* [PATCH 4/5] xz: fix CVE-2026-34743
2026-04-20 19:07 [PATCH 1/5] bluez5: mark two CVEs as being in the wrong product Ross Burton
2026-04-20 19:07 ` [PATCH 2/5] systemd: mark several CVEs as fixed Ross Burton
2026-04-20 19:07 ` [PATCH 3/5] xz: " Ross Burton
@ 2026-04-20 19:07 ` Ross Burton
2026-04-20 19:07 ` [PATCH 5/5] util-linux: fix CVE-2026-27456 Ross Burton
3 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2026-04-20 19:07 UTC (permalink / raw)
To: openembedded-core
Backport a fix from upstream to resolve CVE-2026-34743:
Prior to version 5.8.3, if lzma_index_decoder() was used to decode an
Index that contained no Records, the resulting lzma_index was left in
a state where where a subsequent lzma_index_append() would allocate
too little memory, and a buffer overflow would occur.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
...buffer-overflow-in-lzma_index_append.patch | 66 +++++++++++++++++++
meta/recipes-extended/xz/xz_5.8.2.bb | 1 +
2 files changed, 67 insertions(+)
create mode 100644 meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
diff --git a/meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch b/meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
new file mode 100644
index 00000000000..d3918233eab
--- /dev/null
+++ b/meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
@@ -0,0 +1,66 @@
+From c8c22869e780ff57c96b46939c3d79ff99395f87 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Sun, 29 Mar 2026 19:11:21 +0300
+Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append()
+
+If lzma_index_decoder() was used to decode an Index that contained no
+Records, the resulting lzma_index had an invalid internal "prealloc"
+value. If lzma_index_append() was called on this lzma_index, too
+little memory would be allocated and a buffer overflow would occur.
+
+While this combination of the API functions is meant to work, in the
+real-world apps this call sequence is rare or might not exist at all.
+
+This bug is older than xz 5.0.0, so all stable releases are affected.
+
+Reported-by: GitHub user christos-spearbit
+
+CVE: CVE-2026-34743
+Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/liblzma/common/index.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 6add6a68..c4aadb9b 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
+ if (records > PREALLOC_MAX)
+ records = PREALLOC_MAX;
+
++ // If index_decoder.c calls us with records == 0, it's decoding
++ // an Index that has no Records. In that case the decoder won't call
++ // lzma_index_append() at all, and i->prealloc isn't used during
++ // the Index decoding either.
++ //
++ // Normally the first lzma_index_append() call from the Index decoder
++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
++ // lzma_index_append() isn't called and the resetting of prealloc
++ // won't occur either. Thus, if records == 0, use the default value
++ // INDEX_GROUP_SIZE instead.
++ //
++ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
++ // didn't have this check and could set i->prealloc = 0, which would
++ // result in a buffer overflow if the application called
++ // lzma_index_append() after decoding an empty Index. Appending
++ // Records after decoding an Index is a rare thing to do, but
++ // it is supposed to work.
++ if (records == 0)
++ records = INDEX_GROUP_SIZE;
++
+ i->prealloc = (size_t)(records);
+ return;
+ }
+@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ ++g->last;
+ } else {
+ // We need to allocate a new group.
++ assert(i->prealloc > 0);
+ g = lzma_alloc(sizeof(index_group)
+ + i->prealloc * sizeof(index_record),
+ allocator);
+--
+2.43.0
+
diff --git a/meta/recipes-extended/xz/xz_5.8.2.bb b/meta/recipes-extended/xz/xz_5.8.2.bb
index 7ada44d9f58..15eaa7a52f8 100644
--- a/meta/recipes-extended/xz/xz_5.8.2.bb
+++ b/meta/recipes-extended/xz/xz_5.8.2.bb
@@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d38d562f6112174de93a9677682231b2 \
"
SRC_URI = "https://github.com/tukaani-project/xz/releases/download/v${PV}/xz-${PV}.tar.gz \
+ file://0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch \
file://run-ptest \
"
SRC_URI[sha256sum] = "ce09c50a5962786b83e5da389c90dd2c15ecd0980a258dd01f70f9e7ce58a8f1"
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 5/5] util-linux: fix CVE-2026-27456
2026-04-20 19:07 [PATCH 1/5] bluez5: mark two CVEs as being in the wrong product Ross Burton
` (2 preceding siblings ...)
2026-04-20 19:07 ` [PATCH 4/5] xz: fix CVE-2026-34743 Ross Burton
@ 2026-04-20 19:07 ` Ross Burton
3 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2026-04-20 19:07 UTC (permalink / raw)
To: openembedded-core
Backport a patch from upstream to fix CVE-2026-27456:
Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use)
vulnerability has been identified in the SUID binary /usr/bin/mount
from util-linux. The mount binary, when setting up loop devices,
validates the source file path with user privileges via fork() +
setuid() + realpath(), but subsequently re-canonicalizes and opens it
with root privileges (euid=0) without verifying that the path has not
been replaced between both operations. Neither O_NOFOLLOW, nor inode
comparison, nor post-open fstat() are employed. This allows a local
unprivileged user to replace the source file with a symlink pointing
to any root-owned file or device during the race window, causing the
SUID binary to open and mount it as root. Exploitation requires an
/etc/fstab entry with user,loop options whose path points to a
directory where the attacker has write permission, and that
/usr/bin/mount has the SUID bit set (the default configuration on
virtually all Linux distributions). The impact is unauthorized read
access to root-protected files and block devices, including backup
images, disk volumes, and any file containing a valid filesystem.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/recipes-core/util-linux/util-linux.inc | 1 +
...DEV_FL_NOFOLLOW-to-prevent-symlink-a.patch | 114 ++++++++++++++++++
2 files changed, 115 insertions(+)
create mode 100644 meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index deb9bfd0644..02358626669 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -20,6 +20,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://0001-lsfd-mkfds-foreign-sockets-skip-when-lacking-sock_di.patch \
file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \
file://0001-tests-script-Disable-size-option-test.patch \
+ file://0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch \
"
SRC_URI[sha256sum] = "3330d873f0fceb5560b89a7dc14e4f3288bbd880e96903ed9b50ec2b5799e58b"
diff --git a/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch b/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
new file mode 100644
index 00000000000..0951c9f5fbe
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
@@ -0,0 +1,114 @@
+From f55f9906b4f6eeb2b4a4120317df9de935253c10 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 19 Feb 2026 13:59:46 +0100
+Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks
+
+Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that
+prevents symlink following in both path canonicalization and file open.
+
+When set:
+- loopcxt_set_backing_file() uses strdup() instead of
+ ul_canonicalize_path() (which calls realpath() and follows symlinks)
+- loopcxt_setup_device() adds O_NOFOLLOW to open() flags
+
+The flag is set for non-root (restricted) mount operations in
+libmount's loop device hook. This prevents a TOCTOU race condition
+where an attacker could replace the backing file (specified in
+/etc/fstab) with a symlink to an arbitrary root-owned file between
+path resolution and open().
+
+Vulnerable Code Flow:
+
+ mount /mnt/point (non-root, SUID)
+ mount.c: sanitize_paths() on user args (mountpoint only)
+ mnt_context_mount()
+ mnt_context_prepare_mount()
+ mnt_context_apply_fstab() <-- source path from fstab
+ hooks run at MNT_STAGE_PREP_SOURCE
+ hook_loopdev.c: setup_loopdev()
+ backing_file = fstab source path ("/home/user/disk.img")
+ loopcxt_set_backing_file() <-- calls realpath() as ROOT
+ ul_canonicalize_path() <-- follows symlinks!
+ loopcxt_setup_device()
+ open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW
+
+Two vulnerabilities in the path:
+
+1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses
+ realpath() -- this follows symlinks as euid=0. If the attacker swaps
+ the file to a symlink before this call, lc->filename becomes the
+ resolved target path (e.g., /root/secret.img).
+
+2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even
+ if canonicalization happened correctly, the file can be swapped to a
+ symlink between canonicalize and open.
+
+Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4)
+
+CVE: CVE-2026-27456
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ include/loopdev.h | 3 ++-
+ lib/loopdev.c | 7 ++++++-
+ libmount/src/hook_loopdev.c | 3 ++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/include/loopdev.h b/include/loopdev.h
+index e5ec1c98a..6bdb1393a 100644
+--- a/include/loopdev.h
++++ b/include/loopdev.h
+@@ -140,7 +140,8 @@ enum {
+ LOOPDEV_FL_NOIOCTL = (1 << 6),
+ LOOPDEV_FL_DEVSUBDIR = (1 << 7),
+ LOOPDEV_FL_CONTROL = (1 << 8), /* system with /dev/loop-control */
+- LOOPDEV_FL_SIZELIMIT = (1 << 9)
++ LOOPDEV_FL_SIZELIMIT = (1 << 9),
++ LOOPDEV_FL_NOFOLLOW = (1 << 10) /* O_NOFOLLOW, don't follow symlinks */
+ };
+
+ /*
+diff --git a/lib/loopdev.c b/lib/loopdev.c
+index 2359bf781..76685be70 100644
+--- a/lib/loopdev.c
++++ b/lib/loopdev.c
+@@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename)
+ if (!lc)
+ return -EINVAL;
+
+- lc->filename = canonicalize_path(filename);
++ if (lc->flags & LOOPDEV_FL_NOFOLLOW)
++ lc->filename = strdup(filename);
++ else
++ lc->filename = canonicalize_path(filename);
+ if (!lc->filename)
+ return -errno;
+
+@@ -1408,6 +1411,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc)
+
+ if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO)
+ flags |= O_DIRECT;
++ if (lc->flags & LOOPDEV_FL_NOFOLLOW)
++ flags |= O_NOFOLLOW;
+
+ if ((file_fd = open(lc->filename, mode | flags)) < 0) {
+ if (mode != O_RDONLY && (errno == EROFS || errno == EACCES))
+diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c
+index 444d69d6f..34351116c 100644
+--- a/libmount/src/hook_loopdev.c
++++ b/libmount/src/hook_loopdev.c
+@@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt,
+ }
+
+ DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device"));
+- rc = loopcxt_init(&lc, 0);
++ rc = loopcxt_init(&lc,
++ mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0);
+ if (rc)
+ goto done_no_deinit;
+ if (mnt_opt_has_value(loopopt)) {
+--
+2.43.0
+
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread