[AUTO-CHERRYPICK] Fix CVE-2024-28085 in util-linux by backporting the patch - branch main (#8840)

Co-authored-by: Bala <kumaran.4353@gmail.com>

Author: CBL-Mariner-Bot

SPECS/util-linux/0001-wall-fix-escape-sequence-Injection-CVE-2024-28085.patch

@@ -0,0 +1,192 @@
+From dce2d7df237424c76c1961a323664af60e228225 Mon Sep 17 00:00:00 2001
+From: Bala <Balakumaran.kannan@microsoft.com>
+Date: Thu, 18 Apr 2024 06:20:13 +0000
+Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085]
+
+---
+ include/carefulputc.h | 73 +++++++++++++++++++++++++++++++++++++++++++
+ term-utils/wall.c     | 51 ++++++++++--------------------
+ 2 files changed, 89 insertions(+), 35 deletions(-)
+
+diff --git a/include/carefulputc.h b/include/carefulputc.h
+index 66a0f15..50bb14c 100644
+--- a/include/carefulputc.h
++++ b/include/carefulputc.h
+@@ -9,9 +9,82 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <ctype.h>
++#ifdef HAVE_WIDECHAR
++#include <wctype.h>
++#include <wchar.h>
++#endif
++#include <stdbool.h>
+ 
+ #include "cctype.h"
+ 
++/*
++ * A puts() for use in write and wall (that sometimes are sgid tty).
++ * It avoids control and invalid characters.
++ * The locale of the recipient is nominally unknown,
++ * but it's a solid bet that it's compatible with the author's.
++ * Use soft_width=0 to disable wrapping.
++ */
++static inline int fputs_careful(const char * s, FILE *fp, const char ctrl, bool cr_lf, int soft_width)
++{
++	int ret = 0, col = 0;
++
++	for (size_t slen = strlen(s); *s; ++s, --slen) {
++		if (*s == '\t')
++			col += (7 - (col % 8)) - 1;
++		else if (*s == '\r')
++			col = -1;
++		else if (*s == '\a')
++			--col;
++
++		if ((soft_width && col >= soft_width) || *s == '\n') {
++			if (soft_width) {
++				fprintf(fp, "%*s", soft_width - col, "");
++				col = 0;
++			}
++			ret = fputs(cr_lf ? "\r\n" : "\n", fp);
++			if (*s == '\n' || ret < 0)
++				goto wrote;
++		}
++
++		if (isprint(*s) || *s == '\a' || *s == '\t' || *s == '\r') {
++			ret = putc(*s, fp);
++			++col;
++		} else if (!c_isascii(*s)) {
++#ifdef HAVE_WIDECHAR
++			wchar_t w;
++			size_t clen = mbtowc(&w, s, slen);
++			switch(clen) {
++				case (size_t)-2:  // incomplete
++				case (size_t)-1:  // EILSEQ
++					mbtowc(NULL, NULL, 0);
++				nonprint:
++					col += ret = fprintf(fp, "\\%3hho", *s);
++					break;
++				default:
++					if(!iswprint(w))
++						goto nonprint;
++					ret = fwrite(s, 1, clen, fp);
++					if (soft_width)
++						col += wcwidth(w);
++					s += clen - 1;
++					slen -= clen - 1;
++					break;
++			}
++#else
++			col += ret = fprintf(fp, "\\%3hho", *s);
++#endif
++		} else {
++			ret = fputs((char[]){ ctrl, *s ^ 0x40, '\0' }, fp);
++			col += 2;
++		}
++
++	wrote:
++		if (ret < 0)
++			return EOF;
++	}
++	return 0;
++}
++
+ static inline int fputc_careful(int c, FILE *fp, const char fail)
+ {
+ 	int ret;
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index c601d3e..bc4a28c 100644
+--- a/term-utils/wall.c
++++ b/term-utils/wall.c
+@@ -339,16 +339,10 @@ static void buf_putc_careful(struct buffer *bs, int c)
+ static char *makemsg(char *fname, char **mvec, int mvecsz,
+ 		     size_t *mbufsize, int print_banner)
+ {
+-	struct buffer _bs = {.used = 0}, *bs = &_bs;
+-	register int ch, cnt;
+-	char *p, *lbuf;
+-	long line_max;
+-
+-	line_max = sysconf(_SC_LINE_MAX);
+-	if (line_max <= 0)
+-		line_max = 512;
+-
+-	lbuf = xmalloc(line_max);
++	char *lbuf, *retbuf;
++	FILE * fs = open_memstream(&retbuf, mbufsize);
++	size_t lbuflen = 512;
++	lbuf = xmalloc(lbuflen);
+ 
+ 	if (print_banner == TRUE) {
+ 		char *hostname = xgethostname();
+@@ -379,15 +373,15 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+ 		 */
+ 		/* snprintf is not always available, but the sprintf's here
+ 		   will not overflow as long as %d takes at most 100 chars */
+-		buf_printf(bs, "\r%*s\r\n", TERM_WIDTH, " ");
++		fprintf(fs, "\r%*s\r\n", TERM_WIDTH, " ");
+ 
+-		snprintf(lbuf, line_max,
++		snprintf(lbuf, lbuflen,
+ 				_("Broadcast message from %s@%s (%s) (%s):"),
+ 				whom, hostname, where, date);
+-		buf_printf(bs, "%-*.*s\007\007\r\n", TERM_WIDTH, TERM_WIDTH, lbuf);
++		fprintf(fs, "%-*.*s\007\007\r\n", TERM_WIDTH, TERM_WIDTH, lbuf);
+ 		free(hostname);
+ 	}
+-	buf_printf(bs, "%*s\r\n", TERM_WIDTH, " ");
++	fprintf(fs, "%*s\r\n", TERM_WIDTH, " ");
+ 
+ 	 if (mvec) {
+ 		/*
+@@ -396,11 +390,11 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+ 		int i;
+ 
+ 		for (i = 0; i < mvecsz; i++) {
+-			buf_puts(bs, mvec[i]);
++			fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
+ 			if (i < mvecsz - 1)
+-				buf_puts(bs, " ");
++				fputc(' ', fs);
+ 		}
+-		buf_puts(bs, "\r\n");
++		fputs("\r\n", fs);
+ 	} else {
+ 		/*
+ 		 * read message from <file>
+@@ -425,26 +419,13 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+ 		/*
+ 		 * Read message from stdin.
+ 		 */
+-		while (fgets(lbuf, line_max, stdin)) {
+-			for (cnt = 0, p = lbuf; (ch = *p) != '\0'; ++p, ++cnt) {
+-				if (cnt == TERM_WIDTH || ch == '\n') {
+-					for (; cnt < TERM_WIDTH; ++cnt)
+-						buf_puts(bs, " ");
+-					buf_puts(bs, "\r\n");
+-					cnt = 0;
+-				}
+-				if (ch == '\t')
+-					cnt += (7 - (cnt % 8));
+-				if (ch != '\n')
+-					buf_putc_careful(bs, ch);
+-			}
+-		}
++		while (getline(&lbuf, &lbuflen, stdin) >= 0)
++			fputs_careful(lbuf, fs, '^', true, TERM_WIDTH);
+ 	}
+-	buf_printf(bs, "%*s\r\n", TERM_WIDTH, " ");
++	fprintf(fs, "%*s\r\n", TERM_WIDTH, " ");
+ 
+ 	free(lbuf);
+ 
+-	bs->data[bs->used] = '\0';	/* be paranoid */
+-	*mbufsize = bs->used;
+-	return bs->data;
++	fclose(fs);
++	return retbuf;
+ }
+-- 
+2.33.8
+

SPECS/util-linux/util-linux.spec

@@ -1,7 +1,7 @@
 Summary:        Utilities for file systems, consoles, partitions, and messages
 Name:           util-linux
 Version:        2.37.4
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,7 @@ Source2:        runuser-l
 Source3:        su
 Source4:        su-l
 Patch0:         libblkid-src-probe-check-for-ENOMEDIUM.patch
+Patch1:         0001-wall-fix-escape-sequence-Injection-CVE-2024-28085.patch
 BuildRequires:  audit-devel
 BuildRequires:  libcap-ng-devel
 BuildRequires:  libselinux-devel
@@ -151,6 +152,9 @@ rm -rf %{buildroot}/lib/systemd/system
 %{_mandir}/man3/*
 
 %changelog
+* Thu Apr 18 2024 Bala <balakumaran.kannan@microsoft.com> - 2.37.4-9
+- Patch CVE-2024-28085 in wall command
+
 * Thu Sep 21 2023 Andrew Phelps <anphel@microsoft.com> - 2.37.4-8
 - Add su-l file for PAM
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -66,9 +66,9 @@ make-4.3-3.cm2.aarch64.rpm
 patch-2.7.6-8.cm2.aarch64.rpm
 libcap-ng-0.8.2-2.cm2.aarch64.rpm
 libcap-ng-devel-0.8.2-2.cm2.aarch64.rpm
-util-linux-2.37.4-8.cm2.aarch64.rpm
-util-linux-devel-2.37.4-8.cm2.aarch64.rpm
-util-linux-libs-2.37.4-8.cm2.aarch64.rpm
+util-linux-2.37.4-9.cm2.aarch64.rpm
+util-linux-devel-2.37.4-9.cm2.aarch64.rpm
+util-linux-libs-2.37.4-9.cm2.aarch64.rpm
 tar-1.34-2.cm2.aarch64.rpm
 xz-5.2.5-1.cm2.aarch64.rpm
 xz-devel-5.2.5-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -66,9 +66,9 @@ make-4.3-3.cm2.x86_64.rpm
 patch-2.7.6-8.cm2.x86_64.rpm
 libcap-ng-0.8.2-2.cm2.x86_64.rpm
 libcap-ng-devel-0.8.2-2.cm2.x86_64.rpm
-util-linux-2.37.4-8.cm2.x86_64.rpm
-util-linux-devel-2.37.4-8.cm2.x86_64.rpm
-util-linux-libs-2.37.4-8.cm2.x86_64.rpm
+util-linux-2.37.4-9.cm2.x86_64.rpm
+util-linux-devel-2.37.4-9.cm2.x86_64.rpm
+util-linux-libs-2.37.4-9.cm2.x86_64.rpm
 tar-1.34-2.cm2.x86_64.rpm
 xz-5.2.5-1.cm2.x86_64.rpm
 xz-devel-5.2.5-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -572,11 +572,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 texinfo-debuginfo-6.8-1.cm2.aarch64.rpm
 unzip-6.0-20.cm2.aarch64.rpm
 unzip-debuginfo-6.0-20.cm2.aarch64.rpm
-util-linux-2.37.4-8.cm2.aarch64.rpm
-util-linux-debuginfo-2.37.4-8.cm2.aarch64.rpm
-util-linux-devel-2.37.4-8.cm2.aarch64.rpm
-util-linux-lang-2.37.4-8.cm2.aarch64.rpm
-util-linux-libs-2.37.4-8.cm2.aarch64.rpm
+util-linux-2.37.4-9.cm2.aarch64.rpm
+util-linux-debuginfo-2.37.4-9.cm2.aarch64.rpm
+util-linux-devel-2.37.4-9.cm2.aarch64.rpm
+util-linux-lang-2.37.4-9.cm2.aarch64.rpm
+util-linux-libs-2.37.4-9.cm2.aarch64.rpm
 which-2.21-8.cm2.aarch64.rpm
 which-debuginfo-2.21-8.cm2.aarch64.rpm
 xz-5.2.5-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -578,11 +578,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 texinfo-debuginfo-6.8-1.cm2.x86_64.rpm
 unzip-6.0-20.cm2.x86_64.rpm
 unzip-debuginfo-6.0-20.cm2.x86_64.rpm
-util-linux-2.37.4-8.cm2.x86_64.rpm
-util-linux-debuginfo-2.37.4-8.cm2.x86_64.rpm
-util-linux-devel-2.37.4-8.cm2.x86_64.rpm
-util-linux-lang-2.37.4-8.cm2.x86_64.rpm
-util-linux-libs-2.37.4-8.cm2.x86_64.rpm
+util-linux-2.37.4-9.cm2.x86_64.rpm
+util-linux-debuginfo-2.37.4-9.cm2.x86_64.rpm
+util-linux-devel-2.37.4-9.cm2.x86_64.rpm
+util-linux-lang-2.37.4-9.cm2.x86_64.rpm
+util-linux-libs-2.37.4-9.cm2.x86_64.rpm
 which-2.21-8.cm2.x86_64.rpm
 which-debuginfo-2.21-8.cm2.x86_64.rpm
 xz-5.2.5-1.cm2.x86_64.rpm