From f6783d9c7dc6ca75d24585325814a869299c6f56 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 8 Dec 2025 13:36:41 +0100
Subject: login-utils: fix setpwnam() buffer use [CVE-2025-14104]
This issue was originally fixed in the master branch, but
has unfortunately not been backported to stable/v2.41 yet.
References: aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
References: 9a36d77012c4c771f8d51eba46b6e62c29bf572a
Signed-off-by: Karel Zak <kzak@redhat.com>
(cherry picked from commit 9753e6ad9705104c3b05713f79ad6732cc4c7b30)
---
login-utils/setpwnam.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
index 3e3c1abde..7778e98f7 100644
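--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
 goto fail;
 
 namelen = strlen(pwd->pw_name);
-
+ if (namelen > buflen)
+ buflen += namelen;
 linebuf = malloc(buflen);
 if (!linebuf)
 goto fail;
@@ -126,10 +127,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
 }
 
 /* Is this the username we were sent to change? */
- if (!found && linebuf[namelen] == ':' &&
- !strncmp(linebuf, pwd->pw_name, namelen)) {
- /* Yes! So go forth in the name of the Lord and
- * change it! */
+ if (!found &&
+ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
+ strlen(linebuf) > namelen &&
+ linebuf[namelen] == ':') {
+ /* Yes! But this time let’s not walk past the end of the buffer
+ * in the name of the Lord, SUID, or anything else. */
 if (putpwent(pwd, fp) < 0)
 goto fail;
 found = 1;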
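Review bot: The bounds safety of the rewritten `if (!found && ...)` test in the second hunk depends on evaluation order, since `strncmp()` and `strlen(linebuf) > namelen` must run before `linebuf[namelen]` is read, but the new comment does not record that, so a later tidy-up could reintroduce the over-read. I would replace the joke with something like `/* Compare before indexing: linebuf[namelen] is only valid once the line is known to be longer than namelen. */`. In the first hunk, `if (namelen > buflen)` leaves the buffer at its initial size when namelen equals buflen, so as far as the visible lines show that case relies on the later strlen guard alone; `if (namelen >= buflen)` would make the sizing self-consistent, and a one-line comment on why the buffer is grown would help. Both hunks sit inside setpwnam(), whose body starts and ends outside what is shown, so the read loop and the declarations of buflen and namelen are not visible here.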
--
2.51.1