From f6783d9c7dc6ca75d24585325814a869299c6f56 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Mon, 8 Dec 2025 13:36:41 +0100
Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
This issue has been originally fixed in the master branch, but unfortunately was not backported to stable/v2.41 yet.
References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
Signed-off-by: Karel Zak
(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
---
 login-utils/setpwnam.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
index 3e3c1abde..7778e98f7 100644
--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
 goto fail;
 namelen = strlen(pwd->pw_name);
-
+ if (namelen > buflen)
+ buflen += namelen;
 linebuf = malloc(buflen);
 if (!linebuf)
 goto fail;
@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
 }
 /* Is this the username we were sent to change? */
- if (!found && linebuf[namelen] == ':' &&
- !strncmp(linebuf, pwd->pw_name, namelen)) {
- /* Yes! So go forth in the name of the Lord and
- * change it! */
+ if (!found &&
+ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
+ strlen(linebuf) > namelen &&
+ linebuf[namelen] == ':') {
+ /* Yes! But this time let’s not walk past the end of the buffer
+ * in the name of the Lord, SUID, or anything else. */
 if (putpwent(pwd, fp) < 0)
 goto fail;
 found = 1;
-- 
2.51.1
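Review bot: The pre-sizing test `if (namelen > buflen)` in the first hunk does not cover a name of exactly `buflen` bytes, so on its own it does not guarantee that index `namelen` lies inside the initial allocation; the bounds safety of the later `linebuf[namelen]` read rests on the per-line checks added in the second hunk. Either use `if (namelen >= buflen)` or state that dependency in a comment such as `/* pre-size only; the match below re-checks the line length before indexing */`. The declaration and initial value of `buflen`, and any later reallocation of `linebuf`, are outside this hunk, so whether `buflen += namelen` can wrap depends on a type not visible here. The body of setpwnam() starts and ends outside the hunk.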
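Review bot: The rewritten match condition in the second hunk is only memory-safe because of its evaluation order, and the new comment does not say so: `strncmp(linebuf, pwd->pw_name, namelen) == 0` and `strlen(linebuf) > namelen` must both be evaluated before `linebuf[namelen] == ':'`, which was the operand the old code read first. A factual comment above the `if`, for example `/* order matters: prove the line is longer than namelen before reading linebuf[namelen] */`, would stop a later tidy-up from moving the index back to the front. This presumes `linebuf` is NUL-terminated by the read that fills it, which happens outside the hunk. The comment also introduces a non-ASCII apostrophe (`let’s`) into the C source; a plain `'` avoids encoding surprises.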