Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package util-linux for openSUSE:Factory checked in at 2026-03-04 20:59:30

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/util-linux (Old)
 and      /work/SRC/openSUSE:Factory/.util-linux.new.561 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "util-linux" Wed Mar 4 20:59:30 2026 rev:306 rq:1335665 version:2.41.3 Changes: -------- --- /work/SRC/openSUSE:Factory/util-linux/util-linux.changes 2026-02-25 21:06:37.180424779 +0100 +++ /work/SRC/openSUSE:Factory/.util-linux.new.561/util-linux.changes 2026-03-04 20:59:33.658412700 +0100 @@ -1,0 +2,7 @@ +Sun Mar 1 20:00:51 UTC 2026 - Stanislav Brabec <[email protected]> + +- Use full hostname for PAM to ensure correct access control for + "login -h" (bsc#1258859, CVE-2026-3184, + util-linux-CVE-2026-3184.patch). + +------------------------------------------------------------------- New: ---- util-linux-CVE-2026-3184.patch ----------(New B)---------- New: "login -h" (bsc#1258859, CVE-2026-3184, util-linux-CVE-2026-3184.patch). ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ util-linux.spec ++++++ --- /var/tmp/diff_new_pack.ULzlyf/_old 2026-03-04 20:59:35.370483364 +0100 +++ /var/tmp/diff_new_pack.ULzlyf/_new 2026-03-04 20:59:35.374483529 +0100 @@ -147,6 +147,8 @@ Patch22: util-linux-man-generated.patch # PATCH-FIX-OPENSUSE bsc#1222465: fdisk creates broken partition table Patch23: util-linux-bsc-1222465.patch +# PATCH-FIX-SECURITY util-linux-CVE-2026-3184.patch bsc1258859 CVE-2026-3184 -- Use full hostname for PAM to ensure correct access control for "login -h". +Patch24: util-linux-CVE-2026-3184.patch BuildRequires: audit-devel BuildRequires: bc BuildRequires: binutils-devel ++++++ util-linux-CVE-2026-3184.patch ++++++ >From 8b29aeb081e297e48c4c1ac53d88ae07e1331984 Mon Sep 17 00:00:00 2001 
From: Karel Zak <[email protected]> Date: Thu, 19 Feb 2026 12:20:28 +0100 Subject: [PATCH] login: use original FQDN for PAM_RHOST When login -h <remotehost> is invoked, init_remote_info() strips the local domain suffix from the hostname (FQDN to short name) before storing it in cxt->hostname. This truncated value is then used for PAM_RHOST, which can bypass pam_access host deny rules that match on the FQDN. Preserve the original -h hostname in a new cmd_hostname field and use it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp and logging unchanged. Note, the real-world impact is low -- login -h is only used by legacy telnet/rlogin daemons, and exploitation requires FQDN-specific pam_access rules on a system still using these obsolete services. Reported-by: Asim Viladi Oglu Manizada <[email protected]> Signed-off-by: Karel Zak <[email protected]> --- login-utils/login.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/login-utils/login.c b/login-utils/login.c index 74c42f422..0990d5e8f 100644 --- a/login-utils/login.c +++ b/login-utils/login.c @@ -130,6 +130,7 @@ struct login_context { char *thishost; /* this machine */ char *thisdomain; /* this machine's domain */ char *hostname; /* remote machine */ + char *cmd_hostname; /* remote machine as specified on command line */ char hostaddress[16]; /* remote address */ pid_t pid; @@ -912,7 +913,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt) /* hostname & tty are either set to NULL or their correct values, * depending on how much we know. */ - rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname); + rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname); if (is_pam_failure(rc)) loginpam_err(pamh, rc); @@ -1250,6 +1251,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost) get_thishost(cxt, &domain); + cxt->cmd_hostname = xstrdup(remotehost); + if (domain && (p = strchr(remotehost, '.')) && strcasecmp(p + 1, domain) == 0) *p = '\0'; -- 2.51.0
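Review bot: In the util-linux.spec hunk, the new PATCH-FIX-SECURITY comment writes the bug reference as "bsc1258859" while the neighbouring Patch23 comment and the changes entry both use the "bsc#1222465" / "bsc#1258859" form; use "bsc#1258859" so the reference is consistent and greppable with the rest of the spec.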
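Review bot: In the struct login_context hunk, the comment on the new field ("remote machine as specified on command line") does not say why a second copy of the hostname exists, and cmd_hostname is only assigned inside init_remote_info(), so every other code path relies on the struct initialiser (not shown in this diff) leaving it NULL for the PAM_RHOST call. Suggest a comment that records the intent, e.g. "/* remote machine, untruncated FQDN; used only for PAM_RHOST */", and confirm the initialiser zeroes the new member.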
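Review bot: In the init_loginpam() hunk, the comment immediately above the changed call still reads "hostname & tty are either set to NULL or their correct values", which now describes the wrong field; update it to name cmd_hostname and to state that PAM deliberately receives the un-truncated name. The changes entry should also document the behavioural consequence visible from this diff: a pam_access rule that was written against the short name produced by the old truncation will no longer see that form in PAM_RHOST, so administrators need to check rules that were keyed on the short hostname.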
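Review bot: In the init_remote_info() hunk, taking the xstrdup() copy before the `*p = '\0'` truncation is the right order and is the whole fix, but it also means the hostname recorded in utmp/wtmp and in login's own log messages (still the shortened form, per the commit message) will differ from the string PAM modules such as pam_access log as the remote host. Worth a sentence in the commit message or changes entry so that anyone correlating pam denial messages against wtmp entries knows the two host strings are no longer expected to match character for character.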
