[AutoPR- Security] Patch util-linux for CVE-2026-3184, CVE-2026-27456 [MEDIUM] (#16513)

Author: azurelinux-security

SPECS/util-linux/CVE-2026-27456.patch

@@ -0,0 +1,75 @@
+From 84b259d19569a6b073adec146a46e849085e65e0 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Wed, 8 Apr 2026 14:14:23 +0000
+Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks
+ (backport)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/util-linux/util-linux/commit/f55f9906b4f6eeb2b4a4120317df9de935253c10.patch
+---
+ include/loopdev.h              |  3 ++-
+ lib/loopdev.c                  | 12 ++++++++++--
+ libmount/src/context_loopdev.c |  3 ++-
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/loopdev.h b/include/loopdev.h
+index 6d400d1..9e4ef23 100644
+--- a/include/loopdev.h
++++ b/include/loopdev.h
+@@ -135,7 +135,8 @@ enum {
+ 	LOOPDEV_FL_NOIOCTL	= (1 << 6),
+ 	LOOPDEV_FL_DEVSUBDIR	= (1 << 7),
+ 	LOOPDEV_FL_CONTROL	= (1 << 8),	/* system with /dev/loop-control */
+-	LOOPDEV_FL_SIZELIMIT	= (1 << 9)
++	LOOPDEV_FL_SIZELIMIT	= (1 << 9),
++	LOOPDEV_FL_NOFOLLOW	= (1 << 10)	/* O_NOFOLLOW, don't follow symlinks */
+ };
+ 
+ /*
+diff --git a/lib/loopdev.c b/lib/loopdev.c
+index d9ea1d4..d6ce572 100644
+--- a/lib/loopdev.c
++++ b/lib/loopdev.c
+@@ -1170,7 +1170,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename)
+ 	if (!lc)
+ 		return -EINVAL;
+ 
+-	lc->filename = canonicalize_path(filename);
++	if (lc->flags & LOOPDEV_FL_NOFOLLOW)
++		lc->filename = strdup(filename);
++	else
++		lc->filename = canonicalize_path(filename);
+ 	if (!lc->filename)
+ 		return -errno;
+ 
+@@ -1305,7 +1308,12 @@ int loopcxt_setup_device(struct loopdev_cxt *lc)
+ 	if (lc->config.info.lo_flags & LO_FLAGS_READ_ONLY)
+ 		mode = O_RDONLY;
+ 
+-	if ((file_fd = open(lc->filename, mode | O_CLOEXEC)) < 0) {
++	int flags = O_CLOEXEC;
++	if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO)
++		flags |= O_DIRECT;
++	if (lc->flags & LOOPDEV_FL_NOFOLLOW)
++		flags |= O_NOFOLLOW;
++	if ((file_fd = open(lc->filename, mode | flags)) < 0) {
+ 		if (mode != O_RDONLY && (errno == EROFS || errno == EACCES))
+ 			file_fd = open(lc->filename, mode = O_RDONLY);
+ 
+diff --git a/libmount/src/context_loopdev.c b/libmount/src/context_loopdev.c
+index 6462bfb..2fedd01 100644
+--- a/libmount/src/context_loopdev.c
++++ b/libmount/src/context_loopdev.c
+@@ -289,7 +289,8 @@ int mnt_context_setup_loopdev(struct libmnt_context *cxt)
+ 	}
+ 
+ 	DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device"));
+-	rc = loopcxt_init(&lc, 0);
++	rc = loopcxt_init(&lc,
++			mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0);
+ 	if (rc)
+ 		goto done_no_deinit;
+ 	if (loopval) {
+-- 
+2.45.4
+

SPECS/util-linux/CVE-2026-3184.patch

@@ -0,0 +1,60 @@
+From aa7b7544c233a413e26608a89678ed814a691968 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 19 Feb 2026 12:20:28 +0100
+Subject: [PATCH] login: use original FQDN for PAM_RHOST
+
+When login -h <remotehost> is invoked, init_remote_info() strips the
+local domain suffix from the hostname (FQDN to short name) before
+storing it in cxt->hostname. This truncated value is then used for
+PAM_RHOST, which can bypass pam_access host deny rules that match on
+the FQDN.
+
+Preserve the original -h hostname in a new cmd_hostname field and use
+it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp
+and logging unchanged.
+
+Note, the real-world impact is low -- login -h is only used by legacy
+telnet/rlogin daemons, and exploitation requires FQDN-specific
+pam_access rules on a system still using these obsolete services.
+
+Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984.patch
+---
+ login-utils/login.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/login.c b/login-utils/login.c
+index c6cd340..527b04a 100644
+--- a/login-utils/login.c
++++ b/login-utils/login.c
+@@ -127,6 +127,7 @@ struct login_context {
+ 	char		*thishost;		/* this machine */
+ 	char		*thisdomain;		/* this machine's domain */
+ 	char		*hostname;		/* remote machine */
++	char		*cmd_hostname;		/* remote machine as specified on command line */
+ 	char		hostaddress[16];	/* remote address */
+ 
+ 	pid_t		pid;
+@@ -886,7 +887,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
+ 
+ 	/* hostname & tty are either set to NULL or their correct values,
+ 	 * depending on how much we know. */
+-	rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname);
++	rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname);
+ 	if (is_pam_failure(rc))
+ 		loginpam_err(pamh, rc);
+ 
+@@ -1223,6 +1224,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost)
+ 
+ 	get_thishost(cxt, &domain);
+ 
++	cxt->cmd_hostname = xstrdup(remotehost);
++
+ 	if (domain && (p = strchr(remotehost, '.')) &&
+ 	    strcasecmp(p + 1, domain) == 0)
+ 		*p = '\0';
+-- 
+2.45.4
+

SPECS/util-linux/util-linux.spec

@@ -1,7 +1,7 @@
 Summary:        Utilities for file systems, consoles, partitions, and messages
 Name:           util-linux
 Version:        2.37.4
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -16,6 +16,8 @@ Patch0:         libblkid-src-probe-check-for-ENOMEDIUM.patch
 Patch1:         0001-wall-fix-escape-sequence-Injection-CVE-2024-28085.patch
 Patch2:         CVE-2025-14104.patch
 Patch3:         skip-lsns-ioctl_ns-test-if-unshare-fails.patch
+Patch4:         CVE-2026-27456.patch
+Patch5:         CVE-2026-3184.patch
 BuildRequires:  audit-devel
 BuildRequires:  libcap-ng-devel
 BuildRequires:  libselinux-devel
@@ -155,6 +157,9 @@ rm -rf %{buildroot}/lib/systemd/system
 %{_mandir}/man3/*
 
 %changelog
+* Wed Apr 08 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.37.4-11
+- Patch for CVE-2026-3184, CVE-2026-27456
+
 * Wed Dec 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.37.4-10
 - Patch for CVE-2025-14104
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -66,9 +66,9 @@ make-4.3-3.cm2.aarch64.rpm
 patch-2.7.6-8.cm2.aarch64.rpm
 libcap-ng-0.8.2-2.cm2.aarch64.rpm
 libcap-ng-devel-0.8.2-2.cm2.aarch64.rpm
-util-linux-2.37.4-10.cm2.aarch64.rpm
-util-linux-devel-2.37.4-10.cm2.aarch64.rpm
-util-linux-libs-2.37.4-10.cm2.aarch64.rpm
+util-linux-2.37.4-11.cm2.aarch64.rpm
+util-linux-devel-2.37.4-11.cm2.aarch64.rpm
+util-linux-libs-2.37.4-11.cm2.aarch64.rpm
 tar-1.34-3.cm2.aarch64.rpm
 xz-5.2.5-2.cm2.aarch64.rpm
 xz-devel-5.2.5-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -66,9 +66,9 @@ make-4.3-3.cm2.x86_64.rpm
 patch-2.7.6-8.cm2.x86_64.rpm
 libcap-ng-0.8.2-2.cm2.x86_64.rpm
 libcap-ng-devel-0.8.2-2.cm2.x86_64.rpm
-util-linux-2.37.4-10.cm2.x86_64.rpm
-util-linux-devel-2.37.4-10.cm2.x86_64.rpm
-util-linux-libs-2.37.4-10.cm2.x86_64.rpm
+util-linux-2.37.4-11.cm2.x86_64.rpm
+util-linux-devel-2.37.4-11.cm2.x86_64.rpm
+util-linux-libs-2.37.4-11.cm2.x86_64.rpm
 tar-1.34-3.cm2.x86_64.rpm
 xz-5.2.5-2.cm2.x86_64.rpm
 xz-devel-5.2.5-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -572,11 +572,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 texinfo-debuginfo-6.8-1.cm2.aarch64.rpm
 unzip-6.0-22.cm2.aarch64.rpm
 unzip-debuginfo-6.0-22.cm2.aarch64.rpm
-util-linux-2.37.4-10.cm2.aarch64.rpm
-util-linux-debuginfo-2.37.4-10.cm2.aarch64.rpm
-util-linux-devel-2.37.4-10.cm2.aarch64.rpm
-util-linux-lang-2.37.4-10.cm2.aarch64.rpm
-util-linux-libs-2.37.4-10.cm2.aarch64.rpm
+util-linux-2.37.4-11.cm2.aarch64.rpm
+util-linux-debuginfo-2.37.4-11.cm2.aarch64.rpm
+util-linux-devel-2.37.4-11.cm2.aarch64.rpm
+util-linux-lang-2.37.4-11.cm2.aarch64.rpm
+util-linux-libs-2.37.4-11.cm2.aarch64.rpm
 which-2.21-8.cm2.aarch64.rpm
 which-debuginfo-2.21-8.cm2.aarch64.rpm
 xz-5.2.5-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -578,11 +578,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 texinfo-debuginfo-6.8-1.cm2.x86_64.rpm
 unzip-6.0-22.cm2.x86_64.rpm
 unzip-debuginfo-6.0-22.cm2.x86_64.rpm
-util-linux-2.37.4-10.cm2.x86_64.rpm
-util-linux-debuginfo-2.37.4-10.cm2.x86_64.rpm
-util-linux-devel-2.37.4-10.cm2.x86_64.rpm
-util-linux-lang-2.37.4-10.cm2.x86_64.rpm
-util-linux-libs-2.37.4-10.cm2.x86_64.rpm
+util-linux-2.37.4-11.cm2.x86_64.rpm
+util-linux-debuginfo-2.37.4-11.cm2.x86_64.rpm
+util-linux-devel-2.37.4-11.cm2.x86_64.rpm
+util-linux-lang-2.37.4-11.cm2.x86_64.rpm
+util-linux-libs-2.37.4-11.cm2.x86_64.rpm
 which-2.21-8.cm2.x86_64.rpm
 which-debuginfo-2.21-8.cm2.x86_64.rpm
 xz-5.2.5-2.cm2.x86_64.rpm