Hello Hugo

This patch seems to also be needed in master and wrynose, but I could
not find a submission for these branches.

Please submit for those two and then ping this mail so we can continue.

(Note that the other patch in the series is applied correctly, so I will
continue to review it independently.)

Regards
Jeremy Rosen

On Wed May 20, 2026 at 12:59 PM CEST, Hugo Simeliere via lists.openembedded.org wrote:
> From: "Hugo SIMELIERE (Schneider Electric)" 
> <[email protected]>
>
> Pick patch from [1] as mentioned in Debian report in [2].
>
> [1] 
> https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984
> [2] https://security-tracker.debian.org/tracker/CVE-2026-3184
>
> Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
> <[email protected]>
> Reviewed-by: Bruno VERNAY <[email protected]>
> ---
>  meta/recipes-core/util-linux/util-linux.inc   |  1 +
>  .../util-linux/util-linux/CVE-2026-3184.patch | 63 +++++++++++++++++++
>  2 files changed, 64 insertions(+)
>  create mode 100644 
> meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch
>
> diff --git a/meta/recipes-core/util-linux/util-linux.inc 
> b/meta/recipes-core/util-linux/util-linux.inc
> index 8380419634..961a7318aa 100644
> --- a/meta/recipes-core/util-linux/util-linux.inc
> +++ b/meta/recipes-core/util-linux/util-linux.inc
> @@ -47,6 +47,7 @@ SRC_URI = 
> "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
>             file://CVE-2025-14104-01.patch \
>             file://CVE-2025-14104-02.patch \
>             file://CVE-2026-27456.patch \
> +           file://CVE-2026-3184.patch \
>             "
>  
>  SRC_URI[sha256sum] = 
> "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
> diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch 
> b/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch
> new file mode 100644
> index 0000000000..933adb3250
> --- /dev/null
> +++ b/meta/recipes-core/util-linux/util-linux/CVE-2026-3184.patch
> @@ -0,0 +1,63 @@
> +From bbd20203765f3d705d45b2f51201041ed94fc3a3 Mon Sep 17 00:00:00 2001
> +From: Karel Zak <[email protected]>
> +Date: Thu, 19 Feb 2026 12:20:28 +0100
> +Subject: [PATCH] login: use original FQDN for PAM_RHOST
> +
> +When login -h <remotehost> is invoked, init_remote_info() strips the
> +local domain suffix from the hostname (FQDN to short name) before
> +storing it in cxt->hostname. This truncated value is then used for
> +PAM_RHOST, which can bypass pam_access host deny rules that match on
> +the FQDN.
> +
> +Preserve the original -h hostname in a new cmd_hostname field and use
> +it for PAM_RHOST, while keeping the truncated hostname for utmp/wtmp
> +and logging unchanged.
> +
> +Note, the real-world impact is low -- login -h is only used by legacy
> +telnet/rlogin daemons, and exploitation requires FQDN-specific
> +pam_access rules on a system still using these obsolete services.
> +
> +CVE: CVE-2026-3184
> +Upstream-Status: Backport 
> [https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984]
> +
> +Reported-by: Asim Viladi Oglu Manizada <[email protected]>
> +Signed-off-by: Karel Zak <[email protected]>
> +(cherry picked from commit 8b29aeb081e297e48c4c1ac53d88ae07e1331984)
> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
> <[email protected]>
> +---
> + login-utils/login.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/login-utils/login.c b/login-utils/login.c
> +index 1812b9017..211968f30 100644
> +--- a/login-utils/login.c
> ++++ b/login-utils/login.c
> +@@ -127,6 +127,7 @@ struct login_context {
> +     char            *thishost;              /* this machine */
> +     char            *thisdomain;            /* this machine's domain */
> +     char            *hostname;              /* remote machine */
> ++    char            *cmd_hostname;          /* remote machine as specified 
> on command line */
> +     char            hostaddress[16];        /* remote address */
> + 
> +     pid_t           pid;
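Review bot: the added `cmd_hostname` declaration (`char *cmd_hostname; /* remote machine as specified on command line */`) appears here wrapped across two lines, with the tail of the comment on its own line; a patch file in that shape will not apply, so confirm the committed CVE-2026-3184.patch carries it on a single line. The field is introduced next to `hostname`, but none of the hunks in this backport releases it; check whether the branches this is going to free `cxt->hostname` anywhere and, if they do, add the matching `free(cxt->cmd_hostname)` alongside it.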
> +@@ -894,7 +895,7 @@ static pam_handle_t *init_loginpam(struct login_context 
> *cxt)
> + 
> +     /* hostname & tty are either set to NULL or their correct values,
> +      * depending on how much we know. */
> +-    rc = pam_set_item(pamh, PAM_RHOST, cxt->hostname);
> ++    rc = pam_set_item(pamh, PAM_RHOST, cxt->cmd_hostname);
> +     if (is_pam_failure(rc))
> +             loginpam_err(pamh, rc);
> + 
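Review bot: the comment just above the changed call (`hostname & tty are either set to NULL or their correct values`) now describes a field the call no longer uses; update it to mention `cmd_hostname`. The no-`-h` case keeps the old contract that comment states: `cmd_hostname` is only assigned in init_remote_info(), so when login is started without a remote host pam_set_item() receives NULL exactly as it did with `hostname`. Note that what reaches PAM_RHOST is still the caller-supplied `-h` argument, as the commit message says; the change only stops login from rewriting that value before pam_access evaluates it.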
> +@@ -1231,6 +1232,8 @@ static void init_remote_info(struct login_context 
> *cxt, char *remotehost)
> + 
> +     get_thishost(cxt, &domain);
> + 
> ++    cxt->cmd_hostname = xstrdup(remotehost);
> ++
> +     if (domain && (p = strchr(remotehost, '.')) &&
> +         strcasecmp(p + 1, domain) == 0)
> +             *p = '\0';
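Review bot: `cxt->cmd_hostname = xstrdup(remotehost);` is placed before the `*p = '\0'` truncation, which is the ordering the fix depends on; the copy keeps the full name while the existing code continues to shorten the value used for utmp/wtmp and logging. For the master and wrynose submissions, check that init_remote_info() there still has this shape (the `get_thishost(cxt, &domain);` call followed directly by the domain comparison) so the cherry-pick lands at the same point. One consequence worth a sentence in the recipe's commit message: any pam_access rule written against the short form of a host will stop matching once PAM_RHOST carries the FQDN.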
> +-- 
> +2.43.0
> +

View/Reply Online (#238300): https://lists.openembedded.org/g/openembedded-core/message/238300