@@ -47,6 +47,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://CVE-2025-14104-01.patch \
file://CVE-2025-14104-02.patch \
file://CVE-2026-27456.patch \
+ file://CVE-2026-3184.patch \
"
SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
new file mode 100644
@@ -0,0 +1,63 @@
+From bbd20203765f3d705d45b2f51201041ed94fc3a3 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 19 Feb 2026 12:20:28 +0100
+Subject: [PATCH] login: use original FQDN for PAM_RHOST
+
+When login -h <remotehost> is invoked, init_remote_info() strips the
+local domain suffix from the hostname (FQDN to short name) before
+storing it in cxt->hostname. This truncated value is then used for
+PAM_RHOST, which can bypass pam_access host deny rules that match on
+the FQDN.
+
+Preserve the original -h hostname in a new cmd_hostname field and use
+it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp
+and logging unchanged.
+
+Note, the real-world impact is low -- login -h is only used by legacy
+telnet/rlogin daemons, and exploitation requires FQDN-specific
+pam_access rules on a system still using these obsolete services.
+
+CVE: CVE-2026-3184
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984]
+
+Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit 8b29aeb081e297e48c4c1ac53d88ae07e1331984)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ login-utils/login.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/login.c b/login-utils/login.c
+index 1812b9017..211968f30 100644
+--- a/login-utils/login.c
++++ b/login-utils/login.c
+@@ -127,6 +127,7 @@ struct login_context {
+ char *thishost; /* this machine */
+ char *thisdomain; /* this machine's domain */
+ char *hostname; /* remote machine */
++ char *cmd_hostname; /* remote machine as specified on command line */
+ char hostaddress[16]; /* remote address */
+
+ pid_t pid;
+@@ -894,7 +895,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
+
+ /* hostname & tty are either set to NULL or their correct values,
+ * depending on how much we know. */
+- rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname);
++ rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname);
+ if (is_pam_failure(rc))
+ loginpam_err(pamh, rc);
+
+@@ -1231,6 +1232,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost)
+
+ get_thishost(cxt, &domain);
+
++ cxt->cmd_hostname = xstrdup(remotehost);
++
+ if (domain && (p = strchr(remotehost, '.')) &&
+ strcasecmp(p + 1, domain) == 0)
+ *p = '\0';
+--
+2.43.0
+