Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2228755,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2228755/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260427101206.1362913-1-titouan.christophe@mind.be/",
    "project": {
        "id": 27,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/27/?format=api",
        "name": "Buildroot development",
        "link_name": "buildroot",
        "list_id": "buildroot.buildroot.org",
        "list_email": "buildroot@buildroot.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260427101206.1362913-1-titouan.christophe@mind.be>",
    "date": "2026-04-27T10:12:06",
    "name": "[for,2025.02.x] package/util-linux: add patch for CVE-2026-27456",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": false,
    "hash": "f0106b3239cf486bda4bc0f717b70b5b075b62b9",
    "submitter": {
        "id": 90763,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/90763/?format=api",
        "name": "Titouan Christophe",
        "email": "titouan.christophe@mind.be"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260427101206.1362913-1-titouan.christophe@mind.be/mbox/",
    "series": [
        {
            "id": 501618,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/501618/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=501618",
            "date": "2026-04-27T10:12:06",
            "name": "[for,2025.02.x] package/util-linux: add patch for CVE-2026-27456",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/501618/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2228755/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2228755/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "<buildroot-bounces@buildroot.org>",
        "X-Original-To": [
            "incoming-buildroot@patchwork.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Delivered-To": [
            "patchwork-incoming-buildroot@legolas.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=VWwKA077;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g3zrp6G0nz1yJX\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Mon, 27 Apr 2026 20:12:25 +1000 (AEST)",
            "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 0DB3B42FAB;\n\tMon, 27 Apr 2026 10:12:23 +0000 (UTC)",
            "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id tN6jB78KVysa; Mon, 27 Apr 2026 10:12:22 +0000 (UTC)",
            "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id D81CC42FC4;\n\tMon, 27 Apr 2026 10:12:21 +0000 (UTC)",
            "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id D9F291B8\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 10:12:20 +0000 (UTC)",
            "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id BF87142616\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 10:12:20 +0000 (UTC)",
            "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 4f2Fhm0jPaIm for <buildroot@buildroot.org>;\n Mon, 27 Apr 2026 10:12:20 +0000 (UTC)",
            "from mail-wm1-x332.google.com (mail-wm1-x332.google.com\n [IPv6:2a00:1450:4864:20::332])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 301AC40137\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 10:12:18 +0000 (UTC)",
            "by mail-wm1-x332.google.com with SMTP id\n 5b1f17b1804b1-4890d945eb4so50052275e9.0\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 03:12:18 -0700 (PDT)",
            "from dragon.home ([2a02:a03f:73a7:c001:1291:d1ff:fe92:3b5a])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-4891c08faffsm1031838765e9.1.2026.04.27.03.12.16\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 27 Apr 2026 03:12:16 -0700 (PDT)"
        ],
        "X-Virus-Scanned": [
            "amavis at osuosl.org",
            "amavis at osuosl.org"
        ],
        "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ",
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 smtp4.osuosl.org D81CC42FC4",
            "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 301AC40137"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777284741;\n\tbh=Qj2uKjXoOUcA1R+mh/mDKkWqns5kPGv6nTWxduwUEK8=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=VWwKA077eXC/VZhSUBOholcWXaJgS5u8LimsIzj1Mfm4JuBAfGxVqQ1R9W+2hJGXv\n\t gBNlhW32KV8BUsDiymbVcnPiQ1Ozr9prtBlEZ20Zibo7o+qRJoVyjh5gQX0lcOLcbS\n\t XLW4YMmKgWeZyol+j+k2YHV+hT+DS1S/26z4wGOebS6aMSD5bznAetICuoDA29lkXl\n\t vuT2CRb6tScg4TVRz/8JkEwxwoj1K/slzJGrYuwVQIznzOXSkfx+FanJ2wD/l/2iTi\n\t 0BdYg5tLsNsOpCS+95vZOrrAD65CbGGvotpjRRPlHeF7OrvTRf+Z6ycuZVr2jLXR+J\n\t NXFF4ZSd6RUOw==",
        "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::332; helo=mail-wm1-x332.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>",
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org 301AC40137",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777284737; x=1777889537;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=gh1TuTzalwe0KVSFK2HrZ5ie5wCcNnmTeb8ztEtGcV0=;\n b=qLImH63eRfUsD/tKXmjJ+MHDC9o1xpTSjNrWSnavYxvp8FUq7m/Gh4NdCVBkmRp4Dy\n vAgWKqCpJT01T/84g81QJxdeVeaeRBY3rDxpDCnF017bZ6wb4NTqRI+DaFb6vSJato9v\n /eWe8DUHMZxq0jCeB4L+/7RxOv61FlCSqVo/y8zIwgDGZ3BfSobnrjch45EA2B/G9DyO\n T2kAhRxUeXerJcn3D6eSkI8LHFEdily1OnsABKhCxvvIJgtTFQR4/6+Krh6n9LWnA1Vo\n NTGjWpQbrtXudrScqjpRsKywOUo4Hvr8IH5ZL4K1QsnbHyNx+C7ork60PzeJxLnW5Emr\n ZIIA==",
        "X-Gm-Message-State": "AOJu0YyWnqgXUAHDDlTKhszLF4YELYb/vz2kKn/rqo/zjG3H8DlGFl7M\n jAY3HV2uE+YabQIr3msaVG8q8Sh3iOjcT8966FCVhvL5ltTMXGetT4HCKMTIEd29lfkf02aANh6\n nL9rVEy4=",
        "X-Gm-Gg": "AeBDietumfaR201La4x9A2nZLOHmnSV+hZXnbF0/7LfZ6EISmy9qmujDtHVwA1ia1c3\n 47GlTdkNnQv4sybUpS6O/D/QGwWupsm/3QaHKjYKStCHX+7T7Mm6f0yq5G5b05CNbDYOhsH9oEN\n 8B/AKEDs7LUrWF86p2s0v9zEF/SQVCJ8mKbIoalnXy5SRxY/ZLEO0L3uVdOKfDAHoxT82aJDCj9\n a0mc80vzgY/t8qplH1XeT0GZCM1YHjbmom4kBS5fmDxjSvT1Md3vJkEKE923pRHvfsokeymVxQ0\n BGVI+TjRIiQneNMwLhLuYPKTHJ5vM/TWIK7ZSpgX1Dmats8RLrFqBQ4msZ8GN9R06sqOox8BhgZ\n 3K2X5A/Yld+K2LROt05L+kR6/vGn5FZyB/uypgfiGrEw6SurhgNvTyRbxyenkj/WXkePSR+eaVU\n tJqicFz++advJiBnyJy1kKGLEvYj6PrNxMOho6cy1tswMrZnc=",
        "X-Received": "by 2002:a05:600c:870e:b0:488:aa33:dc8f with SMTP id\n 5b1f17b1804b1-488fb84ffb8mr569508915e9.0.1777284736594;\n Mon, 27 Apr 2026 03:12:16 -0700 (PDT)",
        "To": "buildroot@buildroot.org",
        "Cc": "Giulio Benetti <giulio.benetti@benettiengineering.com>,\n thomas.perale@mind.be",
        "Date": "Mon, 27 Apr 2026 12:12:06 +0200",
        "Message-ID": "<20260427101206.1362913-1-titouan.christophe@mind.be>",
        "X-Mailer": "git-send-email 2.53.0",
        "MIME-Version": "1.0",
        "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1777284737; x=1777889537; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=gh1TuTzalwe0KVSFK2HrZ5ie5wCcNnmTeb8ztEtGcV0=;\n b=cDVvLX3sDn/ngm/Y1B1ckTEH/MzJDXPjp+vTDK0BYkER604uz2XjU6ThFLzKMCpQzW\n /PXdH/L/G/SWGBNi/GiI3wC0wFGMz+RbLZN2AE3zcmjUjN3kZzr8xib/ZPWvkNJSQnwR\n mFkc1FVM5X2OGFhLpGNhL14GkeFxhfglHEPKaH9QbgPlCNOmT0OUOLrCPvvtihUr+Cxw\n YoA6UB/KDBke4U0QWBdSzE/iEKc3fXKhRZB8eLV0TSTBa8mzpfbr3AS7dZ8S5n8BJFaa\n JOD8+WR129JmLHp9Nv3vCcaiaxR2bFd0RoPYAgB/BuTPCIe3luTVlvb8kwbUVKASB2Bg\n bHIg==",
        "X-Mailman-Original-Authentication-Results": [
            "smtp2.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be",
            "smtp2.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=cDVvLX3s"
        ],
        "Subject": "[Buildroot] [PATCH for 2025.02.x] package/util-linux: add patch for\n CVE-2026-27456",
        "X-BeenThere": "buildroot@buildroot.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>",
        "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>",
        "List-Post": "<mailto:buildroot@buildroot.org>",
        "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>",
        "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>",
        "From": "Titouan Christophe via buildroot <buildroot@buildroot.org>",
        "Reply-To": "Titouan Christophe <titouan.christophe@mind.be>",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Errors-To": "buildroot-bounces@buildroot.org",
        "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>"
    },
    "content": "Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n .../0006-add-loopdev-fl-nofollow.patch        | 111 ++++++++++++++++++\n package/util-linux/util-linux.mk              |   3 +\n 2 files changed, 114 insertions(+)\n create mode 100644 package/util-linux/0006-add-loopdev-fl-nofollow.patch",
    "diff": "diff --git a/package/util-linux/0006-add-loopdev-fl-nofollow.patch b/package/util-linux/0006-add-loopdev-fl-nofollow.patch\nnew file mode 100644\nindex 0000000000..21b1e2596c\n--- /dev/null\n+++ b/package/util-linux/0006-add-loopdev-fl-nofollow.patch\n@@ -0,0 +1,111 @@\n+From 5e390467b26a3cf3fecc04e1a0d482dff3162fc4 Mon Sep 17 00:00:00 2001\n+From: Karel Zak <kzak@redhat.com>\n+Date: Thu, 19 Feb 2026 13:59:46 +0100\n+Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks\n+\n+Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that\n+prevents symlink following in both path canonicalization and file open.\n+\n+When set:\n+- loopcxt_set_backing_file() uses strdup() instead of\n+  ul_canonicalize_path() (which calls realpath() and follows symlinks)\n+- loopcxt_setup_device() adds O_NOFOLLOW to open() flags\n+\n+The flag is set for non-root (restricted) mount operations in\n+libmount's loop device hook. This prevents a TOCTOU race condition\n+where an attacker could replace the backing file (specified in\n+/etc/fstab) with a symlink to an arbitrary root-owned file between\n+path resolution and open().\n+\n+Vulnerable Code Flow:\n+\n+  mount /mnt/point (non-root, SUID)\n+    mount.c: sanitize_paths() on user args (mountpoint only)\n+    mnt_context_mount()\n+      mnt_context_prepare_mount()\n+        mnt_context_apply_fstab()           <-- source path from fstab\n+        hooks run at MNT_STAGE_PREP_SOURCE\n+          hook_loopdev.c: setup_loopdev()\n+            backing_file = fstab source path (\"/home/user/disk.img\")\n+            loopcxt_set_backing_file()       <-- calls realpath() as ROOT\n+              ul_canonicalize_path()         <-- follows symlinks!\n+            loopcxt_setup_device()\n+              open(lc->filename, O_RDWR|O_CLOEXEC)  <-- no O_NOFOLLOW\n+\n+Two vulnerabilities in the path:\n+\n+1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses\n+   realpath() -- this follows symlinks as euid=0. If the attacker swaps\n+   the file to a symlink before this call, lc->filename becomes the\n+   resolved target path (e.g., /root/secret.img).\n+\n+2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even\n+   if canonicalization happened correctly, the file can be swapped to a\n+   symlink between canonicalize and open.\n+\n+Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g\n+Signed-off-by: Karel Zak <kzak@redhat.com>\n+\n+CVE: CVE-2026-27456\n+Upstream: https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4\n+[Titouan: Adapt patch to apply cleanly onto util-linux 2.40]\n+Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n+---\n+ include/loopdev.h           | 3 ++-\n+ lib/loopdev.c               | 7 ++++++-\n+ libmount/src/hook_loopdev.c | 3 ++-\n+ 3 files changed, 10 insertions(+), 3 deletions(-)\n+\n+diff --git a/include/loopdev.h b/include/loopdev.h\n+index d10bf7f37..0f85dd254 100644\n+--- a/include/loopdev.h\n++++ b/include/loopdev.h\n+@@ -139,7 +139,8 @@ enum {\n+ \tLOOPDEV_FL_NOIOCTL\t= (1 << 6),\n+ \tLOOPDEV_FL_DEVSUBDIR\t= (1 << 7),\n+ \tLOOPDEV_FL_CONTROL\t= (1 << 8),\t/* system with /dev/loop-control */\n+-\tLOOPDEV_FL_SIZELIMIT\t= (1 << 9)\n++\tLOOPDEV_FL_SIZELIMIT\t= (1 << 9),\n++\tLOOPDEV_FL_NOFOLLOW\t= (1 << 10)\t/* O_NOFOLLOW, don't follow symlinks */\n+ };\n+ \n+ /*\n+diff --git a/lib/loopdev.c b/lib/loopdev.c\n+index c72fb2c40..3d2274693 100644\n+--- a/lib/loopdev.c\n++++ b/lib/loopdev.c\n+@@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename)\n+ \tif (!lc)\n+ \t\treturn -EINVAL;\n+ \n+-\tlc->filename = canonicalize_path(filename);\n++\tif (lc->flags & LOOPDEV_FL_NOFOLLOW)\n++\t\tlc->filename = strdup(filename);\n++\telse\n++\t\tlc->filename = ul_canonicalize_path(filename);\n+ \tif (!lc->filename)\n+ \t\treturn -errno;\n+ \n+@@ -1408,6 +1411,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc)\n+ \n+ \tif (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO)\n+ \t\tflags |= O_DIRECT;\n++\tif (lc->flags & LOOPDEV_FL_NOFOLLOW)\n++\t\tflags |= O_NOFOLLOW;\n+ \n+ \tif ((file_fd = open(lc->filename, mode | flags)) < 0) {\n+ \t\tif (mode != O_RDONLY && (errno == EROFS || errno == EACCES))\n+diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c\n+index 597b9339a..4df1915a6 100644\n+--- a/libmount/src/hook_loopdev.c\n++++ b/libmount/src/hook_loopdev.c\n+@@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt,\n+ \t}\n+ \n+ \tDBG(LOOP, ul_debugobj(cxt, \"not found; create a new loop device\"));\n+-\trc = loopcxt_init(&lc, 0);\n++\trc = loopcxt_init(&lc,\n++\t\t\tmnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0);\n+ \tif (rc)\n+ \t\tgoto done_no_deinit;\n+ \tif (mnt_opt_has_value(loopopt)) {\ndiff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk\nindex 5d761e01c9..d30c26deb5 100644\n--- a/package/util-linux/util-linux.mk\n+++ b/package/util-linux/util-linux.mk\n@@ -36,6 +36,9 @@ UTIL_LINUX_CPE_ID_VENDOR = kernel\n # 0001-libmount-ifdef-statx-call.patch\n UTIL_LINUX_AUTORECONF = YES\n \n+# 0006-add-loopdev-fl-nofollow.patch\n+UTIL_LINUX_IGNORE_CVES += CVE-2026-27456\n+\n UTIL_LINUX_INSTALL_STAGING = YES\n UTIL_LINUX_DEPENDENCIES = \\\n \thost-pkgconf \\\n",
    "prefixes": [
        "for",
        "2025.02.x"
    ]
}