From b7756fbd1d47172fe8f104688b6d7cd4aa4794c9 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Mon, 15 Dec 2025 12:31:26 +0100
Subject: [PATCH] RHEL-8.10.Z: setpwnam() and snprintf()
Resolves: RHEL-133946 RHEL-134296
---
 ...lkid-use-snprintf-instead-of-sprintf.patch | 132 ++++++++++++++++++
 ...x-setpwnam-buffer-use-CVE-2025-14104.patch | 50 +++++++
 util-linux.spec | 10 +-
 3 files changed, 191 insertions(+), 1 deletion(-)
 create mode 100644 0106-libblkid-use-snprintf-instead-of-sprintf.patch
 create mode 100644 0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
diff --git a/0106-libblkid-use-snprintf-instead-of-sprintf.patch b/0106-libblkid-use-snprintf-instead-of-sprintf.patch
new file mode 100644
index 0000000..8252ad1
--- /dev/null
+++ b/0106-libblkid-use-snprintf-instead-of-sprintf.patch
@@ -0,0 +1,132 @@
+From 6155468eb3039299b1a6bd2ce9f43d5fb1c5e1a5 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 10 Nov 2025 10:37:09 +0100
+Subject: libblkid: use snprintf() instead of sprintf()
+
+Replace sprintf() calls with snprintf() to ensure proper bounds
+checking when formatting strings.
+
+In encode.c, the check now validates snprintf() return value instead
+of pre-checking buffer size, providing more robust error handling.
+
+In save.c, snprintf() is used with size_t len variables to track
+buffer sizes for temporary and backup filename creation.
+
+In devname.c, snprintf() is used for both fixed-size buffers (with
+sizeof()) and dynamically allocated buffers (with size_t len
+variables).
+
+Addresses: https://issues.redhat.com/browse/RHEL-123531
+
+Signed-off-by: Karel Zak
+---
+ libblkid/src/devname.c | 16 +++++++++-------
+ libblkid/src/encode.c | 6 ++++--
+ libblkid/src/save.c | 10 ++++++----
+ 3 files changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c
+index 59029ec06..56459ebd0 100644
+--- a/libblkid/src/devname.c
++++ b/libblkid/src/devname.c
+@@ -163,7 +163,7 @@ static int is_dm_leaf(const char *devname)
+ strncmp(de->d_name, "dm-", 3) ||
+ strlen(de->d_name) > sizeof(path)-32)
+ continue;
+- sprintf(path, "/sys/block/%s/slaves", de->d_name);
++ snprintf(path, sizeof(path), "/sys/block/%s/slaves", de->d_name);
+ if ((d_dir = opendir(path)) == NULL)
+ continue;
+ while ((d_de = readdir(d_dir)) != NULL) {
+@@ -321,14 +321,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ char *vdirname;
+ char *vg_name;
+ struct dirent *lv_iter;
++ size_t len;
+
+ vg_name = vg_iter->d_name;
+ if (!strcmp(vg_name, ".") || !strcmp(vg_name, ".."))
+ continue;
+- vdirname = malloc(vg_len + strlen(vg_name) + 8);
++ len = vg_len + strlen(vg_name) + 8;
++ vdirname = malloc(len);
+ if (!vdirname)
+ goto exit;
+- sprintf(vdirname, "%s/%s/LVs", VG_DIR, vg_name);
++ snprintf(vdirname, len,
"%s/%s/LVs", VG_DIR, vg_name);
+
+ lv_list = opendir(vdirname);
+ free(vdirname);
+@@ -342,16 +344,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ if (!strcmp(lv_name, ".") || !strcmp(lv_name, ".."))
+ continue;
+
+- lvm_device = malloc(vg_len + strlen(vg_name) +
+- strlen(lv_name) + 8);
++ len = vg_len + strlen(vg_name) + strlen(lv_name) + 8;
++ lvm_device = malloc(len);
+ if (!lvm_device) {
+ closedir(lv_list);
+ goto exit;
+ }
+- sprintf(lvm_device, "%s/%s/LVs/%s", VG_DIR, vg_name,
++ snprintf(lvm_device, len, "%s/%s/LVs/%s", VG_DIR, vg_name,
+ lv_name);
+ dev = lvm_get_devno(lvm_device);
+- sprintf(lvm_device, "%s/%s", vg_name, lv_name);
++ snprintf(lvm_device, len, "%s/%s", vg_name, lv_name);
+ DBG(DEVNAME, ul_debug("LVM dev %s: devno 0x%04X",
+ lvm_device,
+ (unsigned int) dev));
+diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c
+index 33d349127..855ea8057 100644
+--- a/libblkid/src/encode.c
++++ b/libblkid/src/encode.c
+@@ -315,9 +315,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len)
+ j += seqlen;
+ i += (seqlen-1);
+ } else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) {
+- if (len-j < 4)
++ int rc;
++
++ rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]);
++ if (rc != 4)
+ goto err;
+- sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
+ j += 4;
+ } else {
+ if (len-j < 1)
+diff --git a/libblkid/src/save.c b/libblkid/src/save.c
+index 21308a9cf..f21ae6d41 100644
+--- a/libblkid/src/save.c
++++ b/libblkid/src/save.c
+@@ -128,9 +128,10 @@ int blkid_flush_cache(blkid_cache cache)
+ * a temporary file then we open it directly.
+ */
+ if (ret == 0 && S_ISREG(st.st_mode)) {
+- tmp = malloc(strlen(filename) + 8);
++ size_t len = strlen(filename) + 8;
++ tmp = malloc(len);
+ if (tmp) {
+- sprintf(tmp, "%s-XXXXXX", filename);
++ snprintf(tmp, len, "%s-XXXXXX", filename);
+ fd = mkstemp_cloexec(tmp);
+ if (fd >= 0) {
+ if (fchmod(fd, 0644) != 0)
+@@ -178,10 +179,11 @@ int blkid_flush_cache(blkid_cache cache)
+ DBG(SAVE, ul_debug("unlinked temp cache %s", opened));
+ } else {
+ char *backup;
++ size_t len = strlen(filename) + 5;
+
+- backup = malloc(strlen(filename) + 5);
++ backup = malloc(len);
+ if (backup) {
+- sprintf(backup, "%s.old", filename);
++ snprintf(backup, len, "%s.old", filename);
+ unlink(backup);
+ if (link(filename, backup)) {
+ DBG(SAVE, ul_debug("can't link %s to %s",
+--
+2.51.1
+
diff --git a/0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch b/0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
new file mode 100644
index 0000000..7d81d77
--- /dev/null
+++ b/0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
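Review bot: In the encode.c hunk of this patch, `if (rc != 4)` cannot detect truncation, because snprintf() returns the length the output would have had and so still returns 4 when `len-j` is smaller than the 5 bytes the escape and its terminator need. The removed `if (len-j < 4)` was the only size test visible in the hunk, and `j += 4` then advances further than what was actually written; with `len` being a size_t, a later `len-j` would wrap instead of going negative if nothing else bounds `j`. Comparing against the remaining space keeps the stated intent: `if (rc < 0 || (size_t) rc >= len - j) goto err;`. The rest of blkid_encode_string() is outside the hunk, so whether another check there already stops this is not visible here. The devname.c and save.c hunks pass snprintf() the same `len` each buffer was allocated with, so their ignored return values look harmless.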
@@ -0,0 +1,50 @@
+From 680184cb5d3aeb0c92b6dea8056b0c9c0f57e7f6 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 8 Dec 2025 13:36:41 +0100
+Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
+This issue has been originally fixed in the master branch, but
+unfortunately was not backported to stable/v2.41 yet.
+
+References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
+References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
+Signed-off-by: Karel Zak
+(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
+---
+ login-utils/setpwnam.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 0616c7923..07940eff0 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ goto fail;
+
+ namelen = strlen(pwd->pw_name);
+-
++ if (namelen > buflen)
++ buflen += namelen;
+ linebuf = malloc(buflen);
+ if (!linebuf)
+ goto fail;
+@@ -128,10 +129,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ }
+
+ /* Is this the username we were sent to change? */
+- if (!found && linebuf[namelen] == ':' &&
+- !strncmp(linebuf, pwd->pw_name, namelen)) {
+- /* Yes! So go forth in the name of the Lord and
+- * change it! */
++ if (!found &&
++ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++ strlen(linebuf) > namelen &&
++ linebuf[namelen] == ':') {
++ /* Yes! But this time let’s not walk past the end of the buffer
++ * in the name of the Lord, SUID, or anything else. */
+ if (putpwent(pwd, fp) < 0)
+ goto fail;
+ found = true;
+--
+2.51.1
+
diff --git a/util-linux.spec b/util-linux.spec
index c51a266..faa91af 100644
--- a/util-linux.spec
+++ b/util-linux.spec
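Review bot: The new comment in the second setpwnam.c hunk does not record why the reordered condition is safe, which is what a maintainer needs when this CVE-2025-14104 fix is touched again. A comment such as `/* strncmp() and strlen() stop at the terminator, so linebuf[namelen] is only read when it lies inside the string */` would state that the order of the three tests matters; it assumes the read above always leaves linebuf NUL-terminated, which is outside the hunk. In the first hunk, `if (namelen > buflen)` leaves the buffer unchanged when `namelen == buflen`, which appears safe only because of the reordered tests, so `>=` may be the more obvious guard. The initial value of `buflen` and the read loop are not visible here, so that last point is an inference.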
@@ -2,7 +2,7 @@ Summary: A collection of basic system utilities Name: util-linux Version: 2.32.1 -Release: 47%{?dist} +Release: 48%{?dist} License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain Group: System Environment/Base URL: http://en.wikipedia.org/wiki/Util-linux @@ -306,6 +306,10 @@ Patch103: 0103-libblkid-probe-fix-size-and-offset-overflows-fuzzing.patch Patch104: 0104-timeutils-match-today-day-and-this-year-correctly.patch # RHEL-117686 - lslogins: use sd_journal_get_data() in proper way Patch105: 0105-lslogins-use-sd_journal_get_data-in-proper-way.patch +# RHEL-134296 - libblkid: use snprintf() instead of sprintf() +Patch106: 0106-libblkid-use-snprintf-instead-of-sprintf.patch +# RHEL-133946 - login-utils: fix setpwnam() buffer use [CVE-2025-14104] +Patch107: 0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch %description @@ -1155,6 +1159,10 @@ fi %{_libdir}/python*/site-packages/libmount/ %changelog +* Mon Dec 15 2025 Karel Zak 2.32.1-48 +- fix RHEL-134296 - libblkid: use snprintf() instead of sprintf() +- fix RHEL-133946 - login-utils: fix setpwnam() buffer use [CVE-2025-14104] + * Mon Nov 10 2025 Karel Zak 2.32.1-47 - fix RHEL-117686 - lslogins: use sd_journal_get_data() in proper way