Provides
 Conflicts: initscripts < 9.79-4
@@ -236,6 +239,21 @@ Patch81: 0081-lib-timeutils-parse_timestamp-fix-second-parsing.patch
 # RHEL-56983 - sulogin: fix POSIX locale use
 Patch82: 0082-sulogin-fix-POSIX-locale-use.patch
 
+### RHEL-9.8
+#
+# RHEL-113638 - lscpu: update ARM identifiers
+Patch83: 0083-lscpu-update-ARM-identifiers.patch
+# RHEL-108386 - libblkid: (jmicron_raid) backport checksum verification
+Patch84: 0084-libblkid-jmicron_raid-backport-checksum-verification.patch
+# RHEL-123527 - mount: improve --all documentation
+Patch85: 0085-mount-improve-all-documentation.patch
+# RHEL-123531 - libblkid: use snprintf() instead of sprintf()
+Patch86: 0086-libblkid-use-snprintf-instead-of-sprintf.patch
+# RHEL-123536 - libfdisk: (dos) fix off-by-one in maximum last sector calculation
+Patch87: 0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
+# RHEL-133956 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+Patch88: 0088-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
+
 
 %description
 The util-linux package contains a large variety of low-level system
@@ -489,6 +507,8 @@ install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/uuidd.conf
 install -d ${RPM_BUILD_ROOT}/run/uuidd
 install -d ${RPM_BUILD_ROOT}/var/lib/libuuid
 
+install -m 644 -D %{SOURCE16} %{buildroot}%{_sysusersdir}/uuidd-sysusers.conf
+
 # /etc/adjtime
 install -m 644 %{SOURCE5} ${RPM_BUILD_ROOT}%{_sysconfdir}/adjtime
 
@@ -590,11 +610,8 @@ for I in /etc/blkid.tab /etc/blkid.tab.old \
 done
 
 %pre -n uuidd
-getent group uuidd >/dev/null || groupadd -r uuidd
-getent passwd uuidd >/dev/null || \
-useradd -r -g uuidd -d /var/lib/libuuid -s /sbin/nologin \
-    -c "UUID generator helper daemon" uuidd
-exit 0
+%sysusers_create_compat %{SOURCE16}
+
 
 # Please, keep uuidd running after installation! Note that systemd_post is
 # "systemctl preset" and it enable/disable service only.
@@ -995,6 +1012,7 @@ fi
 %dir %attr(2775, uuidd, uuidd) /run/uuidd
 %{compldir}/uuidd
 %{_tmpfilesdir}/uuidd.conf
+%{_sysusersdir}/uuidd-sysusers.conf
 
 
 %files -n libfdisk
@@ -1070,6 +1088,21 @@ fi
 %{_libdir}/python*/site-packages/libmount/
 
 %changelog
+* Mon Jan 19 2026 Karel Zak <kzak@redhat.com> 2.37.4-25
+- fix RHEL-132706 - use sysusers.d for uuidd
+
+* Mon Dec 15 2025 Karel Zak <kzak@redhat.com> 2.37.4-24
+- fix RHEL-133956 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
+* Mon Nov 10 2025 Karel Zak <kzak@redhat.com> 2.37.4-23
+- fix RHEL-123527 - mount: improve --all documentation
+- fix RHEL-123531 - libblkid: use snprintf() instead of sprintf()
+- fix RHEL-123536 - libfdisk: (dos) fix off-by-one in maximum last sector calculation
+
+* Mon Oct 13 2025 Karel Zak <kzak@redhat.com> 2.37.4-22
+- fix RHEL-113638 - lscpu: update ARM identifiers
+- fix RHEL-108386 - libblkid: (jmicron_raid) backport checksum verification
+
 * Thu Jan 16 2025 Karel Zak <kzak@redhat.com> 2.37.4-21
 - fix RHEL-56354 - lib/timeutils: parse_timestamp: fix second parsing
 - fix RHEL-56983 - sulogin: fix POSIX locale use