SOURCES/0105-lslogins-use-sd_journal_get_data-in-proper-way.patch

@@ -1,109 +0,0 @@
-From ee95720a5d0507dfbdac99b0daeab6387cdc5832 Mon Sep 17 00:00:00 2001
-From: Karel Zak <kzak@redhat.com>
-Date: Thu, 22 Jul 2021 11:03:54 +0200
-Subject: lslogins: use sd_journal_get_data() in proper way
-
-man sd_journal_get_data:
-    The returned data is in a read-only memory map and is only valid until the next invocation
-    of sd_journal_get_data().
-
-It means that use data after 3x sd_journal_get_data() is really bad
-idea. It also seems better to not assume the fields are zero
-terminated as journal API works with void* and size_t to address the
-data.
-
-Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1984704
-Addresses: https://issues.redhat.com/browse/RHEL-117686
-Signed-off-by: Karel Zak <kzak@redhat.com>
-(cherry picked from commit 31d730eb7730f186a0a245f97a09df2fa625f6bd)
----
- login-utils/lslogins.c | 57 +++++++++++++++++++++++++-----------------
- 1 file changed, 34 insertions(+), 23 deletions(-)
-
-diff --git a/login-utils/lslogins.c b/login-utils/lslogins.c
-index b81afc6c7..f8ce73101 100644
---- a/login-utils/lslogins.c
-+++ b/login-utils/lslogins.c
-@@ -1173,14 +1173,28 @@ static void fill_table(const void *u, const VISIT which, const int depth __attri
- 	return;
- }
- #ifdef HAVE_LIBSYSTEMD
-+static char *get_journal_data(sd_journal *j, const char *name)
-+{
-+	const char *data = NULL, *p;
-+	size_t len = 0;
-+
-+	if (sd_journal_get_data(j, name, (const void **) &data, &len) < 0
-+	    || !data || !len)
-+		return NULL;
-+
-+	/* Get rid of journal entry field identifiers */
-+	p = strnchr(data, len, '=');
-+	if (!p || !*(p + 1))
-+		return NULL;
-+	p++;
-+
-+	return xstrndup(p, len - (p - data));
-+}
-+
- static void print_journal_tail(const char *journal_path, uid_t uid, size_t len, int time_mode)
- {
- 	sd_journal *j;
--	char *match, *timestamp;
--	uint64_t x;
--	time_t t;
--	const char *identifier, *pid, *message;
--	size_t identifier_len, pid_len, message_len;
-+	char *match;
- 
- 	if (journal_path)
- 		sd_journal_open_directory(&j, journal_path, 0);
-@@ -1194,30 +1208,27 @@ static void print_journal_tail(const char *journal_path, uid_t uid, size_t len,
- 	sd_journal_previous_skip(j, len);
- 
- 	do {
--		if (0 > sd_journal_get_data(j, "SYSLOG_IDENTIFIER",
--				(const void **) &identifier, &identifier_len))
--			goto done;
--		if (0 > sd_journal_get_data(j, "_PID",
--				(const void **) &pid, &pid_len))
--			goto done;
--		if (0 > sd_journal_get_data(j, "MESSAGE",
--				(const void **) &message, &message_len))
--			goto done;
-+		char *id, *pid, *msg, *ts;
-+		uint64_t x;
-+		time_t t;
- 
- 		sd_journal_get_realtime_usec(j, &x);
- 		t = x / 1000000;
--		timestamp = make_time(time_mode, t);
--		/* Get rid of journal entry field identifiers */
--		identifier = strchr(identifier, '=') + 1;
--		pid = strchr(pid, '=') + 1;
--		message = strchr(message, '=') + 1;
-+		ts = make_time(time_mode, t);
- 
--		fprintf(stdout, "%s %s[%s]: %s\n", timestamp, identifier, pid,
--			message);
--		free(timestamp);
-+		id = get_journal_data(j, "SYSLOG_IDENTIFIER");
-+		pid = get_journal_data(j, "_PID");
-+		msg = get_journal_data(j, "MESSAGE");
-+
-+		if (ts && id && pid && msg)
-+			fprintf(stdout, "%s %s[%s]: %s\n", ts, id, pid, msg);
-+
-+		free(ts);
-+		free(id);
-+		free(pid);
-+		free(msg);
- 	} while (sd_journal_next(j));
- 
--done:
- 	free(match);
- 	sd_journal_flush_matches(j);
- 	sd_journal_close(j);
--- 
-2.51.1
-

SOURCES/0106-libblkid-use-snprintf-instead-of-sprintf.patch

@@ -1,132 +0,0 @@
-From 6155468eb3039299b1a6bd2ce9f43d5fb1c5e1a5 Mon Sep 17 00:00:00 2001
-From: Karel Zak <kzak@redhat.com>
-Date: Mon, 10 Nov 2025 10:37:09 +0100
-Subject: libblkid: use snprintf() instead of sprintf()
-
-Replace sprintf() calls with snprintf() to ensure proper bounds
-checking when formatting strings.
-
-In encode.c, the check now validates snprintf() return value instead
-of pre-checking buffer size, providing more robust error handling.
-
-In save.c, snprintf() is used with size_t len variables to track
-buffer sizes for temporary and backup filename creation.
-
-In devname.c, snprintf() is used for both fixed-size buffers (with
-sizeof()) and dynamically allocated buffers (with size_t len
-variables).
-
-Addresses: https://issues.redhat.com/browse/RHEL-123531
-
-Signed-off-by: Karel Zak <kzak@redhat.com>
----
- libblkid/src/devname.c | 16 +++++++++-------
- libblkid/src/encode.c  |  6 ++++--
- libblkid/src/save.c    | 10 ++++++----
- 3 files changed, 19 insertions(+), 13 deletions(-)
-
-diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c
-index 59029ec06..56459ebd0 100644
---- a/libblkid/src/devname.c
-+++ b/libblkid/src/devname.c
-@@ -163,7 +163,7 @@ static int is_dm_leaf(const char *devname)
- 		    strncmp(de->d_name, "dm-", 3) ||
- 		    strlen(de->d_name) > sizeof(path)-32)
- 			continue;
--		sprintf(path, "/sys/block/%s/slaves", de->d_name);
-+		snprintf(path, sizeof(path), "/sys/block/%s/slaves", de->d_name);
- 		if ((d_dir = opendir(path)) == NULL)
- 			continue;
- 		while ((d_de = readdir(d_dir)) != NULL) {
-@@ -321,14 +321,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
- 		char		*vdirname;
- 		char		*vg_name;
- 		struct dirent	*lv_iter;
-+		size_t		len;
- 
- 		vg_name = vg_iter->d_name;
- 		if (!strcmp(vg_name, ".") || !strcmp(vg_name, ".."))
- 			continue;
--		vdirname = malloc(vg_len + strlen(vg_name) + 8);
-+		len = vg_len + strlen(vg_name) + 8;
-+		vdirname = malloc(len);
- 		if (!vdirname)
- 			goto exit;
--		sprintf(vdirname, "%s/%s/LVs", VG_DIR, vg_name);
-+		snprintf(vdirname, len, "%s/%s/LVs", VG_DIR, vg_name);
- 
- 		lv_list = opendir(vdirname);
- 		free(vdirname);
-@@ -342,16 +344,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
- 			if (!strcmp(lv_name, ".") || !strcmp(lv_name, ".."))
- 				continue;
- 
--			lvm_device = malloc(vg_len + strlen(vg_name) +
--					    strlen(lv_name) + 8);
-+			len = vg_len + strlen(vg_name) + strlen(lv_name) + 8;
-+			lvm_device = malloc(len);
- 			if (!lvm_device) {
- 				closedir(lv_list);
- 				goto exit;
- 			}
--			sprintf(lvm_device, "%s/%s/LVs/%s", VG_DIR, vg_name,
-+			snprintf(lvm_device, len, "%s/%s/LVs/%s", VG_DIR, vg_name,
- 				lv_name);
- 			dev = lvm_get_devno(lvm_device);
--			sprintf(lvm_device, "%s/%s", vg_name, lv_name);
-+			snprintf(lvm_device, len, "%s/%s", vg_name, lv_name);
- 			DBG(DEVNAME, ul_debug("LVM dev %s: devno 0x%04X",
- 						  lvm_device,
- 						  (unsigned int) dev));
-diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c
-index 33d349127..855ea8057 100644
---- a/libblkid/src/encode.c
-+++ b/libblkid/src/encode.c
-@@ -315,9 +315,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len)
- 			j += seqlen;
- 			i += (seqlen-1);
- 		} else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) {
--			if (len-j < 4)
-+			int rc;
-+
-+			rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]);
-+			if (rc != 4)
- 				goto err;
--			sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
- 			j += 4;
- 		} else {
- 			if (len-j < 1)
-diff --git a/libblkid/src/save.c b/libblkid/src/save.c
-index 21308a9cf..f21ae6d41 100644
---- a/libblkid/src/save.c
-+++ b/libblkid/src/save.c
-@@ -128,9 +128,10 @@ int blkid_flush_cache(blkid_cache cache)
- 	 * a temporary file then we open it directly.
- 	 */
- 	if (ret == 0 && S_ISREG(st.st_mode)) {
--		tmp = malloc(strlen(filename) + 8);
-+		size_t len = strlen(filename) + 8;
-+		tmp = malloc(len);
- 		if (tmp) {
--			sprintf(tmp, "%s-XXXXXX", filename);
-+			snprintf(tmp, len, "%s-XXXXXX", filename);
- 			fd = mkstemp_cloexec(tmp);
- 			if (fd >= 0) {
- 				if (fchmod(fd, 0644) != 0)
-@@ -178,10 +179,11 @@ int blkid_flush_cache(blkid_cache cache)
- 			DBG(SAVE, ul_debug("unlinked temp cache %s", opened));
- 		} else {
- 			char *backup;
-+			size_t len = strlen(filename) + 5;
- 
--			backup = malloc(strlen(filename) + 5);
-+			backup = malloc(len);
- 			if (backup) {
--				sprintf(backup, "%s.old", filename);
-+				snprintf(backup, len, "%s.old", filename);
- 				unlink(backup);
- 				if (link(filename, backup)) {
- 					DBG(SAVE, ul_debug("can't link %s to %s",
--- 
-2.51.1
-

SOURCES/0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch

@@ -1,50 +0,0 @@
-From 680184cb5d3aeb0c92b6dea8056b0c9c0f57e7f6 Mon Sep 17 00:00:00 2001
-From: Karel Zak <kzak@redhat.com>
-Date: Mon, 8 Dec 2025 13:36:41 +0100
-Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
-
-This issue has been originally fixed in the master branch, but
-unfortunately was not backported to stable/v2.41 yet.
-
-References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
-References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
-Signed-off-by: Karel Zak <kzak@redhat.com>
-(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
----
- login-utils/setpwnam.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
-index 0616c7923..07940eff0 100644
---- a/login-utils/setpwnam.c
-+++ b/login-utils/setpwnam.c
-@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
- 		goto fail;
- 
- 	namelen = strlen(pwd->pw_name);
--
-+	if (namelen > buflen)
-+		buflen += namelen;
- 	linebuf = malloc(buflen);
- 	if (!linebuf)
- 		goto fail;
-@@ -128,10 +129,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
- 		}
- 
- 		/* Is this the username we were sent to change? */
--		if (!found && linebuf[namelen] == ':' &&
--		    !strncmp(linebuf, pwd->pw_name, namelen)) {
--			/* Yes! So go forth in the name of the Lord and
--			 * change it!  */
-+		if (!found &&
-+		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
-+		    strlen(linebuf) > namelen &&
-+		    linebuf[namelen] == ':') {
-+			/* Yes! But this time let’s not walk past the end of the buffer
-+			 * in the name of the Lord, SUID, or anything else. */
- 			if (putpwent(pwd, fp) < 0)
- 				goto fail;
- 			found = true;
--- 
-2.51.1
-

SPECS/util-linux.spec

@@ -2,7 +2,7 @@
 Summary: A collection of basic system utilities
 Name: util-linux
 Version: 2.32.1
-Release: 48%{?dist}
+Release: 46%{?dist}
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 Group: System Environment/Base
 URL: http://en.wikipedia.org/wiki/Util-linux
@@ -304,12 +304,7 @@ Patch102: 0102-libblkid-bsd-fix-buffer-pointer-use-fuzzing.patch
 Patch103: 0103-libblkid-probe-fix-size-and-offset-overflows-fuzzing.patch
 # RHEL-6274 - lslogins incorrect account expiration field
 Patch104: 0104-timeutils-match-today-day-and-this-year-correctly.patch
-# RHEL-117686 - lslogins: use sd_journal_get_data() in proper way
-Patch105: 0105-lslogins-use-sd_journal_get_data-in-proper-way.patch
-# RHEL-134296 - libblkid: use snprintf() instead of sprintf()
-Patch106: 0106-libblkid-use-snprintf-instead-of-sprintf.patch
-# RHEL-133946 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
-Patch107: 0107-login-utils-fix-setpwnam-buffer-use-CVE-2025-14104.patch
+
 
 
 %description
@@ -1159,13 +1154,6 @@ fi
 %{_libdir}/python*/site-packages/libmount/
 
 %changelog
-* Mon Dec 15 2025 Karel Zak <kzak@redhat.com> 2.32.1-48
-- fix RHEL-134296 - libblkid: use snprintf() instead of sprintf()
-- fix RHEL-133946 - login-utils: fix setpwnam() buffer use [CVE-2025-14104]
-
-* Mon Nov 10 2025 Karel Zak <kzak@redhat.com> 2.32.1-47
-- fix RHEL-117686 - lslogins: use sd_journal_get_data() in proper way
-
 * Thu Feb 08 2024 Karel Zak <kzak@redhat.com> 2.32.1-46
 - fix RHEL-13741 - lscpu: avoid EBUSY on cpuinfo_max_freq
 - fix RHEL-18451 - logger: initialize socket credentials control union