diff --git a/0010-bugfix-for-CVE-2025-14104-1.patch b/0010-bugfix-for-CVE-2025-14104-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e579b20a1c5983143892bbdbf2c850eba24f2d3e
--- /dev/null
+++ b/0010-bugfix-for-CVE-2025-14104-1.patch
@@ -0,0 +1,30 @@
+From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah
+Date: Sat, 24 May 2025 03:16:09 +0100
+Subject: [PATCH] Update setpwnam.c
+
+---
+ login-utils/setpwnam.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde50..95e470b5a34 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ }
+
+ /* Is this the username we were sent to change? */
+- if (!found && linebuf[namelen] == ':' &&
+- !strncmp(linebuf, pwd->pw_name, namelen)) {
+- /* Yes! So go forth in the name of the Lord and
+- * change it! */
++ if (!found &&
++ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++ strlen(linebuf) > namelen &&
++ linebuf[namelen] == ':') {
++ /* Yes! But this time let’s not walk past the end of the buffer
++ * in the name of the Lord, SUID, or anything else. */
+ if (putpwent(pwd, fp) < 0)
+ goto fail;
+ found = 1;
diff --git a/0010-bugfix-for-CVE-2025-14104-2.patch b/0010-bugfix-for-CVE-2025-14104-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1a51846d1bda2bae100b2504412e2416d611bef1
--- /dev/null
+++ b/0010-bugfix-for-CVE-2025-14104-2.patch
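Review bot: The rewritten condition in setpwnam() (0010-bugfix-for-CVE-2025-14104-1.patch) is safe only because of the order of its `&&` operands, and the replacement comment does not record that. `strncmp()` has to run before `linebuf[namelen]` is read, because it stops at the line's terminator; once it has matched `namelen` bytes, the `strlen(linebuf) > namelen` test confirms the index lies inside the string. I would swap the joke for a comment stating the invariant, e.g. `/* Order matters: strncmp() stops at linebuf's NUL, so linebuf[namelen] is read only once the line is known to be longer than the name. */`, so a later tidy-up does not move the index check back to the front. The function body starts and ends outside this hunk, so whether the enclosing loop already tracks the line length that `strlen()` recomputes cannot be checked from here.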
@@ -0,0 +1,24 @@
+From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah
+Date: Mon, 26 May 2025 10:06:02 +0100
+Subject: [PATCH] Update bufflen
+
+Update buflen
+---
+ login-utils/setpwnam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 95e470b5a34..7778e98f7cc 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ goto fail;
+
+ namelen = strlen(pwd->pw_name);
+-
++ if (namelen > buflen)
++ buflen += namelen;
+ linebuf = malloc(buflen);
+ if (!linebuf)
+ goto fail;
diff --git a/util-linux.spec b/util-linux.spec
index 3ed25aeba8e07fc4fbbae7edff91b029920415fd..621895ad10ca37a85bc9f03c2c3ffca7ee24df0b 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 Summary: Collection of basic system utilities Name: util-linux
@@ -111,6 +111,10 @@ Patch9: 0007-libmount-ifdef-statx-call.patch Patch10: 0008-libmount-improve-EPERM-interpretation.patch # https://github.com/util-linux/util-linux/commit/140404e1fd22705c3a6972378b17af5e5ea87432 Patch11: 0009-column-fix-l.patch +# https://github.com/util-linux/util-linux/commit/aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 +Patch12: 0010-bugfix-for-CVE-2025-14104-1.patch +# https://github.com/util-linux/util-linux/commit/9a36d77012c4c771f8d51eba46b6e62c29bf572a +Patch13: 0010-bugfix-for-CVE-2025-14104-2.patch %description The util-linux package contains a large variety of low-level system
@@ -897,6 +901,9 @@ fi %changelog +* Tue Dec 09 2025 YangCheng - 2.39.1-6 +- Add patch to fix CVE-2025-14104 + * Tue Aug 19 2025 wh02252983 - 2.39.1-5 - backport community patches
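Review bot: The new guard `if (namelen > buflen)` in 0010-bugfix-for-CVE-2025-14104-2.patch does not grow the buffer when `namelen == buflen`, so in that case index `namelen` is still one past the end of the `malloc(buflen)` allocation. Safety at that boundary then rests entirely on the short-circuit order introduced by the first patch rather than on the buffer size. Changing the test to `if (namelen >= buflen)` would make the allocation itself cover the later `linebuf[namelen]` access. The declarations of `namelen` and `buflen` are outside the hunk, so it is worth confirming that the comparison does not mix signed and unsigned types.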