[AutoPR- Security] Patch util-linux for CVE-2025-14104 [MEDIUM] (#15330)

Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: azurelinux-security

SPECS/util-linux/CVE-2025-14104.patch

@@ -0,0 +1,64 @@
+From 0bbd05467aa9fb9560cdd5fada4abf03d2c9622b Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Sat, 24 May 2025 03:16:09 +0100
+Subject: [PATCH 1/2] Update setpwnam.c
+
+---
+ login-utils/setpwnam.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1ab..95e470b 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		}
+ 
+ 		/* Is this the username we were sent to change? */
+-		if (!found && linebuf[namelen] == ':' &&
+-		    !strncmp(linebuf, pwd->pw_name, namelen)) {
+-			/* Yes! So go forth in the name of the Lord and
+-			 * change it!  */
++		if (!found &&
++		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++		    strlen(linebuf) > namelen &&
++		    linebuf[namelen] == ':') {
++			/* Yes! But this time let’s not walk past the end of the buffer
++			 * in the name of the Lord, SUID, or anything else. */
+ 			if (putpwent(pwd, fp) < 0)
+ 				goto fail;
+ 			found = 1;
+-- 
+2.45.4
+
+
+From 7e0aa7e33ccec01ee7fbe42a435a58d083d6dbac Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Mon, 26 May 2025 10:06:02 +0100
+Subject: [PATCH 2/2] Update bufflen
+
+Update buflen
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/util-linux/util-linux/pull/3586.patch
+---
+ login-utils/setpwnam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 95e470b..7778e98 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		goto fail;
+ 
+ 	namelen = strlen(pwd->pw_name);
+-
++	if (namelen > buflen)
++		buflen += namelen;
+ 	linebuf = malloc(buflen);
+ 	if (!linebuf)
+ 		goto fail;
+-- 
+2.45.4
+

SPECS/util-linux/skip-lsns-ioctl_ns-test-if-unshare-fails.patch

@@ -0,0 +1,53 @@
+From 597ccb7bf564f65bb059bfe420224cab0fba46ac Mon Sep 17 00:00:00 2001
+From: Chris Hofstaedtler <zeha@debian.org>
+Date: Fri, 20 Aug 2021 10:30:50 +0000
+Subject: [PATCH] tests: Skip lsns/ioctl_ns test if unshare fails
+
+Some parts of the Debian build infrastructure uses unshare to run the
+package build, and that appears to cause a "nested" unshare in the
+lsns/ioctl_ns test to fail. Unfortunately the tests then hang at this
+point.
+
+Try running unshare before the actual test, and skip the test if unshare
+already fails.
+
+[kzak@redhat.com: - add --fork to the test
+                  - don't write to stdout/err]
+
+Signed-off-by: Chris Hofstaedtler <zeha@debian.org>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream Patch Reference: https://github.com/util-linux/util-linux/commit/597ccb7bf564f65bb059bfe420224cab0fba46ac
+---
+ tests/ts/column/invalid-multibyte | 2 +-
+ tests/ts/lsns/ioctl_ns            | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/ts/column/invalid-multibyte b/tests/ts/column/invalid-multibyte
+index f3d643e..03695cf 100755
+--- a/tests/ts/column/invalid-multibyte
++++ b/tests/ts/column/invalid-multibyte
+@@ -25,6 +25,6 @@ ts_check_test_command "$TS_CMD_COLUMN"
+ 
+ ts_cd "$TS_OUTDIR"
+ 
+-printf "\x94\x7e\n" | LC_ALL=C.UTF-8 $TS_CMD_COLUMN >> $TS_OUTPUT 2>> $TS_ERRLOG
++printf "\x94\x7e\n" | LC_ALL=C $TS_CMD_COLUMN >> $TS_OUTPUT 2>> $TS_ERRLOG
+ 
+ ts_finalize
+diff --git a/tests/ts/lsns/ioctl_ns b/tests/ts/lsns/ioctl_ns
+index ef63606..fa626bf 100755
+--- a/tests/ts/lsns/ioctl_ns
++++ b/tests/ts/lsns/ioctl_ns
+@@ -34,6 +34,8 @@ ts_check_prog "mkfifo"
+ ts_check_prog "touch"
+ ts_check_prog "uniq"
+ 
++$TS_CMD_UNSHARE --user --pid --mount-proc --fork true &> /dev/null || ts_skip "no namespace support"
++
+ ts_cd "$TS_OUTDIR"
+ 
+ # The parent process receives namespaces ids via FIFO_DATA from bash
+-- 
+2.45.4
+

SPECS/util-linux/util-linux.spec

@@ -1,7 +1,7 @@
 Summary:        Utilities for file systems, consoles, partitions, and messages
 Name:           util-linux
 Version:        2.37.4
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -14,6 +14,8 @@ Source3:        su
 Source4:        su-l
 Patch0:         libblkid-src-probe-check-for-ENOMEDIUM.patch
 Patch1:         0001-wall-fix-escape-sequence-Injection-CVE-2024-28085.patch
+Patch2:         CVE-2025-14104.patch
+Patch3:         skip-lsns-ioctl_ns-test-if-unshare-fails.patch
 BuildRequires:  audit-devel
 BuildRequires:  libcap-ng-devel
 BuildRequires:  libselinux-devel
@@ -27,6 +29,7 @@ Provides:       hardlink = 1.3-9
 Provides:       uuidd = %{version}-%{release}
 %if %{with_check}
 BuildRequires:  ncurses-term
+BuildRequires:  sudo
 %endif
 
 %description
@@ -103,7 +106,7 @@ install -vm644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/
 
 %check
 chown -Rv nobody .
-sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check"
+sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check" || exit 1
 rm -rf %{buildroot}/lib/systemd/system
 
 %post   -p /sbin/ldconfig
@@ -152,6 +155,9 @@ rm -rf %{buildroot}/lib/systemd/system
 %{_mandir}/man3/*
 
 %changelog
+* Wed Dec 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.37.4-10
+- Patch for CVE-2025-14104
+
 * Thu Apr 18 2024 Bala <balakumaran.kannan@microsoft.com> - 2.37.4-9
 - Patch CVE-2024-28085 in wall command
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -66,9 +66,9 @@ make-4.3-3.cm2.aarch64.rpm
 patch-2.7.6-8.cm2.aarch64.rpm
 libcap-ng-0.8.2-2.cm2.aarch64.rpm
 libcap-ng-devel-0.8.2-2.cm2.aarch64.rpm
-util-linux-2.37.4-9.cm2.aarch64.rpm
-util-linux-devel-2.37.4-9.cm2.aarch64.rpm
-util-linux-libs-2.37.4-9.cm2.aarch64.rpm
+util-linux-2.37.4-10.cm2.aarch64.rpm
+util-linux-devel-2.37.4-10.cm2.aarch64.rpm
+util-linux-libs-2.37.4-10.cm2.aarch64.rpm
 tar-1.34-3.cm2.aarch64.rpm
 xz-5.2.5-1.cm2.aarch64.rpm
 xz-devel-5.2.5-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -66,9 +66,9 @@ make-4.3-3.cm2.x86_64.rpm
 patch-2.7.6-8.cm2.x86_64.rpm
 libcap-ng-0.8.2-2.cm2.x86_64.rpm
 libcap-ng-devel-0.8.2-2.cm2.x86_64.rpm
-util-linux-2.37.4-9.cm2.x86_64.rpm
-util-linux-devel-2.37.4-9.cm2.x86_64.rpm
-util-linux-libs-2.37.4-9.cm2.x86_64.rpm
+util-linux-2.37.4-10.cm2.x86_64.rpm
+util-linux-devel-2.37.4-10.cm2.x86_64.rpm
+util-linux-libs-2.37.4-10.cm2.x86_64.rpm
 tar-1.34-3.cm2.x86_64.rpm
 xz-5.2.5-1.cm2.x86_64.rpm
 xz-devel-5.2.5-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -572,11 +572,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 texinfo-debuginfo-6.8-1.cm2.aarch64.rpm
 unzip-6.0-22.cm2.aarch64.rpm
 unzip-debuginfo-6.0-22.cm2.aarch64.rpm
-util-linux-2.37.4-9.cm2.aarch64.rpm
-util-linux-debuginfo-2.37.4-9.cm2.aarch64.rpm
-util-linux-devel-2.37.4-9.cm2.aarch64.rpm
-util-linux-lang-2.37.4-9.cm2.aarch64.rpm
-util-linux-libs-2.37.4-9.cm2.aarch64.rpm
+util-linux-2.37.4-10.cm2.aarch64.rpm
+util-linux-debuginfo-2.37.4-10.cm2.aarch64.rpm
+util-linux-devel-2.37.4-10.cm2.aarch64.rpm
+util-linux-lang-2.37.4-10.cm2.aarch64.rpm
+util-linux-libs-2.37.4-10.cm2.aarch64.rpm
 which-2.21-8.cm2.aarch64.rpm
 which-debuginfo-2.21-8.cm2.aarch64.rpm
 xz-5.2.5-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -578,11 +578,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 texinfo-debuginfo-6.8-1.cm2.x86_64.rpm
 unzip-6.0-22.cm2.x86_64.rpm
 unzip-debuginfo-6.0-22.cm2.x86_64.rpm
-util-linux-2.37.4-9.cm2.x86_64.rpm
-util-linux-debuginfo-2.37.4-9.cm2.x86_64.rpm
-util-linux-devel-2.37.4-9.cm2.x86_64.rpm
-util-linux-lang-2.37.4-9.cm2.x86_64.rpm
-util-linux-libs-2.37.4-9.cm2.x86_64.rpm
+util-linux-2.37.4-10.cm2.x86_64.rpm
+util-linux-debuginfo-2.37.4-10.cm2.x86_64.rpm
+util-linux-devel-2.37.4-10.cm2.x86_64.rpm
+util-linux-lang-2.37.4-10.cm2.x86_64.rpm
+util-linux-libs-2.37.4-10.cm2.x86_64.rpm
 which-2.21-8.cm2.x86_64.rpm
 which-debuginfo-2.21-8.cm2.x86_64.rpm
 xz-5.2.5-1.cm2.x86_64.rpm