diff --git a/backport-Update-bufflen.patch b/backport-Update-bufflen.patch new file mode 100644 index 0000000000000000000000000000000000000000..1a51846d1bda2bae100b2504412e2416d611bef1 --- /dev/null +++ b/backport-Update-bufflen.patch @@ -0,0 +1,24 @@ +From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001 +From: Mohamed Maatallah +Date: Mon, 26 May 2025 10:06:02 +0100 +Subject: [PATCH] Update bufflen + +Update buflen +--- + login-utils/setpwnam.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c +index 95e470b5a34..7778e98f7cc 100644 +--- a/login-utils/setpwnam.c ++++ b/login-utils/setpwnam.c +@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix) + goto fail; + + namelen = strlen(pwd->pw_name); +- ++ if (namelen > buflen) ++ buflen += namelen; + linebuf = malloc(buflen); + if (!linebuf) + goto fail; diff --git a/backport-Update-setpwnam-c.patch b/backport-Update-setpwnam-c.patch new file mode 100644 index 0000000000000000000000000000000000000000..e579b20a1c5983143892bbdbf2c850eba24f2d3e --- /dev/null +++ b/backport-Update-setpwnam-c.patch @@ -0,0 +1,30 @@ +From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001 +From: Mohamed Maatallah +Date: Sat, 24 May 2025 03:16:09 +0100 +Subject: [PATCH] Update setpwnam.c + +--- + login-utils/setpwnam.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c +index 3e3c1abde50..95e470b5a34 100644 +--- a/login-utils/setpwnam.c ++++ b/login-utils/setpwnam.c +@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix) + } + + /* Is this the username we were sent to change? */ +- if (!found && linebuf[namelen] == ':' && +- !strncmp(linebuf, pwd->pw_name, namelen)) { +- /* Yes! So go forth in the name of the Lord and +- * change it! */ ++ if (!found && ++ strncmp(linebuf, pwd->pw_name, namelen) == 0 && ++ strlen(linebuf) > namelen && ++ linebuf[namelen] == ':') { ++ /* Yes! But this time let’s not walk past the end of the buffer ++ * in the name of the Lord, SUID, or anything else. */ + if (putpwent(pwd, fp) < 0) + goto fail; + found = 1; diff --git a/util-linux.spec b/util-linux.spec index 3f0ad1c36bcc8c79f2c0febd11d9eb2853f5cc45..326db53334ff5672d5b65fa94915579981c02999 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -2,7 +2,7 @@ Name: util-linux Version: 2.35.2 -Release: 14 +Release: 15 Summary: A random collection of Linux utilities License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git @@ -68,6 +68,9 @@ Patch6007: backport-write-correctly-handle-wide-characters.patch Patch6008: backport-wall-convert-homebrew-buffering-to-open_memstream.patch Patch6009: backport-wall-use-fputs_careful.patch Patch6010: backport-CVE-2024-28085.patch +# fix CVE-2025-14104 +Patch6011: backport-Update-bufflen.patch +Patch6012: backport-Update-setpwnam-c.patch Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch @@ -421,6 +424,12 @@ fi %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*} %changelog +* Mon Dec 08 2025 yanglongkang - 2.35.2-15 +- Type:CVE +- CVE:CVE-2025-14104 +- SUG:NA +- DESC:fix CVE-2025-14104 + * Fri Mar 29 2024 cenhuilin - 2.35.2-14 - Type:bugfix - CVE:NA