Fix heap buffer overread in setpwnam() [CVE-2025-14104]
Resolves: RHEL-133943
parent
c2ee14017e
commit
bde27314c0
@ -0,0 +1,50 @@
|
||||
From c84b027a5552b89a1bdbabed1faea7b1583efd1b Mon Sep 17 00:00:00 2001
|
||||
From: Karel Zak <kzak@redhat.com>
|
||||
Date: Mon, 8 Dec 2025 13:36:41 +0100
|
||||
Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
|
||||
|
||||
This issue has been originally fixed in the master branch, but
|
||||
unfortunately was not backported to stable/v2.41 yet.
|
||||
|
||||
References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
|
||||
References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
|
||||
Signed-off-by: Karel Zak <kzak@redhat.com>
|
||||
(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
|
||||
---
|
||||
login-utils/setpwnam.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
|
||||
index 3e3c1abde..7778e98f7 100644
|
||||
--- a/login-utils/setpwnam.c
|
||||
+++ b/login-utils/setpwnam.c
|
||||
@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
|
||||
goto fail;
|
||||
|
||||
namelen = strlen(pwd->pw_name);
|
||||
-
|
||||
+ if (namelen > buflen)
|
||||
+ buflen += namelen;
|
||||
linebuf = malloc(buflen);
|
||||
if (!linebuf)
|
||||
goto fail;
|
||||
@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
|
||||
}
|
||||
|
||||
/* Is this the username we were sent to change? */
|
||||
- if (!found && linebuf[namelen] == ':' &&
|
||||
- !strncmp(linebuf, pwd->pw_name, namelen)) {
|
||||
- /* Yes! So go forth in the name of the Lord and
|
||||
- * change it! */
|
||||
+ if (!found &&
|
||||
+ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
|
||||
+ strlen(linebuf) > namelen &&
|
||||
+ linebuf[namelen] == ':') {
|
||||
+ /* Yes! But this time let’s not walk past the end of the buffer
|
||||
+ * in the name of the Lord, SUID, or anything else. */
|
||||
if (putpwent(pwd, fp) < 0)
|
||||
goto fail;
|
||||
found = 1;
|
||||
--
|
||||
2.51.1
|
||||
|
||||
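Review bot: In the second hunk of the embedded setpwnam.c patch, the bounds safety of `linebuf[namelen]` rests entirely on the order of the `&&` terms, and the new comment does not say so. `namelen` is `strlen(pwd->pw_name)` and `strncmp()` stops at the NUL in `linebuf`, so a match over `namelen` bytes shows the line holds at least that many bytes; the index read is in bounds only because it is evaluated last. I would replace the joke comment with the invariant, e.g. `/* Keep this order: strncmp() and strlen() prove linebuf holds more than namelen bytes before linebuf[namelen] is read. */`, so a later tidy-up does not move the index check back to the front. The first hunk grows `buflen` only when `namelen > buflen`, so with `namelen == buflen` the allocation is unchanged and the ordering is the only guard; a one-line comment there on what the growth is for would help. The read loop that fills and reallocates `linebuf` lies outside both hunks, so how `buflen` tracks later growth cannot be confirmed from this page.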
@ -136,6 +136,8 @@ Patch17: 0017-libblkid-Fix-probe_ioctl_tp-assigning-BLKGETDISKSEQ-.patch
|
||||
Patch18: 0018-libblkid-use-snprintf-instead-of-sprintf.patch
|
||||
# RHEL-122367 - libfdisk: (dos) fix off-by-one in maximum last sector calculation
|
||||
Patch19: 0019-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
|
||||
# RHEL-133943- login-utils: fix setpwnam() buffer use [CVE-2025-14104]
|
||||
Patch20: 0020-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
|
||||
|
||||
|
||||
%description
|
||||
|
||||