No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

4 changed files with 2 additions and 305 deletions


@ -1,109 +0,0 @@
From ee95720a5d0507dfbdac99b0daeab6387cdc5832 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 22 Jul 2021 11:03:54 +0200
Subject: lslogins: use sd_journal_get_data() in proper way
man sd_journal_get_data:
The returned data is in a read-only memory map and is only valid until the next invocation
of sd_journal_get_data().
This means that using the data after three sd_journal_get_data() calls is a
really bad idea. It also seems better not to assume the fields are zero
terminated, as the journal API works with void* and size_t to address the
data.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1984704
Addresses: https://issues.redhat.com/browse/RHEL-117686
Signed-off-by: Karel Zak <kzak@redhat.com>
(cherry picked from commit 31d730eb7730f186a0a245f97a09df2fa625f6bd)
---
login-utils/lslogins.c | 57 +++++++++++++++++++++++++-----------------
1 file changed, 34 insertions(+), 23 deletions(-)
diff --git a/login-utils/lslogins.c b/login-utils/lslogins.c
index b81afc6c7..f8ce73101 100644
--- a/login-utils/lslogins.c
+++ b/login-utils/lslogins.c
@@ -1173,14 +1173,28 @@ static void fill_table(const void *u, const VISIT which, const int depth __attri
return;
}
#ifdef HAVE_LIBSYSTEMD
+static char *get_journal_data(sd_journal *j, const char *name)
+{
+ const char *data = NULL, *p;
+ size_t len = 0;
+
+ if (sd_journal_get_data(j, name, (const void **) &data, &len) < 0
+ || !data || !len)
+ return NULL;
+
+ /* Get rid of journal entry field identifiers */
+ p = strnchr(data, len, '=');
+ if (!p || !*(p + 1))
+ return NULL;
+ p++;
+
+ return xstrndup(p, len - (p - data));
+}
+
static void print_journal_tail(const char *journal_path, uid_t uid, size_t len, int time_mode)
{
sd_journal *j;
- char *match, *timestamp;
- uint64_t x;
- time_t t;
- const char *identifier, *pid, *message;
- size_t identifier_len, pid_len, message_len;
+ char *match;
if (journal_path)
sd_journal_open_directory(&j, journal_path, 0);
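Review bot: In get_journal_data() the test `!*(p + 1)` reads the byte after the '=' without first checking that it is still inside the `len` bytes returned by sd_journal_get_data(), so a field that ends at the '=' makes it read `data[len]`. The commit message itself says the fields should not be assumed to be zero terminated. Comparing offsets keeps the read inside the returned region: `if (!p || (size_t)(p + 1 - data) >= len) return NULL;`. A one-line comment on the helper saying that the caller owns and must free the returned string would also help. print_journal_tail() continues outside this hunk.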
@@ -1194,30 +1208,27 @@ static void print_journal_tail(const char *journal_path, uid_t uid, size_t len,
sd_journal_previous_skip(j, len);
do {
- if (0 > sd_journal_get_data(j, "SYSLOG_IDENTIFIER",
- (const void **) &identifier, &identifier_len))
- goto done;
- if (0 > sd_journal_get_data(j, "_PID",
- (const void **) &pid, &pid_len))
- goto done;
- if (0 > sd_journal_get_data(j, "MESSAGE",
- (const void **) &message, &message_len))
- goto done;
+ char *id, *pid, *msg, *ts;
+ uint64_t x;
+ time_t t;
sd_journal_get_realtime_usec(j, &x);
t = x / 1000000;
- timestamp = make_time(time_mode, t);
- /* Get rid of journal entry field identifiers */
- identifier = strchr(identifier, '=') + 1;
- pid = strchr(pid, '=') + 1;
- message = strchr(message, '=') + 1;
+ ts = make_time(time_mode, t);
- fprintf(stdout, "%s %s[%s]: %s\n", timestamp, identifier, pid,
- message);
- free(timestamp);
+ id = get_journal_data(j, "SYSLOG_IDENTIFIER");
+ pid = get_journal_data(j, "_PID");
+ msg = get_journal_data(j, "MESSAGE");
+
+ if (ts && id && pid && msg)
+ fprintf(stdout, "%s %s[%s]: %s\n", ts, id, pid, msg);
+
+ free(ts);
+ free(id);
+ free(pid);
+ free(msg);
} while (sd_journal_next(j));
-done:
free(match);
sd_journal_flush_matches(j);
sd_journal_close(j);
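Review bot: `x` is now declared inside the loop without an initializer, and the return value of sd_journal_get_realtime_usec() on the following context line is not checked, so a failed call leaves `t = x / 1000000` computed from an indeterminate value and a bogus timestamp is printed. Skip the entry in that case with `if (sd_journal_get_realtime_usec(j, &x) < 0) continue;`, placed before anything is allocated. The loop also now silently drops entries with a missing field where the old code jumped to `done:`; a short comment saying this is intended would save the next reader a trip through the history.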
--
2.51.1


@ -1,132 +0,0 @@
From 6155468eb3039299b1a6bd2ce9f43d5fb1c5e1a5 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 10 Nov 2025 10:37:09 +0100
Subject: libblkid: use snprintf() instead of sprintf()
Replace sprintf() calls with snprintf() to ensure proper bounds
checking when formatting strings.
In encode.c, the check now validates snprintf() return value instead
of pre-checking buffer size, providing more robust error handling.
In save.c, snprintf() is used with size_t len variables to track
buffer sizes for temporary and backup filename creation.
In devname.c, snprintf() is used for both fixed-size buffers (with
sizeof()) and dynamically allocated buffers (with size_t len
variables).
Addresses: https://issues.redhat.com/browse/RHEL-123531
Signed-off-by: Karel Zak <kzak@redhat.com>
---
libblkid/src/devname.c | 16 +++++++++-------
libblkid/src/encode.c | 6 ++++--
libblkid/src/save.c | 10 ++++++----
3 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c
index 59029ec06..56459ebd0 100644
--- a/libblkid/src/devname.c
+++ b/libblkid/src/devname.c
@@ -163,7 +163,7 @@ static int is_dm_leaf(const char *devname)
strncmp(de->d_name, "dm-", 3) ||
strlen(de->d_name) > sizeof(path)-32)
continue;
- sprintf(path, "/sys/block/%s/slaves", de->d_name);
+ snprintf(path, sizeof(path), "/sys/block/%s/slaves", de->d_name);
if ((d_dir = opendir(path)) == NULL)
continue;
while ((d_de = readdir(d_dir)) != NULL) {
@@ -321,14 +321,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
char *vdirname;
char *vg_name;
struct dirent *lv_iter;
+ size_t len;
vg_name = vg_iter->d_name;
if (!strcmp(vg_name, ".") || !strcmp(vg_name, ".."))
continue;
- vdirname = malloc(vg_len + strlen(vg_name) + 8);
+ len = vg_len + strlen(vg_name) + 8;
+ vdirname = malloc(len);
if (!vdirname)
goto exit;
- sprintf(vdirname, "%s/%s/LVs", VG_DIR, vg_name);
+ snprintf(vdirname, len, "%s/%s/LVs", VG_DIR, vg_name);
lv_list = opendir(vdirname);
free(vdirname);
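Review bot: The result of snprintf() is ignored here, so if the `+ 8` slack ever stops matching the format string, the path is silently shortened and handed to opendir(). The same applies to the second lvm_probe_all() hunk and to both blkid_flush_cache() hunks in save.c, where a shortened name would reach mkstemp_cloexec(), unlink() and link(). Checking the return enforces the bound instead of assuming it, e.g. `if ((size_t) snprintf(vdirname, len, "%s/%s/LVs", VG_DIR, vg_name) >= len) { free(vdirname); continue; }`. The size computation also appears to rely on vg_len being strlen(VG_DIR), which is set outside this hunk.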
@@ -342,16 +344,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
if (!strcmp(lv_name, ".") || !strcmp(lv_name, ".."))
continue;
- lvm_device = malloc(vg_len + strlen(vg_name) +
- strlen(lv_name) + 8);
+ len = vg_len + strlen(vg_name) + strlen(lv_name) + 8;
+ lvm_device = malloc(len);
if (!lvm_device) {
closedir(lv_list);
goto exit;
}
- sprintf(lvm_device, "%s/%s/LVs/%s", VG_DIR, vg_name,
+ snprintf(lvm_device, len, "%s/%s/LVs/%s", VG_DIR, vg_name,
lv_name);
dev = lvm_get_devno(lvm_device);
- sprintf(lvm_device, "%s/%s", vg_name, lv_name);
+ snprintf(lvm_device, len, "%s/%s", vg_name, lv_name);
DBG(DEVNAME, ul_debug("LVM dev %s: devno 0x%04X",
lvm_device,
(unsigned int) dev));
diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c
index 33d349127..855ea8057 100644
--- a/libblkid/src/encode.c
+++ b/libblkid/src/encode.c
@@ -315,9 +315,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len)
j += seqlen;
i += (seqlen-1);
} else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) {
- if (len-j < 4)
+ int rc;
+
+ rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]);
+ if (rc != 4)
goto err;
- sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
j += 4;
} else {
if (len-j < 1)
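Review bot: `if (rc != 4)` cannot detect truncation, because snprintf() returns the length the output would have had, which is 4 for `"\\x%02x"` whatever `len-j` is. With the old `len-j < 4` pre-check removed, a nearly full buffer now receives a cut-off escape sequence, `j += 4` can step past `len`, and the later `len-j` tests would wrap if `j` and `len` are both unsigned (the declaration of `j` is outside the hunk). Compare against the remaining space instead: `if (rc < 0 || (size_t) rc >= len - j) goto err;`. The rest of blkid_encode_string() is outside this hunk, so the final terminator handling should be checked against the same bound.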
diff --git a/libblkid/src/save.c b/libblkid/src/save.c
index 21308a9cf..f21ae6d41 100644
--- a/libblkid/src/save.c
+++ b/libblkid/src/save.c
@@ -128,9 +128,10 @@ int blkid_flush_cache(blkid_cache cache)
* a temporary file then we open it directly.
*/
if (ret == 0 && S_ISREG(st.st_mode)) {
- tmp = malloc(strlen(filename) + 8);
+ size_t len = strlen(filename) + 8;
+ tmp = malloc(len);
if (tmp) {
- sprintf(tmp, "%s-XXXXXX", filename);
+ snprintf(tmp, len, "%s-XXXXXX", filename);
fd = mkstemp_cloexec(tmp);
if (fd >= 0) {
if (fchmod(fd, 0644) != 0)
@@ -178,10 +179,11 @@ int blkid_flush_cache(blkid_cache cache)
DBG(SAVE, ul_debug("unlinked temp cache %s", opened));
} else {
char *backup;
+ size_t len = strlen(filename) + 5;
- backup = malloc(strlen(filename) + 5);
+ backup = malloc(len);
if (backup) {
- sprintf(backup, "%s.old", filename);
+ snprintf(backup, len, "%s.old", filename);
unlink(backup);
if (link(filename, backup)) {
DBG(SAVE, ul_debug("can't link %s to %s",
--
2.51.1


@ -1,50 +0,0 @@
From 680184cb5d3aeb0c92b6dea8056b0c9c0f57e7f6 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 8 Dec 2025 13:36:41 +0100
Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
This issue was originally fixed in the master branch, but
unfortunately has not been backported to stable/v2.41 yet.
References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
Signed-off-by: Karel Zak <kzak@redhat.com>
(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
---
login-utils/setpwnam.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
index 0616c7923..07940eff0 100644
--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
goto fail;
namelen = strlen(pwd->pw_name);
-
+ if (namelen > buflen)
+ buflen += namelen;
linebuf = malloc(buflen);
if (!linebuf)
goto fail;
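Review bot: The new `if (namelen > buflen)` leaves the buffer ungrown when namelen equals buflen, and in that case `linebuf[namelen]` would be one past the allocation. Only the reordered condition in the next hunk keeps that index from being read. Making the sizing stand on its own costs nothing: use `if (namelen >= buflen)` and add a comment such as `/* linebuf must be able to hold the name plus ':' */`. The type and initial value of buflen are outside the hunk, so whether `buflen += namelen` can overflow could not be checked from here.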
@@ -128,10 +129,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
}
/* Is this the username we were sent to change? */
- if (!found && linebuf[namelen] == ':' &&
- !strncmp(linebuf, pwd->pw_name, namelen)) {
- /* Yes! So go forth in the name of the Lord and
- * change it! */
+ if (!found &&
+ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
+ strlen(linebuf) > namelen &&
+ linebuf[namelen] == ':') {
+ /* Yes! But this time lets not walk past the end of the buffer
+ * in the name of the Lord, SUID, or anything else. */
if (putpwent(pwd, fp) < 0)
goto fail;
found = true;
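Review bot: The replacement comment above putpwent() jokes about the old bug but does not say what the reordered condition guarantees. Safety here depends on evaluation order: strncmp() stops at linebuf's terminator, and `linebuf[namelen]` is read only after `strlen(linebuf) > namelen` has held. That in turn assumes linebuf is always NUL-terminated by the read that happens outside this hunk. I would state that instead, e.g. `/* Matching entry: linebuf[namelen] is read only once the line is known to be longer than the name. */`.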
--
2.51.1


@ -2,7 +2,7 @@
Summary: A collection of basic system utilities Summary: A collection of basic system utilities
Name: util-linux Name: util-linux
Version: 2.32.1 Version: 2.32.1
Release: 48%{?dist} Release: 46%{?dist}
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
Group: System Environment/Base Group: System Environment/Base
URL: http://en.wikipedia.org/wiki/Util-linux URL: http://en.wikipedia.org/wiki/Util-linux
@ -304,12 +304,7 @@ Patch102: 0102-libblkid-bsd-fix-buffer-pointer-use-fuzzing.patch
Patch103: 0103-libblkid-probe-fix-size-and-offset-overflows-fuzzing.patch Patch103: 0103-libblkid-probe-fix-size-and-offset-overflows-fuzzing.patch
# RHEL-6274 - lslogins incorrect account expiration field # RHEL-6274 - lslogins incorrect account expiration field
Patch104: 0104-timeutils-match-today-day-and-this-year-correctly.patch Patch104: 0104-timeutils-match-today-day-and-this-year-correctly.patch
# RHEL-117686 - lslogins: use sd_journal_get_data() in proper way
Patch105: 0105-lslogins-use-sd_journal_get_data-in-proper-way.patch
# RHEL-134296 - libblkid: use snprintf() instead of sprintf()
Patch106: 0106-libblkid-use-snprintf-instead-of-sprintf.patch
# RHEL-133946 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
Patch107: 0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
%description %description
@ -1159,13 +1154,6 @@ fi
%{_libdir}/python*/site-packages/libmount/ %{_libdir}/python*/site-packages/libmount/
%changelog %changelog
* Mon Dec 15 2025 Karel Zak <kzak@redhat.com> 2.32.1-48
- fix RHEL-134296 - libblkid: use snprintf() instead of sprintf()
- fix RHEL-133946 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
* Mon Nov 10 2025 Karel Zak <kzak@redhat.com> 2.32.1-47
- fix RHEL-117686 - lslogins: use sd_journal_get_data() in proper way
* Thu Feb 08 2024 Karel Zak <kzak@redhat.com> 2.32.1-46 * Thu Feb 08 2024 Karel Zak <kzak@redhat.com> 2.32.1-46
- fix RHEL-13741 - lscpu: avoid EBUSY on cpuinfo_max_freq - fix RHEL-13741 - lscpu: avoid EBUSY on cpuinfo_max_freq
- fix RHEL-18451 - logger: initialize socket credentials control union - fix RHEL-18451 - logger: initialize socket credentials control union