From: "Hugo SIMELIERE (Schneider Electric)" <[email protected]>
Pick patch from [1] as mentioned in Debian report in [2]. [1] https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984 [2] https://security-tracker.debian.org/tracker/CVE-2026-3184 Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]> Reviewed-by: Bruno VERNAY <[email protected]> --- meta/recipes-core/util-linux/util-linux.inc | 1 + .../util-linux/util-linux/CVE-2026-3184.patch | 63 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 8380419634..961a7318aa 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -47,6 +47,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://CVE-2025-14104-01.patch \ file://CVE-2025-14104-02.patch \ file://CVE-2026-27456.patch \ + file://CVE-2026-3184.patch \ " SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f" diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch b/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch new file mode 100644 index 0000000000..933adb3250 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch @@ -0,0 +1,63 @@ +From bbd20203765f3d705d45b2f51201041ed94fc3a3 Mon Sep 17 00:00:00 2001 +From: Karel Zak <[email protected]> +Date: Thu, 19 Feb 2026 12:20:28 +0100 +Subject: [PATCH] login: use original FQDN for PAM_RHOST + +When login -h <remotehost> is invoked, init_remote_info() strips the +local domain suffix from the hostname (FQDN to short name) before +storing it in cxt->hostname. This truncated value is then used for +PAM_RHOST, which can bypass pam_access host deny rules that match on +the FQDN. + +Preserve the original -h hostname in a new cmd_hostname field and use +it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp +and logging unchanged. + +Note, the real-world impact is low -- login -h is only used by legacy +telnet/rlogin daemons, and exploitation requires FQDN-specific +pam_access rules on a system still using these obsolete services. + +CVE: CVE-2026-3184 +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984] + +Reported-by: Asim Viladi Oglu Manizada <[email protected]> +Signed-off-by: Karel Zak <[email protected]> +(cherry picked from commit 8b29aeb081e297e48c4c1ac53d88ae07e1331984) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]> +--- + login-utils/login.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/login-utils/login.c b/login-utils/login.c +index 1812b9017..211968f30 100644 +--- a/login-utils/login.c ++++ b/login-utils/login.c +@@ -127,6 +127,7 @@ struct login_context { + char *thishost; /* this machine */ + char *thisdomain; /* this machine's domain */ + char *hostname; /* remote machine */ ++ char *cmd_hostname; /* remote machine as specified on command line */ + char hostaddress[16]; /* remote address */ + + pid_t pid; +@@ -894,7 +895,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt) + + /* hostname & tty are either set to NULL or their correct values, + * depending on how much we know. */ +- rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname); ++ rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname); + if (is_pam_failure(rc)) + loginpam_err(pamh, rc); + +@@ -1231,6 +1232,8 @@ static void init_remote_info(struct login_context *cxt, char *remotehost) + + get_thishost(cxt, &domain); + ++ cxt->cmd_hostname = xstrdup(remotehost); ++ + if (domain && (p = strchr(remotehost, '.')) && + strcasecmp(p + 1, domain) == 0) + *p = '\0'; +-- +2.43.0 + -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237447): https://lists.openembedded.org/g/openembedded-core/message/237447 Mute This Topic: https://lists.openembedded.org/mt/119405890/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
