On Mon Jul 6, 2026 at 12:56 PM CEST, Siva Kumar Balasubramanian wrote:
> Hello Yoann,
>
> Good call, I checked and the upgrade does comply with the stable policy,
> so I'll send it instead of the backport.
>
> 2.41.4 and 2.41.5 are point releases within the same 2.41 stable series
> and carry only bug fixes and security fixes, no new features and no
> API/ABI breaks. The v2.41.3...v2.41.5 range is mostly mount(8) TOCTOU /
> symlink hardening (including CVE-2026-27456), a libblkid integer overflow
> in parse_dos_extended() and a use-after-free in partition probing, plus
> the pam_lastlog2 libpam linking fix that this bug was about
> (c8d0af0421f6, in 2.41.5).
>
> A nice side effect: the upgrade lets us drop two backports that wrynose
> currently carries and that are now part of the release -
> 0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-... (upstream f55f9906, in 2.41.4)
> and the pam_lastlog2 backport from my v2.
>
> I built util-linux with pam enabled on top of 2.41.5 and confirmed
> pam_lastlog2.so now lists libpam.so.0 in its NEEDED entries, so
> YOCTO #16320 is fixed.
>
> I'll send the upgrade as a separate patch (this supersedes the
> pam_lastlog2 backport v1/v2).

Thanks!
Sounds good.

I will review the upgrade in the next review cycle.

Regards,

>
> Thanks!
> Siva
>
> On Mon, Jul 6, 2026 at 3:01 PM Yoann Congal <[email protected]> wrote:
>>
>> On Mon Jul 6, 2026 at 8:30 AM CEST, Siva Balasubramanian wrote:
>> > pam_lastlog2.so uses pam_syslog() and other libpam symbols but the
>> > autotools build did not link the module against libpam. With the
>> > linker default of --as-needed, libpam was discarded and did not end
>> > up in the module's ELF NEEDED entries. The module then fails to load
>> > via dlopen() in processes that do not themselves link libpam (e.g.
>> > systemd on recent Fedora, or weston on journald-based systems without
>> > syslog):
>> >
>> >   PAM unable to dlopen(/usr/lib/security/pam_lastlog2.so): undefined 
>> > symbol: pam_syslog
>> >   PAM adding faulty module: /usr/lib/security/pam_lastlog2.so
>> >
>> > Backport the upstream fix (in 2.41.5) that moves -lpam into LIBADD so
>> > it is placed after the object files and retained as a NEEDED entry.
>> > Against 2.41.3 only the LIBADD line needs changing.
>>
>> Hello,
>>
>> I quickly looked at util-linux v2.41.5 and it look like we can upgrade
>> instead of backporting:
>> https://github.com/util-linux/util-linux/compare/v2.41.3...v2.41.5
>>
>> Could you check and, if you think that the upgrade complies with the
>> stable policy, send the upgrade?
>>
>> Thanks!
>>
>> >
>> > [YOCTO #16320]
>> >
>> > Signed-off-by: Siva Balasubramanian <[email protected]>
>> > ---
>> > v2:
>> >  - Preserve the upstream commit message verbatim in the backported
>> >    patch and only append the backport info (Upstream-Status, dropped
>> >    LDFLAGS hunk note), per review feedback from Yoann Congal.
>> >  - Point Upstream-Status at the util-linux master commit
>> >    5683ed6320e00205146cbb3d0c76462733530eca (PR #4358). It is also in
>> >    the v2.41 stable branch as c8d0af0421f6 (released in 2.41.5) and is
>> >    already present in 2.42.x, so this backport targets the wrynose
>> >    branch (still on util-linux 2.41.3).
>> >  - Retag the subject for the wrynose branch.
>> >
>> >  meta/recipes-core/util-linux/util-linux.inc   |  1 +
>> >  ...ix-libpam-linking-in-autotools-build.patch | 43 +++++++++++++++++++
>> >  2 files changed, 44 insertions(+)
>> >  create mode 100644 
>> > meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch
>> >
>> > diff --git a/meta/recipes-core/util-linux/util-linux.inc 
>> > b/meta/recipes-core/util-linux/util-linux.inc
>> > index 0235862666..3cdc1e2c0f 100644
>> > --- a/meta/recipes-core/util-linux/util-linux.inc
>> > +++ b/meta/recipes-core/util-linux/util-linux.inc
>> > @@ -21,6 +21,7 @@ SRC_URI = 
>> > "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
>> >             
>> > file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \
>> >             file://0001-tests-script-Disable-size-option-test.patch \
>> >             
>> > file://0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch \
>> > +           
>> > file://0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch \
>> >             "
>> >
>> >  SRC_URI[sha256sum] = 
>> > "3330d873f0fceb5560b89a7dc14e4f3288bbd880e96903ed9b50ec2b5799e58b"
>> > diff --git 
>> > a/meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch
>> >  
>> > b/meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch
>> > new file mode 100644
>> > index 0000000000..90532dde7a
>> > --- /dev/null
>> > +++ 
>> > b/meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch
>> > @@ -0,0 +1,43 @@
>> > +From 5683ed6320e00205146cbb3d0c76462733530eca Mon Sep 17 00:00:00 2001
>> > +From: Karel Zak <[email protected]>
>> > +Date: Tue, 19 May 2026 10:54:57 +0200
>> > +Subject: [PATCH] pam_lastlog2: fix libpam linking in autotools build
>> > +
>> > +Move -lpam from LDFLAGS to LIBADD. When -lpam is in LDFLAGS it
>> > +appears on the linker command line before object files, so the
>> > +--as-needed linker flag (default on Fedora) discards it before
>> > +seeing any undefined PAM symbols. This results in pam_lastlog2.so
>> > +missing libpam.so in its ELF NEEDED entries.
>> > +
>> > +The module then fails to load with dlopen() if the calling process
>> > +does not itself link against libpam (e.g., systemd in Fedora 44+):
>> > +
>> > +  PAM unable to dlopen(pam_lastlog2.so): undefined symbol: pam_syslog
>> > +
>> > +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2453457
>> > +Signed-off-by: Karel Zak <[email protected]>
>> > +
>> > +Upstream-Status: Backport 
>> > [https://github.com/util-linux/util-linux/commit/5683ed6320e00205146cbb3d0c76462733530eca]
>> > +[Dropped the LDFLAGS hunk: the -lpam in LDFLAGS was introduced upstream
>> > + after 2.41.3 and is not present in this tree, so only the LIBADD hunk
>> > + applies here.]
>> > +Signed-off-by: Siva Balasubramanian <[email protected]>
>> > +---
>> > + pam_lastlog2/src/Makemodule.am | 2 +-
>> > + 1 file changed, 1 insertion(+), 1 deletion(-)
>> > +
>> > +diff --git a/pam_lastlog2/src/Makemodule.am 
>> > b/pam_lastlog2/src/Makemodule.am
>> > +index 40d597c58..876171e9f 100644
>> > +--- a/pam_lastlog2/src/Makemodule.am
>> > ++++ b/pam_lastlog2/src/Makemodule.am
>> > +@@ -11,7 +11,7 @@ pam_lastlog2_la_CFLAGS = \
>> > +      $(SOLIB_CFLAGS) \
>> > +      -I$(ul_liblastlog2_incdir)
>> > +
>> > +-pam_lastlog2_la_LIBADD = liblastlog2.la
>> > ++pam_lastlog2_la_LIBADD = liblastlog2.la -lpam
>> > +
>> > + pam_lastlog2_la_LDFLAGS = $(SOLIB_LDFLAGS) -module -avoid-version -shared
>> > + if HAVE_VSCRIPT
>> > +--
>> > +2.43.0
>>
>>
>> --
>> Yoann Congal
>> Smile ECS
>>


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240263): 
https://lists.openembedded.org/g/openembedded-core/message/240263
Mute This Topic: https://lists.openembedded.org/mt/120135828/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to