* [Buildroot] [PATCH] package/util-linux: security bump to 2.41.5
@ 2026-06-18 7:54 Giulio Benetti
2026-06-18 19:38 ` Peter Korsgaard
0 siblings, 1 reply; 2+ messages in thread
From: Giulio Benetti @ 2026-06-18 7:54 UTC (permalink / raw)
To: buildroot; +Cc: Giulio Benetti
Security fixes:
CVE-2026-53613 - mount(8) TOCTOU race on target path.
The SUID mount does not pin the mount target directory, allowing a
race between path resolution and the actual mount syscall. A local
attacker can swap an ancestor directory component between these
steps to redirect a mount to an arbitrary location.
Reported-by: Xinyao Hu
CVE-2026-53612 - mount(8) TOCTOU race on post-mount owner/mode change.
The X-mount.owner, X-mount.group, and X-mount.mode options use
path-based lchown()/chmod() after mounting. An attacker can swap
the target between mount and the ownership/mode change to gain
control of arbitrary files.
Reported-by: Xinyao Hu
CVE-2026-53614 - mount(8) SUID bypass via LIBMOUNT_FORCE_MOUNT2.
The environment variable LIBMOUNT_FORCE_MOUNT2 is not filtered
via safe_getenv() in SUID context. A local attacker can force
the legacy mount(2) code path, which uses a two-step bind+remount
or propagation sequence with a window where security flags (nosuid,
noexec, ...) are not yet applied.
Reported-by: Xinyao Hu
Full release notes: https://www.kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.5-ReleaseNotes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
---
package/util-linux/util-linux.hash | 2 +-
package/util-linux/util-linux.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/util-linux/util-linux.hash b/package/util-linux/util-linux.hash
index 5a5656212c..b6393d6ec0 100644
--- a/package/util-linux/util-linux.hash
+++ b/package/util-linux/util-linux.hash
@@ -1,5 +1,5 @@
# From https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.41/sha256sums.asc
-sha256 a8c213cc06048862602a42b2d299b340001f6d05c4407b549f3e03521df83688 util-linux-2.41.4.tar.xz
+sha256 f586e35d320ff537aab3ffeca37e9ecd482ccbe013590db4429a414d8aa6a728 util-linux-2.41.5.tar.xz
# License files, locally calculated
sha256 4c2db318192bda62f3f8fcf71488bb5e602ae4385eba281d711b46cc13a40bb3 README.licensing
sha256 527f738966ca396cd5a68c1509390de2a780c6b614d9ee57f7544a6161938ed1 Documentation/licenses/COPYING.BSD-2-Clause
diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index fcce9a7dc8..20bdcc5c3f 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -8,7 +8,7 @@
# util-linux-libs/util-linux-libs.mk needs to be updated accordingly as well.
UTIL_LINUX_VERSION_MAJOR = 2.41
-UTIL_LINUX_VERSION = $(UTIL_LINUX_VERSION_MAJOR).4
+UTIL_LINUX_VERSION = $(UTIL_LINUX_VERSION_MAJOR).5
UTIL_LINUX_SOURCE = util-linux-$(UTIL_LINUX_VERSION).tar.xz
UTIL_LINUX_SITE = $(BR2_KERNEL_MIRROR)/linux/utils/util-linux/v$(UTIL_LINUX_VERSION_MAJOR)
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Buildroot] [PATCH] package/util-linux: security bump to 2.41.5
2026-06-18 7:54 [Buildroot] [PATCH] package/util-linux: security bump to 2.41.5 Giulio Benetti
@ 2026-06-18 19:38 ` Peter Korsgaard
0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2026-06-18 19:38 UTC (permalink / raw)
To: Giulio Benetti; +Cc: buildroot
>>>>> "Giulio" == Giulio Benetti <giulio.benetti@benettiengineering.com> writes:
> Security fixes:
> CVE-2026-53613 - mount(8) TOCTOU race on target path.
> The SUID mount does not pin the mount target directory, allowing a
> race between path resolution and the actual mount syscall. A local
> attacker can swap an ancestor directory component between these
> steps to redirect a mount to an arbitrary location.
> Reported-by: Xinyao Hu
> CVE-2026-53612 - mount(8) TOCTOU race on post-mount owner/mode change.
> The X-mount.owner, X-mount.group, and X-mount.mode options use
> path-based lchown()/chmod() after mounting. An attacker can swap
> the target between mount and the ownership/mode change to gain
> control of arbitrary files.
> Reported-by: Xinyao Hu
> CVE-2026-53614 - mount(8) SUID bypass via LIBMOUNT_FORCE_MOUNT2.
> The environment variable LIBMOUNT_FORCE_MOUNT2 is not filtered
> via safe_getenv() in SUID context. A local attacker can force
> the legacy mount(2) code path, which uses a two-step bind+remount
> or propagation sequence with a window where security flags (nosuid,
> noexec, ...) are not yet applied.
> Reported-by: Xinyao Hu
> Full release notes: https://www.kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.5-ReleaseNotes
> Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-18 19:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-18 7:54 [Buildroot] [PATCH] package/util-linux: security bump to 2.41.5 Giulio Benetti
2026-06-18 19:38 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox