[AutoPR- Security] Patch util-linux for CVE-2026-3184, CVE-2026-27456 [MEDIUM] (#16509)

Author: azurelinux-security

SPECS/util-linux/CVE-2026-27456.patch

@@ -0,0 +1,112 @@
+From f1513f7b7b0e218671e60f66ad139d6f081f69df Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 19 Feb 2026 13:59:46 +0100
+Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks
+
+Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that
+prevents symlink following in both path canonicalization and file open.
+
+When set:
+- loopcxt_set_backing_file() uses strdup() instead of
+  ul_canonicalize_path() (which calls realpath() and follows symlinks)
+- loopcxt_setup_device() adds O_NOFOLLOW to open() flags
+
+The flag is set for non-root (restricted) mount operations in
+libmount's loop device hook. This prevents a TOCTOU race condition
+where an attacker could replace the backing file (specified in
+/etc/fstab) with a symlink to an arbitrary root-owned file between
+path resolution and open().
+
+Vulnerable Code Flow:
+
+  mount /mnt/point (non-root, SUID)
+    mount.c: sanitize_paths() on user args (mountpoint only)
+    mnt_context_mount()
+      mnt_context_prepare_mount()
+        mnt_context_apply_fstab()           <-- source path from fstab
+        hooks run at MNT_STAGE_PREP_SOURCE
+          hook_loopdev.c: setup_loopdev()
+            backing_file = fstab source path ("/home/user/disk.img")
+            loopcxt_set_backing_file()       <-- calls realpath() as ROOT
+              ul_canonicalize_path()         <-- follows symlinks!
+            loopcxt_setup_device()
+              open(lc->filename, O_RDWR|O_CLOEXEC)  <-- no O_NOFOLLOW
+
+Two vulnerabilities in the path:
+
+1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses
+   realpath() -- this follows symlinks as euid=0. If the attacker swaps
+   the file to a symlink before this call, lc->filename becomes the
+   resolved target path (e.g., /root/secret.img).
+
+2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even
+   if canonicalization happened correctly, the file can be swapped to a
+   symlink between canonicalize and open.
+
+Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/util-linux/util-linux/commit/f55f9906b4f6eeb2b4a4120317df9de935253c10.patch
+---
+ include/loopdev.h           | 3 ++-
+ lib/loopdev.c               | 7 ++++++-
+ libmount/src/hook_loopdev.c | 3 ++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/include/loopdev.h b/include/loopdev.h
+index d10bf7f..0f85dd2 100644
+--- a/include/loopdev.h
++++ b/include/loopdev.h
+@@ -139,7 +139,8 @@ enum {
+ 	LOOPDEV_FL_NOIOCTL	= (1 << 6),
+ 	LOOPDEV_FL_DEVSUBDIR	= (1 << 7),
+ 	LOOPDEV_FL_CONTROL	= (1 << 8),	/* system with /dev/loop-control */
+-	LOOPDEV_FL_SIZELIMIT	= (1 << 9)
++	LOOPDEV_FL_SIZELIMIT	= (1 << 9),
++	LOOPDEV_FL_NOFOLLOW	= (1 << 10)	/* O_NOFOLLOW, don't follow symlinks */
+ };
+ 
+ /*
+diff --git a/lib/loopdev.c b/lib/loopdev.c
+index c72fb2c..28fb489 100644
+--- a/lib/loopdev.c
++++ b/lib/loopdev.c
+@@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename)
+ 	if (!lc)
+ 		return -EINVAL;
+ 
+-	lc->filename = canonicalize_path(filename);
++	if (lc->flags & LOOPDEV_FL_NOFOLLOW)
++		lc->filename = strdup(filename);
++	else
++		lc->filename = canonicalize_path(filename);
+ 	if (!lc->filename)
+ 		return -errno;
+ 
+@@ -1408,6 +1411,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc)
+ 
+ 	if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO)
+ 		flags |= O_DIRECT;
++	if (lc->flags & LOOPDEV_FL_NOFOLLOW)
++		flags |= O_NOFOLLOW;
+ 
+ 	if ((file_fd = open(lc->filename, mode | flags)) < 0) {
+ 		if (mode != O_RDONLY && (errno == EROFS || errno == EACCES))
+diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c
+index 597b933..4df1915 100644
+--- a/libmount/src/hook_loopdev.c
++++ b/libmount/src/hook_loopdev.c
+@@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt,
+ 	}
+ 
+ 	DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device"));
+-	rc = loopcxt_init(&lc, 0);
++	rc = loopcxt_init(&lc,
++			mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0);
+ 	if (rc)
+ 		goto done_no_deinit;
+ 	if (mnt_opt_has_value(loopopt)) {
+-- 
+2.45.4
+

SPECS/util-linux/CVE-2026-3184.patch

@@ -0,0 +1,60 @@
+From 4c05c5b87f37d241ca1086bbfe761ca7ad278363 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 19 Feb 2026 12:20:28 +0100
+Subject: [PATCH] login: use original FQDN for PAM_RHOST
+
+When login -h <remotehost> is invoked, init_remote_info() strips the
+local domain suffix from the hostname (FQDN to short name) before
+storing it in cxt->hostname. This truncated value is then used for
+PAM_RHOST, which can bypass pam_access host deny rules that match on
+the FQDN.
+
+Preserve the original -h hostname in a new cmd_hostname field and use
+it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp
+and logging unchanged.
+
+Note, the real-world impact is low -- login -h is only used by legacy
+telnet/rlogin daemons, and exploitation requires FQDN-specific
+pam_access rules on a system still using these obsolete services.
+
+Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984.patch
+---
+ login-utils/login.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/login.c b/login-utils/login.c
+index c8544f6..380d676 100644
+--- a/login-utils/login.c
++++ b/login-utils/login.c
+@@ -128,6 +128,7 @@ struct login_context {
+ 	char		*thishost;		/* this machine */
+ 	char		*thisdomain;		/* this machine's domain */
+ 	char		*hostname;		/* remote machine */
++	char		*cmd_hostname;		/* remote machine as specified on command line */
+ 	char		hostaddress[16];	/* remote address */
+ 
+ 	pid_t		pid;
+@@ -902,7 +903,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
+ 
+ 	/* hostname & tty are either set to NULL or their correct values,
+ 	 * depending on how much we know. */
+-	rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname);
++	rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname);
+ 	if (is_pam_failure(rc))
+ 		loginpam_err(pamh, rc);
+ 
+@@ -1239,6 +1240,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost)
+ 
+ 	get_thishost(cxt, &domain);
+ 
++	cxt->cmd_hostname = xstrdup(remotehost);
++
+ 	if (domain && (p = strchr(remotehost, '.')) &&
+ 	    strcasecmp(p + 1, domain) == 0)
+ 		*p = '\0';
+-- 
+2.45.4
+

SPECS/util-linux/util-linux.spec

@@ -5,7 +5,7 @@
 Summary:        Utilities for file systems, consoles, partitions, and messages
 Name:           util-linux
 Version:        2.40.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,8 @@ Source2:        runuser-l
 Source3:        su
 Source4:        su-l
 Patch0:         CVE-2025-14104.patch
+Patch1:         CVE-2026-27456.patch
+Patch2:         CVE-2026-3184.patch
 BuildRequires:  audit-devel
 BuildRequires:  libcap-ng-devel
 BuildRequires:  libselinux-devel
@@ -172,6 +174,9 @@ rm -rf %{buildroot}/lib/systemd/system
 %{_mandir}/man3/*
 
 %changelog
+* Wed Apr 08 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.40.2-4
+- Patch for CVE-2026-3184, CVE-2026-27456
+
 * Tue Dec 30 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 2.40.2-3
 - Compiled with python
 - Added the package python3-libmount

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.aarch64.rpm
 patch-2.7.6-9.azl3.aarch64.rpm
 libcap-ng-0.8.4-1.azl3.aarch64.rpm
 libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm
-util-linux-2.40.2-3.azl3.aarch64.rpm
-util-linux-devel-2.40.2-3.azl3.aarch64.rpm
-util-linux-libs-2.40.2-3.azl3.aarch64.rpm
+util-linux-2.40.2-4.azl3.aarch64.rpm
+util-linux-devel-2.40.2-4.azl3.aarch64.rpm
+util-linux-libs-2.40.2-4.azl3.aarch64.rpm
 tar-1.35-2.azl3.aarch64.rpm
 xz-5.4.4-3.azl3.aarch64.rpm
 xz-devel-5.4.4-3.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.x86_64.rpm
 patch-2.7.6-9.azl3.x86_64.rpm
 libcap-ng-0.8.4-1.azl3.x86_64.rpm
 libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm
-util-linux-2.40.2-3.azl3.x86_64.rpm
-util-linux-devel-2.40.2-3.azl3.x86_64.rpm
-util-linux-libs-2.40.2-3.azl3.x86_64.rpm
+util-linux-2.40.2-4.azl3.x86_64.rpm
+util-linux-devel-2.40.2-4.azl3.x86_64.rpm
+util-linux-libs-2.40.2-4.azl3.x86_64.rpm
 tar-1.35-2.azl3.x86_64.rpm
 xz-5.4.4-3.azl3.x86_64.rpm
 xz-devel-5.4.4-3.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -542,7 +542,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
-python3-libmount-2.40.2-3.azl3.aarch64.rpm
+python3-libmount-2.40.2-4.azl3.aarch64.rpm
 python3-libs-3.12.9-10.azl3.aarch64.rpm
 python3-libxml2-2.11.5-9.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
@@ -599,11 +599,11 @@ texinfo-7.0.3-1.azl3.aarch64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm
 unzip-6.0-22.azl3.aarch64.rpm
 unzip-debuginfo-6.0-22.azl3.aarch64.rpm
-util-linux-2.40.2-3.azl3.aarch64.rpm
-util-linux-debuginfo-2.40.2-3.azl3.aarch64.rpm
-util-linux-devel-2.40.2-3.azl3.aarch64.rpm
-util-linux-lang-2.40.2-3.azl3.aarch64.rpm
-util-linux-libs-2.40.2-3.azl3.aarch64.rpm
+util-linux-2.40.2-4.azl3.aarch64.rpm
+util-linux-debuginfo-2.40.2-4.azl3.aarch64.rpm
+util-linux-devel-2.40.2-4.azl3.aarch64.rpm
+util-linux-lang-2.40.2-4.azl3.aarch64.rpm
+util-linux-libs-2.40.2-4.azl3.aarch64.rpm
 which-2.21-8.azl3.aarch64.rpm
 which-debuginfo-2.21-8.azl3.aarch64.rpm
 xz-5.4.4-3.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -550,7 +550,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
-python3-libmount-2.40.2-3.azl3.x86_64.rpm
+python3-libmount-2.40.2-4.azl3.x86_64.rpm
 python3-libs-3.12.9-10.azl3.x86_64.rpm
 python3-libxml2-2.11.5-9.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
@@ -607,11 +607,11 @@ texinfo-7.0.3-1.azl3.x86_64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm
 unzip-6.0-22.azl3.x86_64.rpm
 unzip-debuginfo-6.0-22.azl3.x86_64.rpm
-util-linux-2.40.2-3.azl3.x86_64.rpm
-util-linux-debuginfo-2.40.2-3.azl3.x86_64.rpm
-util-linux-devel-2.40.2-3.azl3.x86_64.rpm
-util-linux-lang-2.40.2-3.azl3.x86_64.rpm
-util-linux-libs-2.40.2-3.azl3.x86_64.rpm
+util-linux-2.40.2-4.azl3.x86_64.rpm
+util-linux-debuginfo-2.40.2-4.azl3.x86_64.rpm
+util-linux-devel-2.40.2-4.azl3.x86_64.rpm
+util-linux-lang-2.40.2-4.azl3.x86_64.rpm
+util-linux-libs-2.40.2-4.azl3.x86_64.rpm
 which-2.21-8.azl3.x86_64.rpm
 which-debuginfo-2.21-8.azl3.x86_64.rpm
 xz-5.4.4-3.azl3.x86_64.rpm