From bde27314c01431821a0dd620a51643ab2170c40b Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 15 Dec 2025 11:44:43 +0100
Subject: [PATCH] Fix heap buffer overread in setpwnam() [CVE-2025-14104]

Resolves: RHEL-133943
---
 ...x-setpwnam-buffer-use-CVE-2025-14104.patch | 50 +++++++++++++++++++
 util-linux.spec                               |  2 +
 2 files changed, 52 insertions(+)
 create mode 100644 0020-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch

diff --git a/0020-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch b/0020-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
new file mode 100644
index 0000000..2b690ea
--- /dev/null
+++ b/0020-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
@@ -0,0 +1,50 @@
+From c84b027a5552b89a1bdbabed1faea7b1583efd1b Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 8 Dec 2025 13:36:41 +0100
+Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+
+This issue has been originally fixed in the master branch, but
+unfortunately was not backported to stable/v2.41 yet.
+
+References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
+References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
+---
+ login-utils/setpwnam.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..7778e98f7 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		goto fail;
+ 
+ 	namelen = strlen(pwd->pw_name);
+-
++	if (namelen > buflen)
++		buflen += namelen;
+ 	linebuf = malloc(buflen);
+ 	if (!linebuf)
+ 		goto fail;
+@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		}
+ 
+ 		/* Is this the username we were sent to change? */
+-		if (!found && linebuf[namelen] == ':' &&
+-		    !strncmp(linebuf, pwd->pw_name, namelen)) {
+-			/* Yes! So go forth in the name of the Lord and
+-			 * change it!  */
++		if (!found &&
++		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++		    strlen(linebuf) > namelen &&
++		    linebuf[namelen] == ':') {
++			/* Yes! But this time let’s not walk past the end of the buffer
++			 * in the name of the Lord, SUID, or anything else. */
+ 			if (putpwent(pwd, fp) < 0)
+ 				goto fail;
+ 			found = 1;
+-- 
+2.51.1
+
diff --git a/util-linux.spec b/util-linux.spec
index 424fc04..58a036c 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -136,6 +136,8 @@ Patch17: 0017-libblkid-Fix-probe_ioctl_tp-assigning-BLKGETDISKSEQ-.patch
 Patch18: 0018-libblkid-use-snprintf-instead-of-sprintf.patch
 # RHEL-122367 - libfdisk: (dos) fix off-by-one in maximum last sector calculation
 Patch19: 0019-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
+# RHEL-133943- login-utils: fix setpwnam() buffer use [CVE-2025-14104]
+Patch20: 0020-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
 
 
 %description