7 files changed, 838 insertions, 3 deletions

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 0e85603d9a..7b780352be 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -59,12 +59,13 @@ python util_linux_binpackages () {
                     continue
 
                 pkg = os.path.basename(os.readlink(file))
-                extras[pkg] = extras.get(pkg, '') + ' ' + file.replace(dvar, '', 1)
+                extras.setdefault(pkg, [])
+                extras[pkg].append(file.replace(dvar, '', 1))
 
     pn = d.getVar('PN')
     for pkg, links in extras.items():
         of = d.getVar('FILES_' + pn + '-' + pkg)
-        links = of + links
+        links = of + " " + " ".join(sorted(links))
         d.setVar('FILES_' + pn + '-' + pkg, links)
 }
 
@@ -94,7 +95,7 @@ EXTRA_OECONF = "\
     \
     --disable-bfs --disable-chfn-chsh --disable-login \
     --disable-makeinstall-chown --disable-minix --disable-newgrp \
-    --disable-use-tty-group --disable-vipw \
+    --disable-use-tty-group --disable-vipw --disable-raw \
     \
     --without-udev \
     \
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
new file mode 100644
index 0000000000..2b306c435b
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
@@ -0,0 +1,33 @@
+From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64
+ nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-37600
+Upstream-Status: Backport [1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c]
+
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index e784c4dcb..18868cfd3 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+        size_t i;
+ 
+-       if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++       if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+                return;
+ 
+        p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch
new file mode 100644
index 0000000000..1dcb66ad1d
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch
@@ -0,0 +1,139 @@
+From f3db9bd609494099f0c1b95231c5dfe383346929 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 24 Nov 2021 13:53:25 +0100
+Subject: [PATCH] libmount: fix UID check for FUSE umount [CVE-2021-3995]
+
+Improper UID check allows an unprivileged user to unmount FUSE
+filesystems of users with similar UID.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-3995
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/f3db9bd609494099f0c1b95231c5dfe383346929]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ include/strutils.h            |  2 +-
+ libmount/src/context_umount.c | 14 +++---------
+ libmount/src/mountP.h         |  1 +
+ libmount/src/optstr.c         | 42 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 47 insertions(+), 12 deletions(-)
+
+diff --git a/include/strutils.h b/include/strutils.h
+index 6e95707ea9..a84d29594d 100644
+--- a/include/strutils.h
++++ b/include/strutils.h
+@@ -91,8 +91,8 @@ static inline char *mem2strcpy(char *dest, const void *src, size_t n, size_t nma
+        if (n + 1 > nmax)
+                n = nmax - 1;
+ 
++       memset(dest, '\0', nmax);
+        memcpy(dest, src, n);
+-       dest[nmax-1] = '\0';
+        return dest;
+ }
+ 
+diff --git a/libmount/src/context_umount.c b/libmount/src/context_umount.c
+index 173637a15a..8773c65ffa 100644
+--- a/libmount/src/context_umount.c
++++ b/libmount/src/context_umount.c
+@@ -393,10 +393,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+        struct libmnt_ns *ns_old;
+        const char *type = mnt_fs_get_fstype(cxt->fs);
+        const char *optstr;
+-       char *user_id = NULL;
+-       size_t sz;
+-       uid_t uid;
+-       char uidstr[sizeof(stringify_value(ULONG_MAX))];
++       uid_t uid, entry_uid;
+ 
+        *errsv = 0;
+ 
+@@ -413,11 +410,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+        optstr = mnt_fs_get_fs_options(cxt->fs);
+        if (!optstr)
+                return 0;
+-
+-       if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0)
+-               return 0;
+-
+-       if (sz == 0 || user_id == NULL)
++       if (mnt_optstr_get_uid(optstr, "user_id", &entry_uid) != 0)
+                return 0;
+ 
+        /* get current user */
+@@ -434,8 +427,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+                return 0;
+        }
+ 
+-       snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid);
+-       return strncmp(user_id, uidstr, sz) == 0;
++       return uid == entry_uid;
+ }
+ 
+ /*
+diff --git a/libmount/src/mountP.h b/libmount/src/mountP.h
+index d43a835418..22442ec55e 100644
+--- a/libmount/src/mountP.h
++++ b/libmount/src/mountP.h
+@@ -400,6 +400,7 @@ extern const struct libmnt_optmap *mnt_optmap_get_entry(
+                             const struct libmnt_optmap **mapent);
+ 
+ /* optstr.c */
++extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid);
+ extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end);
+ extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next);
+ extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next);
+diff --git a/libmount/src/optstr.c b/libmount/src/optstr.c
+index 921b9318e7..16800f571c 100644
+--- a/libmount/src/optstr.c
++++ b/libmount/src/optstr.c
+@@ -1090,6 +1090,48 @@ int mnt_optstr_fix_user(char **optstr)
+        return rc;
+ }
+ 
++/*
++ * Converts value from @optstr addressed by @name to uid.
++ *
++ * Returns: 0 on success, 1 if not found, <0 on error
++ */
++int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)
++{
++       char *value = NULL;
++       size_t valsz = 0;
++       char buf[sizeof(stringify_value(UINT64_MAX))];
++       int rc;
++       uint64_t num;
++
++       assert(optstr);
++       assert(name);
++       assert(uid);
++
++       rc = mnt_optstr_get_option(optstr, name, &value, &valsz);
++       if (rc != 0)
++               goto fail;
++
++       if (valsz > sizeof(buf) - 1) {
++               rc = -ERANGE;
++               goto fail;
++       }
++       mem2strcpy(buf, value, valsz, sizeof(buf));
++
++       rc = ul_strtou64(buf, &num, 10);
++       if (rc != 0)
++               goto fail;
++       if (num > ULONG_MAX || (uid_t) num != num) {
++               rc = -ERANGE;
++               goto fail;
++       }
++       *uid = (uid_t) num;
++
++       return 0;
++fail:
++       DBG(UTILS, ul_debug("failed to convert '%s'= to number [rc=%d]", name, rc));
++       return rc;
++}
++
+ /**
+  * mnt_match_options:
+  * @optstr: options string
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch
new file mode 100644
index 0000000000..1610b5a0fe
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch
@@ -0,0 +1,226 @@
+From 018a10907fa9885093f6d87401556932c2d8bd2b Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 4 Jan 2022 10:54:20 +0100
+Subject: [PATCH] libmount: fix (deleted) suffix issue [CVE-2021-3996]
+
+This issue is related to parsing the /proc/self/mountinfo file allows an
+unprivileged user to unmount other user's filesystems that are either
+world-writable themselves or mounted in a world-writable directory.
+
+The support for "(deleted)" is no more necessary as the Linux kernel does
+not use it in /proc/self/mountinfo and /proc/self/mount files anymore.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-3996
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/018a10907fa9885093f6d87401556932c2d8bd2b]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ libmount/src/tab_parse.c                            |  5 -----
+ tests/expected/findmnt/filter-options               |  1 -
+ tests/expected/findmnt/filter-options-nameval-neg   |  3 +--
+ tests/expected/findmnt/filter-types-neg             |  1 -
+ tests/expected/findmnt/outputs-default              |  3 +--
+ tests/expected/findmnt/outputs-force-tree           |  3 +--
+ tests/expected/findmnt/outputs-kernel               |  3 +--
+ tests/expected/libmount/tabdiff-mount               |  1 -
+ tests/expected/libmount/tabdiff-move                |  1 -
+ tests/expected/libmount/tabdiff-remount             |  1 -
+ tests/expected/libmount/tabdiff-umount              |  1 -
+ tests/expected/libmount/tabfiles-parse-mountinfo    | 11 -----------
+ tests/expected/libmount/tabfiles-py-parse-mountinfo | 11 -----------
+ tests/ts/findmnt/files/mountinfo                    |  1 -
+ tests/ts/findmnt/files/mountinfo-nonroot            |  1 -
+ tests/ts/libmount/files/mountinfo                   |  1 -
+ 16 files changed, 4 insertions(+), 44 deletions(-)
+
+diff --git a/libmount/src/tab_parse.c b/libmount/src/tab_parse.c
+index 917779ab6d..4407f9c9c7 100644
+--- a/libmount/src/tab_parse.c
++++ b/libmount/src/tab_parse.c
+@@ -225,11 +225,6 @@ static int mnt_parse_mountinfo_line(struct libmnt_fs *fs, const char *s)
+                goto fail;
+        }
+ 
+-       /* remove "\040(deleted)" suffix */
+-       p = (char *) endswith(fs->target, PATH_DELETED_SUFFIX);
+-       if (p && *p)
+-               *p = '\0';
+-
+        s = skip_separator(s);
+ 
+        /* (6) vfs options (fs-independent) */
+diff --git a/tests/expected/findmnt/filter-options b/tests/expected/findmnt/filter-options
+index 2606bce76b..97b0ead0ad 100644
+--- a/tests/expected/findmnt/filter-options
++++ b/tests/expected/findmnt/filter-options
+@@ -28,5 +28,4 @@ TARGET                       SOURCE           FSTYPE                OPTIONS
+ /home/kzak/.gvfs             gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ /var/lib/nfs/rpc_pipefs      sunrpc           rpc_pipefs            rw,relatime
+ /mnt/sounds                  //foo.home/bar/  cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-/mnt/foo                     /fooooo          bar                   rw,relatime
+ rc=0
+diff --git a/tests/expected/findmnt/filter-options-nameval-neg b/tests/expected/findmnt/filter-options-nameval-neg
+index 5471d65af1..f0467ef755 100644
+--- a/tests/expected/findmnt/filter-options-nameval-neg
++++ b/tests/expected/findmnt/filter-options-nameval-neg
+@@ -29,6 +29,5 @@ TARGET                         SOURCE                FSTYPE                OPTIO
+ |-/home/kzak                   /dev/mapper/kzak-home ext4                  rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs           gvfs-fuse-daemon      fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs      sunrpc                rpc_pipefs            rw,relatime
+-|-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo                     /fooooo               bar                   rw,relatime
++`-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/findmnt/filter-types-neg b/tests/expected/findmnt/filter-types-neg
+index 2606bce76b..97b0ead0ad 100644
+--- a/tests/expected/findmnt/filter-types-neg
++++ b/tests/expected/findmnt/filter-types-neg
+@@ -28,5 +28,4 @@ TARGET                       SOURCE           FSTYPE                OPTIONS
+ /home/kzak/.gvfs             gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ /var/lib/nfs/rpc_pipefs      sunrpc           rpc_pipefs            rw,relatime
+ /mnt/sounds                  //foo.home/bar/  cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-/mnt/foo                     /fooooo          bar                   rw,relatime
+ rc=0
+diff --git a/tests/expected/findmnt/outputs-default b/tests/expected/findmnt/outputs-default
+index 59495797bd..01599355ec 100644
+--- a/tests/expected/findmnt/outputs-default
++++ b/tests/expected/findmnt/outputs-default
+@@ -30,6 +30,5 @@ TARGET                         SOURCE                FSTYPE                OPTIO
+ |-/home/kzak                   /dev/mapper/kzak-home ext4                  rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs           gvfs-fuse-daemon      fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs      sunrpc                rpc_pipefs            rw,relatime
+-|-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo                     /fooooo               bar                   rw,relatime
++`-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/findmnt/outputs-force-tree b/tests/expected/findmnt/outputs-force-tree
+index 59495797bd..01599355ec 100644
+--- a/tests/expected/findmnt/outputs-force-tree
++++ b/tests/expected/findmnt/outputs-force-tree
+@@ -30,6 +30,5 @@ TARGET                         SOURCE                FSTYPE                OPTIO
+ |-/home/kzak                   /dev/mapper/kzak-home ext4                  rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs           gvfs-fuse-daemon      fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs      sunrpc                rpc_pipefs            rw,relatime
+-|-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo                     /fooooo               bar                   rw,relatime
++`-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/findmnt/outputs-kernel b/tests/expected/findmnt/outputs-kernel
+index 59495797bd..01599355ec 100644
+--- a/tests/expected/findmnt/outputs-kernel
++++ b/tests/expected/findmnt/outputs-kernel
+@@ -30,6 +30,5 @@ TARGET                         SOURCE                FSTYPE                OPTIO
+ |-/home/kzak                   /dev/mapper/kzak-home ext4                  rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs           gvfs-fuse-daemon      fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs      sunrpc                rpc_pipefs            rw,relatime
+-|-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo                     /fooooo               bar                   rw,relatime
++`-/mnt/sounds                  //foo.home/bar/       cifs                  rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/libmount/tabdiff-mount b/tests/expected/libmount/tabdiff-mount
+index 420aeacd5e..3c18f8dc4f 100644
+--- a/tests/expected/libmount/tabdiff-mount
++++ b/tests/expected/libmount/tabdiff-mount
+@@ -1,3 +1,2 @@
+ /dev/mapper/kzak-home on /home/kzak: MOUNTED
+-/fooooo on /mnt/foo: MOUNTED
+ tmpfs on /mnt/test/foo
bar: MOUNTED
+diff --git a/tests/expected/libmount/tabdiff-move b/tests/expected/libmount/tabdiff-move
+index 24f9bc791b..95820d93ef 100644
+--- a/tests/expected/libmount/tabdiff-move
++++ b/tests/expected/libmount/tabdiff-move
+@@ -1,3 +1,2 @@
+ //foo.home/bar/ on /mnt/music: MOVED to /mnt/music
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo
bar: UMOUNTED
+diff --git a/tests/expected/libmount/tabdiff-remount b/tests/expected/libmount/tabdiff-remount
+index 82ebeab390..876bfd9539 100644
+--- a/tests/expected/libmount/tabdiff-remount
++++ b/tests/expected/libmount/tabdiff-remount
+@@ -1,4 +1,3 @@
+ /dev/mapper/kzak-home on /home/kzak: REMOUNTED from 'rw,noatime,barrier=1,data=ordered' to 'ro,noatime,barrier=1,data=ordered'
+ //foo.home/bar/ on /mnt/sounds: REMOUNTED from 'rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344' to 'ro,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344'
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo
bar: UMOUNTED
+diff --git a/tests/expected/libmount/tabdiff-umount b/tests/expected/libmount/tabdiff-umount
+index a3e0fe48a1..c7be725b92 100644
+--- a/tests/expected/libmount/tabdiff-umount
++++ b/tests/expected/libmount/tabdiff-umount
+@@ -1,3 +1,2 @@
+ /dev/mapper/kzak-home on /home/kzak: UMOUNTED
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo
bar: UMOUNTED
+diff --git a/tests/expected/libmount/tabfiles-parse-mountinfo b/tests/expected/libmount/tabfiles-parse-mountinfo
+index 47eb770061..d5ba5248e4 100644
+--- a/tests/expected/libmount/tabfiles-parse-mountinfo
++++ b/tests/expected/libmount/tabfiles-parse-mountinfo
+@@ -351,17 +351,6 @@ id:     47
+ parent: 20
+ devno:  0:38
+ ------ fs:
+-source: /fooooo
+-target: /mnt/foo
+-fstype: bar
+-optstr: rw,relatime
+-VFS-optstr: rw,relatime
+-FS-opstr: rw
+-root:   /
+-id:     48
+-parent: 20
+-devno:  0:39
+------- fs:
+ source: tmpfs
+ target: /mnt/test/foo
bar
+ fstype: tmpfs
+diff --git a/tests/expected/libmount/tabfiles-py-parse-mountinfo b/tests/expected/libmount/tabfiles-py-parse-mountinfo
+index 47eb770061..d5ba5248e4 100644
+--- a/tests/expected/libmount/tabfiles-py-parse-mountinfo
++++ b/tests/expected/libmount/tabfiles-py-parse-mountinfo
+@@ -351,17 +351,6 @@ id:     47
+ parent: 20
+ devno:  0:38
+ ------ fs:
+-source: /fooooo
+-target: /mnt/foo
+-fstype: bar
+-optstr: rw,relatime
+-VFS-optstr: rw,relatime
+-FS-opstr: rw
+-root:   /
+-id:     48
+-parent: 20
+-devno:  0:39
+------- fs:
+ source: tmpfs
+ target: /mnt/test/foo
bar
+ fstype: tmpfs
+diff --git a/tests/ts/findmnt/files/mountinfo b/tests/ts/findmnt/files/mountinfo
+index 475ea1a337..ff1e664a84 100644
+--- a/tests/ts/findmnt/files/mountinfo
++++ b/tests/ts/findmnt/files/mountinfo
+@@ -30,4 +30,3 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+diff --git a/tests/ts/findmnt/files/mountinfo-nonroot b/tests/ts/findmnt/files/mountinfo-nonroot
+index e15b467016..87b421d2ef 100644
+--- a/tests/ts/findmnt/files/mountinfo-nonroot
++++ b/tests/ts/findmnt/files/mountinfo-nonroot
+@@ -29,4 +29,3 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+diff --git a/tests/ts/libmount/files/mountinfo b/tests/ts/libmount/files/mountinfo
+index c063071833..2b01740481 100644
+--- a/tests/ts/libmount/files/mountinfo
++++ b/tests/ts/libmount/files/mountinfo
+@@ -30,5 +30,4 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+ 49 20 0:56 / /mnt/test/foo
bar rw,relatime shared:323 - tmpfs tmpfs rw
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
new file mode 100644
index 0000000000..54b496ea3f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
@@ -0,0 +1,161 @@
+From faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 10 Feb 2022 12:03:17 +0100
+Subject: [PATCH] chsh, chfn: remove readline support [CVE-2022-0563]
+
+The readline library uses INPUTRC= environment variable to get a path
+to the library config file. When the library cannot parse the
+specified file, it prints an error message containing data from the
+file.
+
+Unfortunately, the library does not use secure_getenv() (or a similar
+concept) to avoid vulnerabilities that could occur if set-user-ID or
+set-group-ID programs.
+
+Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
+
+CVE: CVE-2022-0563
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ login-utils/Makemodule.am |  2 +-
+ login-utils/chfn.c        | 16 +++------------
+ login-utils/chsh.c        | 42 ++-------------------------------------
+ 3 files changed, 6 insertions(+), 54 deletions(-)
+
+diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
+index fac5bfc..73636af 100644
+--- a/login-utils/Makemodule.am
++++ b/login-utils/Makemodule.am
+@@ -82,7 +82,7 @@ chfn_chsh_sources = \
+        login-utils/ch-common.c
+ chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS)
+ chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
+-chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS)
++chfn_chsh_ldadd = libcommon.la
+ 
+ if CHFN_CHSH_PASSWORD
+ chfn_chsh_ldadd += -lpam
+diff --git a/login-utils/chfn.c b/login-utils/chfn.c
+index b739555..2f8e44a 100644
+--- a/login-utils/chfn.c
++++ b/login-utils/chfn.c
+@@ -56,11 +56,6 @@
+ # include "auth.h"
+ #endif
+ 
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct finfo {
+        char *full_name;
+        char *office;
+@@ -229,22 +224,17 @@ static char *ask_new_field(struct chfn_control *ctl, const char *question,
+ {
+        int len;
+        char *buf;
+-#ifndef HAVE_LIBREADLINE
+-       size_t dummy = 0;
+-#endif
+ 
+        if (!def_val)
+                def_val = "";
++
+        while (true) {
+                printf("%s [%s]: ", question, def_val);
+                __fpurge(stdin);
+-#ifdef HAVE_LIBREADLINE
+-               rl_bind_key('\t', rl_insert);
+-               if ((buf = readline(NULL)) == NULL)
+-#else
++
+                if (getline(&buf, &dummy, stdin) < 0)
+-#endif
+                        errx(EXIT_FAILURE, _("Aborted."));
++
+                /* remove white spaces from string end */
+                ltrim_whitespace((unsigned char *) buf);
+                len = rtrim_whitespace((unsigned char *) buf);
+diff --git a/login-utils/chsh.c b/login-utils/chsh.c
+index a9ebec8..ee6ff87 100644
+--- a/login-utils/chsh.c
++++ b/login-utils/chsh.c
+@@ -58,11 +58,6 @@
+ # include "auth.h"
+ #endif
+ 
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct sinfo {
+        char *username;
+        char *shell;
+@@ -121,33 +116,6 @@ static void print_shells(void)
+        endusershell();
+ }
+ 
+-#ifdef HAVE_LIBREADLINE
+-static char *shell_name_generator(const char *text, int state)
+-{
+-       static size_t len;
+-       char *s;
+-
+-       if (!state) {
+-               setusershell();
+-               len = strlen(text);
+-       }
+-
+-       while ((s = getusershell())) {
+-               if (strncmp(s, text, len) == 0)
+-                       return xstrdup(s);
+-       }
+-       return NULL;
+-}
+-
+-static char **shell_name_completion(const char *text,
+-                                   int start __attribute__((__unused__)),
+-                                   int end __attribute__((__unused__)))
+-{
+-       rl_attempted_completion_over = 1;
+-       return rl_completion_matches(text, shell_name_generator);
+-}
+-#endif
+-
+ /*
+  *  parse_argv () --
+  *     parse the command line arguments, and fill in "pinfo" with any
+@@ -198,20 +166,14 @@ static char *ask_new_shell(char *question, char *oldshell)
+ {
+        int len;
+        char *ans = NULL;
+-#ifdef HAVE_LIBREADLINE
+-       rl_attempted_completion_function = shell_name_completion;
+-#else
+        size_t dummy = 0;
+-#endif
++
+        if (!oldshell)
+                oldshell = "";
+        printf("%s [%s]\n", question, oldshell);
+-#ifdef HAVE_LIBREADLINE
+-       if ((ans = readline("> ")) == NULL)
+-#else
+        if (getline(&ans, &dummy, stdin) < 0)
+-#endif
+                return NULL;
++
+        /* remove the newline at the end of ans. */
+        ltrim_whitespace((unsigned char *) ans);
+        len = rtrim_whitespace((unsigned char *) ans);
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch b/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch
new file mode 100644
index 0000000000..5d5a370821
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch
@@ -0,0 +1,270 @@
+From 84825b161ba5d18da4142893b9789b3fc71284d9 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 22 Jun 2021 14:20:42 +0200
+Subject: [PATCH] include/strutils: cleanup strto..() functions
+
+* add ul_strtos64() and ul_strtou64()
+* add simple test
+
+Addresses: https://github.com/karelzak/util-linux/issues/1358
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-Backport: [https://github.com/util-linux/util-linux/commit/84825b161ba5d18da4142893b9789b3fc71284d9]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ include/strutils.h |   3 +
+ lib/strutils.c     | 174 ++++++++++++++++++++++++++-------------------
+ 2 files changed, 105 insertions(+), 72 deletions(-)
+
+diff --git a/include/strutils.h b/include/strutils.h
+index e75a2f0e17..389e849905 100644
+--- a/include/strutils.h
++++ b/include/strutils.h
+@@ -19,6 +19,9 @@ extern int parse_size(const char *str, uintmax_t *res, int *power);
+ extern int strtosize(const char *str, uintmax_t *res);
+ extern uintmax_t strtosize_or_err(const char *str, const char *errmesg);
+ 
++extern int ul_strtos64(const char *str, int64_t *num, int base);
++extern int ul_strtou64(const char *str, uint64_t *num, int base);
++
+ extern int16_t strtos16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtou16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtox16_or_err(const char *str, const char *errmesg);
+diff --git a/lib/strutils.c b/lib/strutils.c
+index ee2c835495..d9976dca70 100644
+--- a/lib/strutils.c
++++ b/lib/strutils.c
+@@ -319,39 +319,80 @@ char *strndup(const char *s, size_t n)
+ }
+ #endif
+ 
+-static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base);
+-static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base);
++/*
++ * convert strings to numbers; returns <0 on error, and 0 on success
++ */
++int ul_strtos64(const char *str, int64_t *num, int base)
++{
++       char *end = NULL;
+ 
+-int16_t strtos16_or_err(const char *str, const char *errmesg)
++       errno = 0;
++       if (str == NULL || *str == '\0')
++               return -EINVAL;
++       *num = (int64_t) strtoimax(str, &end, base);
++
++       if (errno || str == end || (end && *end))
++               return -EINVAL;
++       return 0;
++}
++
++int ul_strtou64(const char *str, uint64_t *num, int base)
+ {
+-       int32_t num = strtos32_or_err(str, errmesg);
++       char *end = NULL;
+ 
+-       if (num < INT16_MIN || num > INT16_MAX) {
+-               errno = ERANGE;
+-               err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+-       }
+-       return num;
++       errno = 0;
++       if (str == NULL || *str == '\0')
++               return -EINVAL;
++       *num = (uint64_t) strtoumax(str, &end, base);
++
++       if (errno || str == end || (end && *end))
++               return -EINVAL;
++       return 0;
+ }
+ 
+-static uint16_t _strtou16_or_err(const char *str, const char *errmesg, int base)
++/*
++ * Covert strings to numbers and print message on error.
++ *
++ * Note that hex functions (strtox..()) returns unsigned numbers, if you need
++ * something else then use ul_strtos64(s, &n, 16).
++ */
++int64_t strtos64_or_err(const char *str, const char *errmesg)
+ {
+-       uint32_t num = _strtou32_or_err(str, errmesg, base);
++       int64_t num = 0;
+ 
+-       if (num > UINT16_MAX) {
+-               errno = ERANGE;
+-               err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++       if (ul_strtos64(str, &num, 10) != 0) {
++               if (errno == ERANGE)
++                       err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++
++               errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+        }
+        return num;
+ }
+ 
+-uint16_t strtou16_or_err(const char *str, const char *errmesg)
++uint64_t strtou64_or_err(const char *str, const char *errmesg)
+ {
+-       return _strtou16_or_err(str, errmesg, 10);
++       uint64_t num = 0;
++
++       if (ul_strtou64(str, &num, 10)) {
++               if (errno == ERANGE)
++                       err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++
++               errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++       }
++       return num;
+ }
+ 
+-uint16_t strtox16_or_err(const char *str, const char *errmesg)
++uint64_t strtox64_or_err(const char *str, const char *errmesg)
+ {
+-       return _strtou16_or_err(str, errmesg, 16);
++       uint64_t num = 0;
++
++       if (ul_strtou64(str, &num, 16)) {
++               if (errno == ERANGE)
++                       err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++
++               errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++       }
++       return num;
+ }
+ 
+ int32_t strtos32_or_err(const char *str, const char *errmesg)
+@@ -365,9 +406,9 @@ int32_t strtos32_or_err(const char *str, const char *errmesg)
+        return num;
+ }
+ 
+-static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base)
++uint32_t strtou32_or_err(const char *str, const char *errmesg)
+ {
+-       uint64_t num = _strtou64_or_err(str, errmesg, base);
++       uint64_t num = strtou64_or_err(str, errmesg);
+ 
+        if (num > UINT32_MAX) {
+                errno = ERANGE;
+@@ -376,66 +417,48 @@ static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base)
+        return num;
+ }
+ 
+-uint32_t strtou32_or_err(const char *str, const char *errmesg)
+-{
+-       return _strtou32_or_err(str, errmesg, 10);
+-}
+-
+ uint32_t strtox32_or_err(const char *str, const char *errmesg)
+ {
+-       return _strtou32_or_err(str, errmesg, 16);
++       uint64_t num = strtox64_or_err(str, errmesg);
++
++       if (num > UINT32_MAX) {
++               errno = ERANGE;
++               err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++       }
++       return num;
+ }
+ 
+-int64_t strtos64_or_err(const char *str, const char *errmesg)
++int16_t strtos16_or_err(const char *str, const char *errmesg)
+ {
+-       int64_t num;
+-       char *end = NULL;
+-
+-       errno = 0;
+-       if (str == NULL || *str == '\0')
+-               goto err;
+-       num = strtoimax(str, &end, 10);
+-
+-       if (errno || str == end || (end && *end))
+-               goto err;
++       int64_t num = strtos64_or_err(str, errmesg);
+ 
+-       return num;
+-err:
+-       if (errno == ERANGE)
++       if (num < INT16_MIN || num > INT16_MAX) {
++               errno = ERANGE;
+                err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+-
+-       errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++       }
++       return num;
+ }
+ 
+-static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base)
++uint16_t strtou16_or_err(const char *str, const char *errmesg)
+ {
+-       uintmax_t num;
+-       char *end = NULL;
+-
+-       errno = 0;
+-       if (str == NULL || *str == '\0')
+-               goto err;
+-       num = strtoumax(str, &end, base);
+-
+-       if (errno || str == end || (end && *end))
+-               goto err;
++       uint64_t num = strtou64_or_err(str, errmesg);
+ 
+-       return num;
+-err:
+-       if (errno == ERANGE)
++       if (num > UINT16_MAX) {
++               errno = ERANGE;
+                err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+-
+-       errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++       }
++       return num;
+ }
+ 
+-uint64_t strtou64_or_err(const char *str, const char *errmesg)
++uint16_t strtox16_or_err(const char *str, const char *errmesg)
+ {
+-       return _strtou64_or_err(str, errmesg, 10);
+-}
++       uint64_t num = strtox64_or_err(str, errmesg);
+ 
+-uint64_t strtox64_or_err(const char *str, const char *errmesg)
+-{
+-       return _strtou64_or_err(str, errmesg, 16);
++       if (num > UINT16_MAX) {
++               errno = ERANGE;
++               err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++       }
++       return num;
+ }
+ 
+ double strtod_or_err(const char *str, const char *errmesg)
+@@ -1051,15 +1051,25 @@ static int test_strutils_cmp_paths(int a
+ 
+ int main(int argc, char *argv[])
+ {
+-       if (argc == 3 && strcmp(argv[1], "--size") == 0)
++       if (argc == 3 && strcmp(argv[1], "--size") == 0) {
+                return test_strutils_sizes(argc - 1, argv + 1);
+ 
+-       else if (argc == 4 && strcmp(argv[1], "--cmp-paths") == 0)
++       } else if (argc == 4 && strcmp(argv[1], "--cmp-paths") == 0) {
+                return test_strutils_cmp_paths(argc - 1, argv + 1);
+ 
++       } else if (argc == 3 && strcmp(argv[1], "--str2num") == 0) {
++               uint64_t n;
++
++               if (ul_strtou64(argv[2], &n, 10) == 0) {
++                       printf("'%s' --> %ju\n", argv[2], (uintmax_t) n);
++                       return EXIT_SUCCESS;
++               }
++       }
++
+        else {
+                fprintf(stderr, "usage: %1$s --size <number>[suffix]\n"
+-                               "       %1$s --cmp-paths <path> <path>\n",
++                               "       %1$s --cmp-paths <path> <path>\n"
++                               "       %1$s --num2num <str>\n",
+                                argv[0]);
+                exit(EXIT_FAILURE);
+        }
diff --git a/meta/recipes-core/util-linux/util-linux_2.35.1.bb b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
index 516b783887..89dc564ecb 100644
--- a/meta/recipes-core/util-linux/util-linux_2.35.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
@@ -11,6 +11,11 @@ SRC_URI += "file://configure-sbindir.patch \
             file://0001-libfdisk-script-accept-sector-size-ignore-unknown-he.patch \
             file://0001-kill-include-sys-types.h-before-checking-SYS_pidfd_s.patch \
             file://0001-include-cleanup-pidfd-inckudes.patch \
+            file://CVE-2021-37600.patch \
+            file://include-strutils-cleanup-strto-functions.patch \
+            file://CVE-2021-3995.patch \
+            file://CVE-2021-3996.patch \
+            file://CVE-2022-0563.patch \
 "
 SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"
 SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"