diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index d506783f9a..48520ef951 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -40,6 +40,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://avoid_parallel_tests.patch \ file://0001-login-utils-include-libgen.h-for-basename-API.patch \ file://fcntl-lock.c \ + file://CVE-2024-28085-0001.patch \ + file://CVE-2024-28085-0002.patch \ " SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f" diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch new file mode 100644 index 0000000000..af39931b3f --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch @@ -0,0 +1,36 @@ +From 07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Wed, 17 Jan 2024 12:37:08 +0100 +Subject: [PATCH] wall: fix calloc cal [-Werror=calloc-transposed-args] + +term-utils/wall.c:143:37: error: xcalloc sizes specified with sizeof in the earlier argument and not in the later argument [-Werror=calloc-transposed-args] + 143 | buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups); + | ^ +term-utils/wall.c:143:37: note: earlier argument should specify number of elements, later size of each element + +Signed-off-by: Karel Zak + +CVE: CVE-2024-28085 + +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b] + +Signed-off-by: Soumya Sambu +--- + term-utils/wall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/term-utils/wall.c b/term-utils/wall.c +index 377db45..85c006a 100644 +--- a/term-utils/wall.c ++++ b/term-utils/wall.c +@@ -135,7 +135,7 @@ static struct group_workspace *init_group_workspace(const char *group) + + buf->requested_group = get_group_gid(group); + buf->ngroups = sysconf(_SC_NGROUPS_MAX) + 1; /* room for the primary gid */ +- buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups); ++ buf->groups = xcalloc(buf->ngroups, sizeof(*buf->groups)); + + return buf; + } +-- +2.40.0 diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch new file mode 100644 index 0000000000..a2b914d580 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch @@ -0,0 +1,34 @@ +From 404b0781f52f7c045ca811b2dceec526408ac253 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 21 Mar 2024 11:16:20 +0100 +Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085] + +Let's use for all cases the same output function. + +Reported-by: Skyler Ferrante +Signed-off-by: Karel Zak + +CVE: CVE-2024-28085 + +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253] + +Signed-off-by: Soumya Sambu +--- + term-utils/wall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/term-utils/wall.c b/term-utils/wall.c +index 85c006a..0212c03 100644 +--- a/term-utils/wall.c ++++ b/term-utils/wall.c +@@ -328,7 +328,7 @@ static char *makemsg(char *fname, char **mvec, int mvecsz, + int i; + + for (i = 0; i < mvecsz; i++) { +- fputs(mvec[i], fs); ++ fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH); + if (i < mvecsz - 1) + fputc(' ', fs); + } +-- +2.40.0