From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Marcus Hoffmann <buildroot@bubu1.eu>
Cc: Thomas Perale <thomas.perale@mind.be>,
buildroot@buildroot.org,
Giulio Benetti <giulio.benetti@benettiengineering.com>
Subject: Re: [Buildroot] [PATCH 2025.02.x] package/util-linux: fix loopdev nofollow patch
Date: Mon, 11 May 2026 17:36:22 +0200
Message-ID: <20260511153622.338710-1-thomas.perale@mind.be>
In-Reply-To: <20260507135455.980874-1-buildroot@bubu1.eu>
Hi Marcus,

Thanks for sending the proper fix, and sorry for the delay, I was AFK last week.

This was tested with the improper options on 2025.02.x and the error went
unnoticed. I added the minimal defconfig to your commit message:

BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
BR2_PACKAGE_UTIL_LINUX_LOSETUP=y

It's now applied on 2025.02.x.

Best regards,
PERALE Thomas

In reply to:
> eeb65cf0f6753da6bc53197b971aec12ba647026 manually backported upstream
> util-linux security fix (util-linux: 5e390467b26a3cf3fecc04e1a0d482dff3162fc4)
> but didn't account for ul_canonicalize_path being named just canonicalize_path
> in 2.40.x. Use the upstream backported patch from the 2.40.x maintenance
> branch instead.
>
> Fixes: eeb65cf0f6753da6bc53197b971aec12ba647026
>
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
> .../util-linux/0006-add-loopdev-fl-nofollow.patch | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/package/util-linux/0006-add-loopdev-fl-nofollow.patch b/package/util-linux/0006-add-loopdev-fl-nofollow.patch
> index 21b1e2596c..15e92fa61e 100644
> --- a/package/util-linux/0006-add-loopdev-fl-nofollow.patch
> +++ b/package/util-linux/0006-add-loopdev-fl-nofollow.patch
> @@ -1,4 +1,4 @@
> -From 5e390467b26a3cf3fecc04e1a0d482dff3162fc4 Mon Sep 17 00:00:00 2001
> +From 0000ca30646d03f9dfbab9f62a5ce21a939c1018 Mon Sep 17 00:00:00 2001
> From: Karel Zak <kzak@redhat.com>
> Date: Thu, 19 Feb 2026 13:59:46 +0100
> Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks
> @@ -47,9 +47,8 @@ Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4
> Signed-off-by: Karel Zak <kzak@redhat.com>
>
> CVE: CVE-2026-27456
> -Upstream: https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4
> -[Titouan: Adapt patch to apply cleanly onto util-linux 2.40]
> -Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> +Upstream: https://github.com/util-linux/util-linux/commit/0000ca30646d03f9dfbab9f62a5ce21a939c1018
> +Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
> include/loopdev.h | 3 ++-
> lib/loopdev.c | 7 ++++++-
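Review bot: the new `Upstream:` line in this hunk gives only the commit URL, and with the `[Titouan: Adapt patch to apply cleanly onto util-linux 2.40]` note removed, the patch header no longer says why its hash differs from 5e390467b26a3cf3fecc04e1a0d482dff3162fc4. The commit message explains that 0000ca30646d03f9dfbab9f62a5ce21a939c1018 is the backport from the 2.40.x maintenance branch; a one-line bracketed note saying so next to `Upstream:` would keep that provenance inside the patch file, which is what someone auditing the CVE-2026-27456 fix will actually read.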
> @@ -57,7 +56,7 @@ Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> 3 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/include/loopdev.h b/include/loopdev.h
> -index d10bf7f37..0f85dd254 100644
> +index d10bf7f3765..0f85dd25456 100644
> --- a/include/loopdev.h
> +++ b/include/loopdev.h
> @@ -139,7 +139,8 @@ enum {
> @@ -71,7 +70,7 @@ index d10bf7f37..0f85dd254 100644
>
> /*
> diff --git a/lib/loopdev.c b/lib/loopdev.c
> -index c72fb2c40..3d2274693 100644
> +index c72fb2c404b..28fb489e402 100644
> --- a/lib/loopdev.c
> +++ b/lib/loopdev.c
> @@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename)
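Review bot: the post-image blob on the `lib/loopdev.c` index line changes here (`3d2274693` becomes `28fb489e402`), unlike the `include/loopdev.h` and `libmount/src/hook_loopdev.c` index lines, which only gain longer abbreviations of the same hashes. Stating in the commit message that `lib/loopdev.c` is the only file whose content differs from the previous version of this patch would let a reviewer confirm the scope of the fix from the index lines alone.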
> @@ -82,7 +81,7 @@ index c72fb2c40..3d2274693 100644
> + if (lc->flags & LOOPDEV_FL_NOFOLLOW)
> + lc->filename = strdup(filename);
> + else
> -+ lc->filename = ul_canonicalize_path(filename);
> ++ lc->filename = canonicalize_path(filename);
> if (!lc->filename)
> return -errno;
>
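Review bot: the commit message as posted does not say how to reproduce the failure that the `canonicalize_path(filename)` line in the `else` branch fixes, and the earlier version calling `ul_canonicalize_path` was applied without the error being noticed. Recording a configuration that exercises this code in the commit message, such as the minimal defconfig with BR2_PACKAGE_UTIL_LINUX_LOSETUP=y given in the reply above, makes the fix verifiable and makes it harder for a security backport that was never actually compiled to be merged again.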
> @@ -96,7 +95,7 @@ index c72fb2c40..3d2274693 100644
> if ((file_fd = open(lc->filename, mode | flags)) < 0) {
> if (mode != O_RDONLY && (errno == EROFS || errno == EACCES))
> diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c
> -index 597b9339a..4df1915a6 100644
> +index 597b9339ac0..4df1915a619 100644
> --- a/libmount/src/hook_loopdev.c
> +++ b/libmount/src/hook_loopdev.c
> @@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt,
> --
> 2.54.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot