util-linux: patch CVE-2025-14104

Pick patches per [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-14104 (From OE-Core rev: 8f7f1562f6cba3b67cc4301702c03ab31551a155) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-12-30 21:54:20 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-01-26 09:49:25 +0000
commit: 0736fb2025a2b9cf0796420e82a7ef206b137705 (patch)
tree: 4107681868c86528e6d324289fb663e41889fcc2
parent: c942cdb0572ab065a13424aa7482404269ff9554 (diff)
download: poky-0736fb2025a2b9cf0796420e82a7ef206b137705.tar.gz
3 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index c62c6d70c3..a8b505a122 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -42,6 +42,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
           file://CVE-2024-28085-0004.patch \
           file://CVE-2024-28085-0005.patch \
           file://fstab-isolation.patch \
+           file://CVE-2025-14104-01.patch \
+           file://CVE-2025-14104-02.patch \
           "
 SRC_URI[sha256sum] = "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
new file mode 100644
index 0000000000..23677345c9
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
@@ -0,0 +1,33 @@
+From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Sat, 24 May 2025 03:16:09 +0100
+Subject: [PATCH] Update setpwnam.c
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/aaa9e718c88d6916b003da7ebcfe38a3c88df8e6]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..95e470b5a 100644
+--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
+@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+                }
+ 
+                /* Is this the username we were sent to change? */
+-               if (!found && linebuf[namelen] == ':' &&
+-                   !strncmp(linebuf, pwd->pw_name, namelen)) {
+-                       /* Yes! So go forth in the name of the Lord and
+-                        * change it!  */
+               if (!found &&
+                   strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
+                   strlen(linebuf) > namelen &&
+                   linebuf[namelen] == ':') {
+                       /* Yes! But this time let’s not walk past the end of the buffer
+                        * in the name of the Lord, SUID, or anything else. */
+                        if (putpwent(pwd, fp) < 0)
+                                goto fail;
+                        found = 1;
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
new file mode 100644
index 0000000000..9d21db2743
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
@@ -0,0 +1,28 @@
+From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Mon, 26 May 2025 10:06:02 +0100
+Subject: [PATCH] Update bufflen
+Update buflen
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/9a36d77012c4c771f8d51eba46b6e62c29bf572a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 95e470b5a..7778e98f7 100644
+--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+                goto fail;
+ 
+        namelen = strlen(pwd->pw_name);
+-
+       if (namelen > buflen)
+               buflen += namelen;
+        linebuf = malloc(buflen);
+        if (!linebuf)
+                goto fail;
author	Peter Marko <peter.marko@siemens.com>	2025-12-30 21:54:20 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-01-26 09:49:25 +0000
commit	0736fb2025a2b9cf0796420e82a7ef206b137705 (patch)
tree	4107681868c86528e6d324289fb663e41889fcc2
parent	c942cdb0572ab065a13424aa7482404269ff9554 (diff)
download	poky-0736fb2025a2b9cf0796420e82a7ef206b137705.tar.gz

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index c62c6d70c3..a8b505a122 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -42,6 +42,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
42	file://CVE-2024-28085-0004.patch \	42	file://CVE-2024-28085-0004.patch \
43	file://CVE-2024-28085-0005.patch \	43	file://CVE-2024-28085-0005.patch \
44	file://fstab-isolation.patch \	44	file://fstab-isolation.patch \
		45	file://CVE-2025-14104-01.patch \
		46	file://CVE-2025-14104-02.patch \
45	"	47	"
46		48
47	SRC_URI[sha256sum] = "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"	49	SRC_URI[sha256sum] = "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"


diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch new file mode 100644 index 0000000000..23677345c9 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
@@ -0,0 +1,33 @@
		1	From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001
		2	From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
		3	Date: Sat, 24 May 2025 03:16:09 +0100
		4	Subject: [PATCH] Update setpwnam.c
		5
		6	CVE: CVE-2025-14104
		7	Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/aaa9e718c88d6916b003da7ebcfe38a3c88df8e6]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	login-utils/setpwnam.c \| 10 ++++++----
		11	1 file changed, 6 insertions(+), 4 deletions(-)
		12
		13	diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
		14	index 3e3c1abde..95e470b5a 100644
		15	--- a/login-utils/setpwnam.c
		16	+++ b/login-utils/setpwnam.c
		17	@@ -126,10 +126,12 @@ int setpwnam(struct passwd pwd, const char prefix)
		18	}
		19
		20	/* Is this the username we were sent to change? */
		21	- if (!found && linebuf[namelen] == ':' &&
		22	- !strncmp(linebuf, pwd->pw_name, namelen)) {
		23	- /* Yes! So go forth in the name of the Lord and
		24	- * change it! */
		25	+ if (!found &&
		26	+ strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
		27	+ strlen(linebuf) > namelen &&
		28	+ linebuf[namelen] == ':') {
		29	+ /* Yes! But this time let’s not walk past the end of the buffer
		30	+ * in the name of the Lord, SUID, or anything else. */
		31	if (putpwent(pwd, fp) < 0)
		32	goto fail;
		33	found = 1;


diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch new file mode 100644 index 0000000000..9d21db2743 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
@@ -0,0 +1,28 @@
		1	From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001
		2	From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
		3	Date: Mon, 26 May 2025 10:06:02 +0100
		4	Subject: [PATCH] Update bufflen
		5
		6	Update buflen
		7
		8	CVE: CVE-2025-14104
		9	Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/9a36d77012c4c771f8d51eba46b6e62c29bf572a]
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	login-utils/setpwnam.c \| 3 ++-
		13	1 file changed, 2 insertions(+), 1 deletion(-)
		14
		15	diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
		16	index 95e470b5a..7778e98f7 100644
		17	--- a/login-utils/setpwnam.c
		18	+++ b/login-utils/setpwnam.c
		19	@@ -99,7 +99,8 @@ int setpwnam(struct passwd pwd, const char prefix)
		20	goto fail;
		21
		22	namelen = strlen(pwd->pw_name);
		23	-
		24	+ if (namelen > buflen)
		25	+ buflen += namelen;
		26	linebuf = malloc(buflen);
		27	if (!linebuf)
		28	goto fail;