From patchwork Wed May 20 10:59:58 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hugo Simeliere
X-Patchwork-Id: 88529
X-Patchwork-Delegate: jeremy.rosen@smile.fr
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)", Bruno VERNAY
Subject: [OE-core][scarthgap][PATCH 1/2] util-linux: Fix CVE-2026-27456
Date: Wed, 20 May 2026 12:59:58 +0200
Message-ID: <20260520105959.3115597-1-hsimeliere.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237446

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patch from [1] as 2.39.x upstream backport of [2] mentioned in Debian report in [3].

[1] https://github.com/util-linux/util-linux/commit/79164668a412b71fcb1495c7d299cc5e9741fa30
[2] https://github.com/util-linux/util-linux/commit/0ba0f14caa812349424df0da00ac2d97fee9d972
[3] https://security-tracker.debian.org/tracker/CVE-2026-27456

Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY --- meta/recipes-core/util-linux/util-linux.inc | 1 + .../util-linux/CVE-2026-27456.patch | 115 ++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 4797682c5d..8380419634 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -46,6 +46,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://sys-utils-hwclock-rtc-fix-pointer-usage.patch \ file://CVE-2025-14104-01.patch \ file://CVE-2025-14104-02.patch \ + file://CVE-2026-27456.patch \ " SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f" diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch b/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch new file mode 100644 index 0000000000..4a5fef26d3 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch 
@@ -0,0 +1,115 @@ +From af0b619f8eb15f738c69e33e0bb3a794e9cccf17 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 19 Feb 2026 13:59:46 +0100 +Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks + +Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that +prevents symlink following in both path canonicalization and file open. + +When set: +- loopcxt_set_backing_file() uses strdup() instead of + ul_canonicalize_path() (which calls realpath() and follows symlinks) +- loopcxt_setup_device() adds O_NOFOLLOW to open() flags + +The flag is set for non-root (restricted) mount operations in +libmount's loop device hook. This prevents a TOCTOU race condition +where an attacker could replace the backing file (specified in +/etc/fstab) with a symlink to an arbitrary root-owned file between +path resolution and open(). + +Vulnerable Code Flow: + + mount /mnt/point (non-root, SUID) + mount.c: sanitize_paths() on user args (mountpoint only) + mnt_context_mount() + mnt_context_prepare_mount() + mnt_context_apply_fstab() <-- source path from fstab + hooks run at MNT_STAGE_PREP_SOURCE + hook_loopdev.c: setup_loopdev() + backing_file = fstab source path ("/home/user/disk.img") + loopcxt_set_backing_file() <-- calls realpath() as ROOT + ul_canonicalize_path() <-- follows symlinks! + loopcxt_setup_device() + open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW + +Two vulnerabilities in the path: + +1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses + realpath() -- this follows symlinks as euid=0. If the attacker swaps + the file to a symlink before this call, lc->filename becomes the + resolved target path (e.g., /root/secret.img). + +2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even + if canonicalization happened correctly, the file can be swapped to a + symlink between canonicalize and open. 
+ +CVE: CVE-2026-27456 +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/79164668a412b71fcb1495c7d299cc5e9741fa30] + +Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g +Signed-off-by: Karel Zak +(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4) +(cherry picked from commit 79164668a412b71fcb1495c7d299cc5e9741fa30) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + include/loopdev.h | 3 ++- + lib/loopdev.c | 7 ++++++- + libmount/src/hook_loopdev.c | 3 ++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/include/loopdev.h b/include/loopdev.h +index 903adc491..d03e9b65e 100644 +--- a/include/loopdev.h ++++ b/include/loopdev.h +@@ -139,7 +139,8 @@ enum { + LOOPDEV_FL_NOIOCTL = (1 << 6), + LOOPDEV_FL_DEVSUBDIR = (1 << 7), + LOOPDEV_FL_CONTROL = (1 << 8), /* system with /dev/loop-control */ +- LOOPDEV_FL_SIZELIMIT = (1 << 9) ++ LOOPDEV_FL_SIZELIMIT = (1 << 9), ++ LOOPDEV_FL_NOFOLLOW = (1 << 10) /* O_NOFOLLOW, don't follow symlinks */ + }; + + /* +diff --git a/lib/loopdev.c b/lib/loopdev.c +index dd9ead3ee..4da251812 100644 +--- a/lib/loopdev.c ++++ b/lib/loopdev.c +@@ -1193,7 +1193,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename) + if (!lc) + return -EINVAL; + +- lc->filename = canonicalize_path(filename); ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ lc->filename = strdup(filename); ++ else ++ lc->filename = canonicalize_path(filename); + if (!lc->filename) + return -errno; + +@@ -1332,6 +1335,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc) + + if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO) + flags |= O_DIRECT; ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ flags |= O_NOFOLLOW; + + if ((file_fd = open(lc->filename, mode | flags)) < 0) { + if (mode != O_RDONLY && (errno == EROFS || errno == EACCES)) +diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c +index 8c8f7f218..ce39a7a70 100644 +--- 
a/libmount/src/hook_loopdev.c ++++ b/libmount/src/hook_loopdev.c +@@ -276,7 +276,8 @@ static int setup_loopdev(struct libmnt_context *cxt, + } + + DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device")); +- rc = loopcxt_init(&lc, 0); ++ rc = loopcxt_init(&lc, ++ mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0); + if (rc) + goto done_no_deinit; + if (mnt_opt_has_value(loopopt)) { +-- +2.43.0 + From patchwork Wed May 20 10:59:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugo Simeliere X-Patchwork-Id: 88530 X-Patchwork-Delegate: jeremy.rosen@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2FCAACD4F54 for ; Wed, 20 May 2026 11:01:30 +0000 (UTC) Received: from mx-relay149-hz1-if1.hornetsecurity.com (mx-relay149-hz1-if1.hornetsecurity.com [94.100.128.159]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9546.1779274879856526987 for ; Wed, 20 May 2026 04:01:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@witekio.com header.s=selector1 header.b=EHm2yGgX; spf=permerror, err=parse error for token &{10 18 spf.hornetsecurity.com}: limit exceeded (domain: witekio.com, ip: 94.100.128.159, mailfrom: hsimeliere@witekio.com) ARC-Authentication-Results: i=2; mx-gate149-hz1.hornetsecurity.com 1; spf=pass reason=mailfrom (ip=40.107.162.113, headerfrom=witekio.com) smtp.mailfrom=witekio.com smtp.helo=pa4pr04cu001.outbound.protection.outlook.com; dkim=pass header.d=witekio.com header.s=selector1 header.a=rsa-sha256; dmarc=pass header.from=witekio.com orig.disposition=pass ARC-Message-Signature: a=rsa-sha256; bh=0LGFmN9WB4W37wGTW6p+2faN4YJwxn7wmfdhiTxVS94=; c=relaxed/relaxed; d=hornetsecurity.com; h=from:to:date:subject:mime-version:; i=2; s=hse1; 
t=1779274874;
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)", Bruno VERNAY
Subject: [OE-core][scarthgap][PATCH 2/2] util-linux: Fix CVE-2026-3184
Date: Wed, 20 May 2026 12:59:59 +0200
Message-ID: <20260520105959.3115597-2-hsimeliere.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260520105959.3115597-1-hsimeliere.opensource@witekio.com>
References: <20260520105959.3115597-1-hsimeliere.opensource@witekio.com>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed,
20 May 2026 11:01:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237447 From: "Hugo SIMELIERE (Schneider Electric)" Pick patch from [1] as mentioned in Debian report in [2]. [1] https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984 [2] https://security-tracker.debian.org/tracker/CVE-2026-3184 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY --- meta/recipes-core/util-linux/util-linux.inc | 1 + .../util-linux/util-linux/CVE-2026-3184.patch | 63 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 8380419634..961a7318aa 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -47,6 +47,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://CVE-2025-14104-01.patch \ file://CVE-2025-14104-02.patch \ file://CVE-2026-27456.patch \ + file://CVE-2026-3184.patch \ " SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f" diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch b/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch new file mode 100644 index 0000000000..933adb3250 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch 
@@ -0,0 +1,63 @@ +From bbd20203765f3d705d45b2f51201041ed94fc3a3 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 19 Feb 2026 12:20:28 +0100 +Subject: [PATCH] login: use original FQDN for PAM_RHOST + +When login -h is invoked, init_remote_info() strips the +local domain suffix from the hostname (FQDN to short name) before +storing it in cxt->hostname. This truncated value is then used for +PAM_RHOST, which can bypass pam_access host deny rules that match on +the FQDN. + +Preserve the original -h hostname in a new cmd_hostname field and use +it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp +and logging unchanged. + +Note, the real-world impact is low -- login -h is only used by legacy +telnet/rlogin daemons, and exploitation requires FQDN-specific +pam_access rules on a system still using these obsolete services. + +CVE: CVE-2026-3184 +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984] + +Reported-by: Asim Viladi Oglu Manizada +Signed-off-by: Karel Zak +(cherry picked from commit 8b29aeb081e297e48c4c1ac53d88ae07e1331984) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + login-utils/login.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/login-utils/login.c b/login-utils/login.c +index 1812b9017..211968f30 100644 +--- a/login-utils/login.c ++++ b/login-utils/login.c +@@ -127,6 +127,7 @@ struct login_context { + char *thishost; /* this machine */ + char *thisdomain; /* this machine's domain */ + char *hostname; /* remote machine */ ++ char *cmd_hostname; /* remote machine as specified on command line */ + char hostaddress[16]; /* remote address */ + + pid_t pid; +@@ -894,7 +895,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt) + + /* hostname & tty are either set to NULL or their correct values, + * depending on how much we know. 
*/ +- rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname); ++ rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname); + if (is_pam_failure(rc)) + loginpam_err(pamh, rc); + +@@ -1231,6 +1232,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost) + + get_thishost(cxt, &domain); + ++ cxt->cmd_hostname = xstrdup(remotehost); ++ + if (domain && (p = strchr(remotehost, '.')) && + strcasecmp(p + 1, domain) == 0) + *p = '\0'; +-- +2.43.0 +
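
Review bot: In include/loopdev.h (patch 1/2), the comment on LOOPDEV_FL_NOFOLLOW mentions only O_NOFOLLOW, but in lib/loopdev.c the same flag also makes loopcxt_set_backing_file() skip canonicalize_path() and keep the name as given via strdup(). That check reads lc->flags at call time, so the flag has its full effect only when it is already set before the backing file is assigned, as hook_loopdev.c does by passing it to loopcxt_init(). Suggest extending the comment to cover both effects and the ordering, for example "don't canonicalize the backing file, open it with O_NOFOLLOW; set before loopcxt_set_backing_file()".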
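
Review bot: In loopcxt_setup_device() in lib/loopdev.c (patch 1/2), the added "flags |= O_NOFOLLOW" makes open() refuse a symlink only in the last component of lc->filename; symlinks in the directories leading to it are still resolved. The commit message describes the race on the backing file itself, which this covers, but the limit should be stated in a comment at this line so the flag is not read as a full guarantee. A stricter follow-up would be to open the parent directory first and use openat(), or to use openat2() with RESOLVE_NO_SYMLINKS where the kernel provides it.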
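
Review bot: In init_loginpam() in login-utils/login.c (patch 2/2), switching PAM_RHOST from cxt->hostname to cxt->cmd_hostname changes what PAM modules see for hosts in the local domain: per the commit message they received the short name before and now receive the FQDN passed to -h. For a stable-branch backport this means pam_access rules written against the short name stop matching after the upgrade, so the recipe commit message or release notes should tell integrators to review host-based rules. The existing comment above the call ("hostname & tty are either set to NULL or their correct values") should also be updated to name the new field.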
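
Review bot: In init_remote_info() in login-utils/login.c (patch 2/2), the new "cxt->cmd_hostname = xstrdup(remotehost);" is correct only because it sits before the "*p = '\0'" that truncates remotehost in place, and nothing in the code says so. Suggest a one-line comment on the new assignment, such as "keep the untruncated name for PAM_RHOST; must precede the domain stripping below", so a later reordering does not silently bring back the short name.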