From bf0257873351d1814ef6ebc00dd4c2f446c1a432 Mon Sep 17 00:00:00 2001 From: markeryang Date: Mon, 20 Oct 2025 08:58:27 +0000 Subject: [PATCH] backport community patches --- backport-Update-bufflen.patch | 24 +++++++ backport-Update-setpwnam-c.patch | 30 ++++++++ ...libmount-verity-fix-deinitialization.patch | 43 +++++++++++ ...-fix-buffer-overflow-when-read-stdin.patch | 28 ++++++++ ...le-buffer-overflow-in-cpuinfo-parser.patch | 34 +++++++++ ...ignore-stdin-when-waiting-for-stderr.patch | 72 +++++++++++++++++++ util-linux.spec | 11 ++- 7 files changed, 241 insertions(+), 1 deletion(-) create mode 100644 backport-Update-bufflen.patch create mode 100644 backport-Update-setpwnam-c.patch create mode 100644 backport-libmount-verity-fix-deinitialization.patch create mode 100644 backport-logger-fix-buffer-overflow-when-read-stdin.patch create mode 100644 backport-lscpu-fix-possible-buffer-overflow-in-cpuinfo-parser.patch create mode 100644 backport-more-temporarily-ignore-stdin-when-waiting-for-stderr.patch diff --git a/backport-Update-bufflen.patch b/backport-Update-bufflen.patch new file mode 100644 index 0000000..1a51846 --- /dev/null +++ b/backport-Update-bufflen.patch @@ -0,0 +1,24 @@ +From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001 +From: Mohamed Maatallah +Date: Mon, 26 May 2025 10:06:02 +0100 +Subject: [PATCH] Update bufflen + +Update buflen +--- + login-utils/setpwnam.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c +index 95e470b5a34..7778e98f7cc 100644 +--- a/login-utils/setpwnam.c ++++ b/login-utils/setpwnam.c +@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix) + goto fail; + + namelen = strlen(pwd->pw_name); +- ++ if (namelen > buflen) ++ buflen += namelen; + linebuf = malloc(buflen); + if (!linebuf) + goto fail; diff --git a/backport-Update-setpwnam-c.patch b/backport-Update-setpwnam-c.patch new file mode 100644 index 0000000..e579b20 --- /dev/null +++ b/backport-Update-setpwnam-c.patch @@ -0,0 +1,30 @@ +From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001 +From: Mohamed Maatallah +Date: Sat, 24 May 2025 03:16:09 +0100 +Subject: [PATCH] Update setpwnam.c + +--- + login-utils/setpwnam.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c +index 3e3c1abde50..95e470b5a34 100644 +--- a/login-utils/setpwnam.c ++++ b/login-utils/setpwnam.c +@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix) + } + + /* Is this the username we were sent to change? */ +- if (!found && linebuf[namelen] == ':' && +- !strncmp(linebuf, pwd->pw_name, namelen)) { +- /* Yes! So go forth in the name of the Lord and +- * change it! */ ++ if (!found && ++ strncmp(linebuf, pwd->pw_name, namelen) == 0 && ++ strlen(linebuf) > namelen && ++ linebuf[namelen] == ':') { ++ /* Yes! But this time let’s not walk past the end of the buffer ++ * in the name of the Lord, SUID, or anything else. */ + if (putpwent(pwd, fp) < 0) + goto fail; + found = 1; diff --git a/backport-libmount-verity-fix-deinitialization.patch b/backport-libmount-verity-fix-deinitialization.patch new file mode 100644 index 0000000..0253d43 --- /dev/null +++ b/backport-libmount-verity-fix-deinitialization.patch @@ -0,0 +1,43 @@ +From 09a306d6528581a4f3ecbeedf315108f99c872c3 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Mon, 26 May 2025 17:57:34 +0200 +Subject: [PATCH] libmount: (verity) fix deinitialization + +Fixes: https://github.com/util-linux/util-linux/issues/3592 +Signed-off-by: Karel Zak +--- + libmount/src/hook_veritydev.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/libmount/src/hook_veritydev.c b/libmount/src/hook_veritydev.c +index 5bb58d0903c..12c63089714 100644 +--- a/libmount/src/hook_veritydev.c ++++ b/libmount/src/hook_veritydev.c +@@ -180,9 +180,13 @@ static struct hookset_data *new_hookset_data( + struct libmnt_context *cxt, + const struct libmnt_hookset *hs) + { +- struct hookset_data *hsd = calloc(1, sizeof(struct hookset_data)); ++ struct hookset_data *hsd; ++ ++ hsd = calloc(1, sizeof(struct hookset_data)); ++ if (!hsd) ++ return NULL; + +- if (hsd && mnt_context_set_hookset_data(cxt, hs, hsd) != 0) ++ if (mnt_context_set_hookset_data(cxt, hs, hsd) != 0) + goto failed; + + #ifdef CRYPTSETUP_VIA_DLOPEN +@@ -196,7 +200,10 @@ static struct hookset_data *new_hookset_data( + + return hsd; + failed: +- free(hsd); ++ if (mnt_context_get_hookset_data(cxt, hs)) ++ free_hookset_data(cxt, hs); ++ else ++ free(hsd); + return NULL; + } + diff --git a/backport-logger-fix-buffer-overflow-when-read-stdin.patch b/backport-logger-fix-buffer-overflow-when-read-stdin.patch new file mode 100644 index 0000000..36e84ca --- /dev/null +++ b/backport-logger-fix-buffer-overflow-when-read-stdin.patch @@ -0,0 +1,28 @@ +From f9cdc91be0442b887e4a636fbb75f027f0267a84 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Wed, 10 Sep 2025 10:31:23 +0200 +Subject: [PATCH] logger: fix buffer overflow when read stdin + +$ perl -e 'print "<" . "0"x10240' | logger --prio-prefix +Segmentation fault (core dumped) + +Signed-off-by: Karel Zak +--- + misc-utils/logger.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/misc-utils/logger.c b/misc-utils/logger.c +index a674ef0cf94..d27c8064f32 100644 +--- a/misc-utils/logger.c ++++ b/misc-utils/logger.c +@@ -1025,7 +1025,9 @@ static void logger_stdin(struct logger_ctl *ctl) + if (ctl->prio_prefix && c == '<') { + pri = 0; + buf[i++] = c; +- while (isdigit(c = getchar()) && pri <= 191) { ++ while (i < ctl->max_message_size ++ && isdigit(c = getchar()) && pri <= 191) { ++ + buf[i++] = c; + pri = pri * 10 + c - '0'; + } diff --git a/backport-lscpu-fix-possible-buffer-overflow-in-cpuinfo-parser.patch b/backport-lscpu-fix-possible-buffer-overflow-in-cpuinfo-parser.patch new file mode 100644 index 0000000..b8f47a2 --- /dev/null +++ b/backport-lscpu-fix-possible-buffer-overflow-in-cpuinfo-parser.patch @@ -0,0 +1,34 @@ +From ea04d719352add738251446315cebdada90171a9 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Tue, 20 May 2025 10:10:59 +0200 +Subject: [PATCH] lscpu: fix possible buffer overflow in cpuinfo parser + +Addresses: https://github.com/util-linux/util-linux/pull/3577 +Signed-off-by: Karel Zak +--- + sys-utils/lscpu-cputype.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sys-utils/lscpu-cputype.c b/sys-utils/lscpu-cputype.c +index bdb33ac783b..0626df6a0cd 100644 +--- a/sys-utils/lscpu-cputype.c ++++ b/sys-utils/lscpu-cputype.c +@@ -288,7 +288,7 @@ static const struct cpuinfo_pattern cache_patterns[] = + DEF_PAT_CACHE("cache", PAT_CACHE), + }; + +-#define CPUTYPE_PATTERN_BUFSZ 32 ++#define CPUTYPE_PATTERN_BUFSZ 128 + + static int cmp_pattern(const void *a0, const void *b0) + { +@@ -462,8 +462,7 @@ static const struct cpuinfo_pattern *cpuinfo_parse_line(char *str, char **value, + return NULL; + + /* prepare name of the field */ +- xstrncpy(buf, p, sizeof(buf)); +- buf[v - p] = '\0'; ++ xstrncpy(buf, p, min((size_t)(v - p)+1, sizeof(buf))); + v++; + + /* prepare value */ diff --git a/backport-more-temporarily-ignore-stdin-when-waiting-for-stderr.patch b/backport-more-temporarily-ignore-stdin-when-waiting-for-stderr.patch new file mode 100644 index 0000000..6748feb --- /dev/null +++ b/backport-more-temporarily-ignore-stdin-when-waiting-for-stderr.patch @@ -0,0 +1,72 @@ +From 85cbb5f5449be75d51b064681f0d92adf31f59be Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Mon, 30 Jun 2025 12:20:13 +0200 +Subject: [PATCH] more: temporarily ignore stdin when waiting for stderr + +more waits for user commands on stderr, but at the same time, it +monitors sigalfd and stdin (for data and POLLHUP|POLLNVAL). We need to +temporarily ignore stdin if there is new data waiting for read() +(e.g., dmesg | more); otherwise, more_key_command() will end in a busy +loop. + +Fixes: https://github.com/util-linux/util-linux/issues/3634 +Signed-off-by: Karel Zak +--- + text-utils/more.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/text-utils/more.c b/text-utils/more.c +index fa5513fd0d8..51c63e9245c 100644 +--- a/text-utils/more.c ++++ b/text-utils/more.c +@@ -204,6 +204,7 @@ struct more_control { + #endif + unsigned int + ignore_stdin:1, /* POLLHUP; peer closed pipe */ ++ pending_stdin, /* data on stdin temporary ignored when waiting for stderr */ + bad_stdout:1, /* true if overwriting does not turn off standout */ + catch_suspend:1, /* we should catch the SIGTSTP signal */ + clear_line_ends:1, /* do not scroll, paint each screen from the top */ +@@ -1378,11 +1379,14 @@ static int more_poll(struct more_control *ctl, int timeout, int *stderr_active) + + if (stderr_active) + *stderr_active = 0; ++ else ++ /* always check stdin if not care about stderr */ ++ ctl->pending_stdin = 0; + + while (!has_data) { + int rc; + +- if (ctl->ignore_stdin) ++ if (ctl->ignore_stdin || ctl->pending_stdin) + pfd[POLLFD_STDIN].fd = -1; /* probably closed, ignore */ + + rc = poll(pfd, ARRAY_SIZE(pfd), timeout); +@@ -1440,8 +1444,11 @@ static int more_poll(struct more_control *ctl, int timeout, int *stderr_active) + if ((pfd[POLLFD_STDIN].revents & POLLHUP) || + (pfd[POLLFD_STDIN].revents & POLLNVAL)) + ctl->ignore_stdin = 1; +- else ++ else { + has_data++; ++ if (ctl->current_file == stdin) ++ ctl->pending_stdin = 1; ++ } + } + + /* event on stderr (we reads user commands from stderr!) */ +@@ -1690,6 +1697,13 @@ static int more_key_command(struct more_control *ctl, char *filename) + continue; + if (stderr_active == 0) + continue; ++ ++ /* There could be new data on stdin (e.g. prog | more) while ++ * we are waiting for user's activity on stderr. These stdin ++ * events are temporarily ignored to avoid a busy loop. Let's ++ * reset this to ensure stdin is checked next time. */ ++ ctl->pending_stdin = 0; ++ + cmd = read_command(ctl); + if (cmd.key == more_kc_unknown_command) + continue; diff --git a/util-linux.spec b/util-linux.spec index 3d1ba40..938df26 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -3,7 +3,7 @@ Name: util-linux Version: 2.39.1 -Release: 29 +Release: 30 Summary: A random collection of Linux utilities License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git @@ -120,6 +120,12 @@ Patch6098: backport-libsmartcols-fix-reduction-stages-use.patch Patch6099: backport-lsblk-use-md-as-fallback-TYPE-when-md-level-empty.patch Patch6100: backport-lsblk-fix-memory-leak.patch Patch6101: backport-lsblk-fix-possible-use-after-free.patch +Patch6102: backport-lscpu-fix-possible-buffer-overflow-in-cpuinfo-parser.patch +Patch6103: backport-Update-setpwnam-c.patch +Patch6104: backport-Update-bufflen.patch +Patch6105: backport-libmount-verity-fix-deinitialization.patch +Patch6106: backport-more-temporarily-ignore-stdin-when-waiting-for-stderr.patch +Patch6107: backport-logger-fix-buffer-overflow-when-read-stdin.patch Patch9000: SKIPPED-no-root-permissions-test.patch Patch9001: util-linux-Add-sw64-architecture.patch @@ -486,6 +492,9 @@ fi %endif %changelog +* Mon Oct 20 2025 yanglongkang - 2.39.1-30 +- backport community patches + * Fri Sep 19 2025 cenhuilin - 2.39.1-29 - Type:bugfix - CVE:NA -- Gitee