From 3ff9df08bf7dd0fbc20ff14ca0447fa5bf8a2945 Mon Sep 17 00:00:00 2001 From: yanglongkang Date: Mon, 8 Dec 2025 17:22:09 +0800 Subject: [PATCH] fix CVE-2025-14104 --- backport-Update-bufflen.patch | 24 ++++++++++++++++++++++++ backport-Update-setpwnam-c.patch | 30 ++++++++++++++++++++++++++++++ util-linux.spec | 11 ++++++++++- 3 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 backport-Update-bufflen.patch create mode 100644 backport-Update-setpwnam-c.patch diff --git a/backport-Update-bufflen.patch b/backport-Update-bufflen.patch new file mode 100644 index 0000000..1a51846 --- /dev/null +++ b/backport-Update-bufflen.patch @@ -0,0 +1,24 @@ +From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001 +From: Mohamed Maatallah +Date: Mon, 26 May 2025 10:06:02 +0100 +Subject: [PATCH] Update bufflen + +Update buflen +--- + login-utils/setpwnam.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c +index 95e470b5a34..7778e98f7cc 100644 +--- a/login-utils/setpwnam.c ++++ b/login-utils/setpwnam.c +@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix) + goto fail; + + namelen = strlen(pwd->pw_name); +- ++ if (namelen > buflen) ++ buflen += namelen; + linebuf = malloc(buflen); + if (!linebuf) + goto fail; diff --git a/backport-Update-setpwnam-c.patch b/backport-Update-setpwnam-c.patch new file mode 100644 index 0000000..e579b20 --- /dev/null +++ b/backport-Update-setpwnam-c.patch @@ -0,0 +1,30 @@ +From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001 +From: Mohamed Maatallah +Date: Sat, 24 May 2025 03:16:09 +0100 +Subject: [PATCH] Update setpwnam.c + +--- + login-utils/setpwnam.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c +index 3e3c1abde50..95e470b5a34 100644 +--- a/login-utils/setpwnam.c ++++ b/login-utils/setpwnam.c +@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix) + } + + /* Is this the username we were sent to change? */ +- if (!found && linebuf[namelen] == ':' && +- !strncmp(linebuf, pwd->pw_name, namelen)) { +- /* Yes! So go forth in the name of the Lord and +- * change it! */ ++ if (!found && ++ strncmp(linebuf, pwd->pw_name, namelen) == 0 && ++ strlen(linebuf) > namelen && ++ linebuf[namelen] == ':') { ++ /* Yes! But this time let’s not walk past the end of the buffer ++ * in the name of the Lord, SUID, or anything else. */ + if (putpwent(pwd, fp) < 0) + goto fail; + found = 1; diff --git a/util-linux.spec b/util-linux.spec index 92d7915..ed050d9 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -2,7 +2,7 @@ Name: util-linux Version: 2.35.2 -Release: 24 +Release: 25 Summary: A random collection of Linux utilities License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git @@ -95,6 +95,9 @@ Patch6015: backport-mkfs.bfs-fix-memory-leaks-and-weak-code.patch Patch6016: backport-lsblk-use-md-as-fallback-TYPE-when-md-level-empty.patch Patch6017: backport-lsblk-fix-memory-leak.patch Patch6018: backport-lsblk-fix-possible-use-after-free.patch +# fix CVE-2025-14104 +Patch6019: backport-Update-bufflen.patch +Patch6020: backport-Update-setpwnam-c.patch Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch Patch9001: modify-rescuemode-chinese-error.patch @@ -453,6 +456,12 @@ fi %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*} %changelog +* Mon Dec 08 2025 yanglongkang - 2.35.2-25 +- Type:CVE +- CVE:CVE-2025-14104 +- SUG:NA +- DESC:fix CVE-2025-14104 + * Fri Sep 19 2025 cenhuilin - 2.35.2-24 - Type:bugfix - CVE:NA -- Gitee