3 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index d506783f9a..48520ef951 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -40,6 +40,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
           file://avoid_parallel_tests.patch \
           file://0001-login-utils-include-libgen.h-for-basename-API.patch \
           file://fcntl-lock.c \
+           file://CVE-2024-28085-0001.patch \
+           file://CVE-2024-28085-0002.patch \
           "
 SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
new file mode 100644
index 0000000000..af39931b3f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
@@ -0,0 +1,36 @@
+From 07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 17 Jan 2024 12:37:08 +0100
+Subject: [PATCH] wall: fix calloc cal [-Werror=calloc-transposed-args]
+term-utils/wall.c:143:37: error: xcalloc sizes specified with sizeof in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
+  143 |         buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
+      |                                     ^
+term-utils/wall.c:143:37: note: earlier argument should specify number of elements, later size of each element
+Signed-off-by: Karel Zak <kzak@redhat.com>
+CVE: CVE-2024-28085
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ term-utils/wall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 377db45..85c006a 100644
+--- a/term-utils/wall.c
+++ b/term-utils/wall.c
+@@ -135,7 +135,7 @@ static struct group_workspace *init_group_workspace(const char *group)
+        buf->requested_group = get_group_gid(group);
+        buf->ngroups = sysconf(_SC_NGROUPS_MAX) + 1;  /* room for the primary gid */
+-       buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
+       buf->groups = xcalloc(buf->ngroups, sizeof(*buf->groups));
+        return buf;
+ }
+--
+2.40.0
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
new file mode 100644
index 0000000000..a2b914d580
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
@@ -0,0 +1,34 @@
+From 404b0781f52f7c045ca811b2dceec526408ac253 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 21 Mar 2024 11:16:20 +0100
+Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085]
+Let's use for all cases the same output function.
+Reported-by: Skyler Ferrante <sjf5462@rit.edu>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+CVE: CVE-2024-28085
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ term-utils/wall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 85c006a..0212c03 100644
+--- a/term-utils/wall.c
+++ b/term-utils/wall.c
+@@ -328,7 +328,7 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+                int i;
+                for (i = 0; i < mvecsz; i++) {
+-                       fputs(mvec[i], fs);
+                       fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
+                        if (i < mvecsz - 1)
+                                fputc(' ', fs);
+                }
+--
+2.40.0

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index d506783f9a..48520ef951 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -40,6 +40,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
40	file://avoid_parallel_tests.patch \	40	file://avoid_parallel_tests.patch \
41	file://0001-login-utils-include-libgen.h-for-basename-API.patch \	41	file://0001-login-utils-include-libgen.h-for-basename-API.patch \
42	file://fcntl-lock.c \	42	file://fcntl-lock.c \
		43	file://CVE-2024-28085-0001.patch \
		44	file://CVE-2024-28085-0002.patch \
43	"	45	"
44		46
45	SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"	47	SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"


diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch new file mode 100644 index 0000000000..af39931b3f --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
@@ -0,0 +1,36 @@
		1	From 07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Wed, 17 Jan 2024 12:37:08 +0100
		4	Subject: [PATCH] wall: fix calloc cal [-Werror=calloc-transposed-args]
		5
		6	term-utils/wall.c:143:37: error: xcalloc sizes specified with sizeof in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
		7	143 \| buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
		8	\| ^
		9	term-utils/wall.c:143:37: note: earlier argument should specify number of elements, later size of each element
		10
		11	Signed-off-by: Karel Zak <kzak@redhat.com>
		12
		13	CVE: CVE-2024-28085
		14
		15	Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b]
		16
		17	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		18	---
		19	term-utils/wall.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/term-utils/wall.c b/term-utils/wall.c
		23	index 377db45..85c006a 100644
		24	--- a/term-utils/wall.c
		25	+++ b/term-utils/wall.c
		26	@@ -135,7 +135,7 @@ static struct group_workspace init_group_workspace(const char group)
		27
		28	buf->requested_group = get_group_gid(group);
		29	buf->ngroups = sysconf(_SC_NGROUPS_MAX) + 1; /* room for the primary gid */
		30	- buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
		31	+ buf->groups = xcalloc(buf->ngroups, sizeof(*buf->groups));
		32
		33	return buf;
		34	}
		35	--
		36	2.40.0


diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch new file mode 100644 index 0000000000..a2b914d580 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
@@ -0,0 +1,34 @@
		1	From 404b0781f52f7c045ca811b2dceec526408ac253 Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Thu, 21 Mar 2024 11:16:20 +0100
		4	Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085]
		5
		6	Let's use for all cases the same output function.
		7
		8	Reported-by: Skyler Ferrante <sjf5462@rit.edu>
		9	Signed-off-by: Karel Zak <kzak@redhat.com>
		10
		11	CVE: CVE-2024-28085
		12
		13	Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253]
		14
		15	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		16	---
		17	term-utils/wall.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/term-utils/wall.c b/term-utils/wall.c
		21	index 85c006a..0212c03 100644
		22	--- a/term-utils/wall.c
		23	+++ b/term-utils/wall.c
		24	@@ -328,7 +328,7 @@ static char makemsg(char fname, char **mvec, int mvecsz,
		25	int i;
		26
		27	for (i = 0; i < mvecsz; i++) {
		28	- fputs(mvec[i], fs);
		29	+ fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
		30	if (i < mvecsz - 1)
		31	fputc(' ', fs);
		32	}
		33	--
		34	2.40.0