GET /api/1.2/patches/2228755/?format=api
{ "id": 2228755, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2228755/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260427101206.1362913-1-titouan.christophe@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/1.2/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260427101206.1362913-1-titouan.christophe@mind.be>", "list_archive_url": null, "date": "2026-04-27T10:12:06", "name": "[for,2025.02.x] package/util-linux: add patch for CVE-2026-27456", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "f0106b3239cf486bda4bc0f717b70b5b075b62b9", "submitter": { "id": 90763, "url": "http://patchwork.ozlabs.org/api/1.2/people/90763/?format=api", "name": "Titouan Christophe", "email": "titouan.christophe@mind.be" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260427101206.1362913-1-titouan.christophe@mind.be/mbox/", "series": [ { "id": 501618, "url": "http://patchwork.ozlabs.org/api/1.2/series/501618/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=501618", "date": "2026-04-27T10:12:06", "name": "[for,2025.02.x] package/util-linux: add patch for CVE-2026-27456", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501618/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2228755/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2228755/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", 
"buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=VWwKA077;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g3zrp6G0nz1yJX\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Mon, 27 Apr 2026 20:12:25 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 0DB3B42FAB;\n\tMon, 27 Apr 2026 10:12:23 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id tN6jB78KVysa; Mon, 27 Apr 2026 10:12:22 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id D81CC42FC4;\n\tMon, 27 Apr 2026 10:12:21 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id D9F291B8\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 10:12:20 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id BF87142616\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 10:12:20 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 4f2Fhm0jPaIm for <buildroot@buildroot.org>;\n Mon, 27 Apr 2026 10:12:20 +0000 (UTC)", "from mail-wm1-x332.google.com 
(mail-wm1-x332.google.com\n [IPv6:2a00:1450:4864:20::332])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 301AC40137\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 10:12:18 +0000 (UTC)", "by mail-wm1-x332.google.com with SMTP id\n 5b1f17b1804b1-4890d945eb4so50052275e9.0\n for <buildroot@buildroot.org>; Mon, 27 Apr 2026 03:12:18 -0700 (PDT)", "from dragon.home ([2a02:a03f:73a7:c001:1291:d1ff:fe92:3b5a])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-4891c08faffsm1031838765e9.1.2026.04.27.03.12.16\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 27 Apr 2026 03:12:16 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp4.osuosl.org D81CC42FC4", "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 301AC40137" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777284741;\n\tbh=Qj2uKjXoOUcA1R+mh/mDKkWqns5kPGv6nTWxduwUEK8=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=VWwKA077eXC/VZhSUBOholcWXaJgS5u8LimsIzj1Mfm4JuBAfGxVqQ1R9W+2hJGXv\n\t gBNlhW32KV8BUsDiymbVcnPiQ1Ozr9prtBlEZ20Zibo7o+qRJoVyjh5gQX0lcOLcbS\n\t XLW4YMmKgWeZyol+j+k2YHV+hT+DS1S/26z4wGOebS6aMSD5bznAetICuoDA29lkXl\n\t vuT2CRb6tScg4TVRz/8JkEwxwoj1K/slzJGrYuwVQIznzOXSkfx+FanJ2wD/l/2iTi\n\t 0BdYg5tLsNsOpCS+95vZOrrAD65CbGGvotpjRRPlHeF7OrvTRf+Z6ycuZVr2jLXR+J\n\t NXFF4ZSd6RUOw==", "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::332; helo=mail-wm1-x332.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org 301AC40137", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; 
t=1777284737; x=1777889537;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=gh1TuTzalwe0KVSFK2HrZ5ie5wCcNnmTeb8ztEtGcV0=;\n b=qLImH63eRfUsD/tKXmjJ+MHDC9o1xpTSjNrWSnavYxvp8FUq7m/Gh4NdCVBkmRp4Dy\n vAgWKqCpJT01T/84g81QJxdeVeaeRBY3rDxpDCnF017bZ6wb4NTqRI+DaFb6vSJato9v\n /eWe8DUHMZxq0jCeB4L+/7RxOv61FlCSqVo/y8zIwgDGZ3BfSobnrjch45EA2B/G9DyO\n T2kAhRxUeXerJcn3D6eSkI8LHFEdily1OnsABKhCxvvIJgtTFQR4/6+Krh6n9LWnA1Vo\n NTGjWpQbrtXudrScqjpRsKywOUo4Hvr8IH5ZL4K1QsnbHyNx+C7ork60PzeJxLnW5Emr\n ZIIA==", "X-Gm-Message-State": "AOJu0YyWnqgXUAHDDlTKhszLF4YELYb/vz2kKn/rqo/zjG3H8DlGFl7M\n jAY3HV2uE+YabQIr3msaVG8q8Sh3iOjcT8966FCVhvL5ltTMXGetT4HCKMTIEd29lfkf02aANh6\n nL9rVEy4=", "X-Gm-Gg": "AeBDietumfaR201La4x9A2nZLOHmnSV+hZXnbF0/7LfZ6EISmy9qmujDtHVwA1ia1c3\n 47GlTdkNnQv4sybUpS6O/D/QGwWupsm/3QaHKjYKStCHX+7T7Mm6f0yq5G5b05CNbDYOhsH9oEN\n 8B/AKEDs7LUrWF86p2s0v9zEF/SQVCJ8mKbIoalnXy5SRxY/ZLEO0L3uVdOKfDAHoxT82aJDCj9\n a0mc80vzgY/t8qplH1XeT0GZCM1YHjbmom4kBS5fmDxjSvT1Md3vJkEKE923pRHvfsokeymVxQ0\n BGVI+TjRIiQneNMwLhLuYPKTHJ5vM/TWIK7ZSpgX1Dmats8RLrFqBQ4msZ8GN9R06sqOox8BhgZ\n 3K2X5A/Yld+K2LROt05L+kR6/vGn5FZyB/uypgfiGrEw6SurhgNvTyRbxyenkj/WXkePSR+eaVU\n tJqicFz++advJiBnyJy1kKGLEvYj6PrNxMOho6cy1tswMrZnc=", "X-Received": "by 2002:a05:600c:870e:b0:488:aa33:dc8f with SMTP id\n 5b1f17b1804b1-488fb84ffb8mr569508915e9.0.1777284736594;\n Mon, 27 Apr 2026 03:12:16 -0700 (PDT)", "To": "buildroot@buildroot.org", "Cc": "Giulio Benetti <giulio.benetti@benettiengineering.com>,\n thomas.perale@mind.be", "Date": "Mon, 27 Apr 2026 12:12:06 +0200", "Message-ID": "<20260427101206.1362913-1-titouan.christophe@mind.be>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1777284737; x=1777889537; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n 
:to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=gh1TuTzalwe0KVSFK2HrZ5ie5wCcNnmTeb8ztEtGcV0=;\n b=cDVvLX3sDn/ngm/Y1B1ckTEH/MzJDXPjp+vTDK0BYkER604uz2XjU6ThFLzKMCpQzW\n /PXdH/L/G/SWGBNi/GiI3wC0wFGMz+RbLZN2AE3zcmjUjN3kZzr8xib/ZPWvkNJSQnwR\n mFkc1FVM5X2OGFhLpGNhL14GkeFxhfglHEPKaH9QbgPlCNOmT0OUOLrCPvvtihUr+Cxw\n YoA6UB/KDBke4U0QWBdSzE/iEKc3fXKhRZB8eLV0TSTBa8mzpfbr3AS7dZ8S5n8BJFaa\n JOD8+WR129JmLHp9Nv3vCcaiaxR2bFd0RoPYAgB/BuTPCIe3luTVlvb8kwbUVKASB2Bg\n bHIg==", "X-Mailman-Original-Authentication-Results": [ "smtp2.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be", "smtp2.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=cDVvLX3s" ], "Subject": "[Buildroot] [PATCH for 2025.02.x] package/util-linux: add patch for\n CVE-2026-27456", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Titouan Christophe via buildroot <buildroot@buildroot.org>", "Reply-To": "Titouan Christophe <titouan.christophe@mind.be>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n .../0006-add-loopdev-fl-nofollow.patch | 111 ++++++++++++++++++\n 
package/util-linux/util-linux.mk | 3 +\n 2 files changed, 114 insertions(+)\n create mode 100644 package/util-linux/0006-add-loopdev-fl-nofollow.patch", "diff": "diff --git a/package/util-linux/0006-add-loopdev-fl-nofollow.patch b/package/util-linux/0006-add-loopdev-fl-nofollow.patch\nnew file mode 100644\nindex 0000000000..21b1e2596c\n--- /dev/null\n+++ b/package/util-linux/0006-add-loopdev-fl-nofollow.patch\n@@ -0,0 +1,111 @@\n+From 5e390467b26a3cf3fecc04e1a0d482dff3162fc4 Mon Sep 17 00:00:00 2001\n+From: Karel Zak <kzak@redhat.com>\n+Date: Thu, 19 Feb 2026 13:59:46 +0100\n+Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks\n+\n+Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that\n+prevents symlink following in both path canonicalization and file open.\n+\n+When set:\n+- loopcxt_set_backing_file() uses strdup() instead of\n+ ul_canonicalize_path() (which calls realpath() and follows symlinks)\n+- loopcxt_setup_device() adds O_NOFOLLOW to open() flags\n+\n+The flag is set for non-root (restricted) mount operations in\n+libmount's loop device hook. 
This prevents a TOCTOU race condition\n+where an attacker could replace the backing file (specified in\n+/etc/fstab) with a symlink to an arbitrary root-owned file between\n+path resolution and open().\n+\n+Vulnerable Code Flow:\n+\n+ mount /mnt/point (non-root, SUID)\n+ mount.c: sanitize_paths() on user args (mountpoint only)\n+ mnt_context_mount()\n+ mnt_context_prepare_mount()\n+ mnt_context_apply_fstab() <-- source path from fstab\n+ hooks run at MNT_STAGE_PREP_SOURCE\n+ hook_loopdev.c: setup_loopdev()\n+ backing_file = fstab source path (\"/home/user/disk.img\")\n+ loopcxt_set_backing_file() <-- calls realpath() as ROOT\n+ ul_canonicalize_path() <-- follows symlinks!\n+ loopcxt_setup_device()\n+ open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW\n+\n+Two vulnerabilities in the path:\n+\n+1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses\n+ realpath() -- this follows symlinks as euid=0. If the attacker swaps\n+ the file to a symlink before this call, lc->filename becomes the\n+ resolved target path (e.g., /root/secret.img).\n+\n+2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. 
Even\n+ if canonicalization happened correctly, the file can be swapped to a\n+ symlink between canonicalize and open.\n+\n+Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g\n+Signed-off-by: Karel Zak <kzak@redhat.com>\n+\n+CVE: CVE-2026-27456\n+Upstream: https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4\n+[Titouan: Adapt patch to apply cleanly onto util-linux 2.40]\n+Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n+---\n+ include/loopdev.h | 3 ++-\n+ lib/loopdev.c | 7 ++++++-\n+ libmount/src/hook_loopdev.c | 3 ++-\n+ 3 files changed, 10 insertions(+), 3 deletions(-)\n+\n+diff --git a/include/loopdev.h b/include/loopdev.h\n+index d10bf7f37..0f85dd254 100644\n+--- a/include/loopdev.h\n++++ b/include/loopdev.h\n+@@ -139,7 +139,8 @@ enum {\n+ \tLOOPDEV_FL_NOIOCTL\t= (1 << 6),\n+ \tLOOPDEV_FL_DEVSUBDIR\t= (1 << 7),\n+ \tLOOPDEV_FL_CONTROL\t= (1 << 8),\t/* system with /dev/loop-control */\n+-\tLOOPDEV_FL_SIZELIMIT\t= (1 << 9)\n++\tLOOPDEV_FL_SIZELIMIT\t= (1 << 9),\n++\tLOOPDEV_FL_NOFOLLOW\t= (1 << 10)\t/* O_NOFOLLOW, don't follow symlinks */\n+ };\n+ \n+ /*\n+diff --git a/lib/loopdev.c b/lib/loopdev.c\n+index c72fb2c40..3d2274693 100644\n+--- a/lib/loopdev.c\n++++ b/lib/loopdev.c\n+@@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename)\n+ \tif (!lc)\n+ \t\treturn -EINVAL;\n+ \n+-\tlc->filename = canonicalize_path(filename);\n++\tif (lc->flags & LOOPDEV_FL_NOFOLLOW)\n++\t\tlc->filename = strdup(filename);\n++\telse\n++\t\tlc->filename = ul_canonicalize_path(filename);\n+ \tif (!lc->filename)\n+ \t\treturn -errno;\n+ \n+@@ -1408,6 +1411,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc)\n+ \n+ \tif (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO)\n+ \t\tflags |= O_DIRECT;\n++\tif (lc->flags & LOOPDEV_FL_NOFOLLOW)\n++\t\tflags |= O_NOFOLLOW;\n+ \n+ \tif ((file_fd = open(lc->filename, mode | flags)) < 0) {\n+ \t\tif (mode != O_RDONLY 
&& (errno == EROFS || errno == EACCES))\n+diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c\n+index 597b9339a..4df1915a6 100644\n+--- a/libmount/src/hook_loopdev.c\n++++ b/libmount/src/hook_loopdev.c\n+@@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt,\n+ \t}\n+ \n+ \tDBG(LOOP, ul_debugobj(cxt, \"not found; create a new loop device\"));\n+-\trc = loopcxt_init(&lc, 0);\n++\trc = loopcxt_init(&lc,\n++\t\t\tmnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0);\n+ \tif (rc)\n+ \t\tgoto done_no_deinit;\n+ \tif (mnt_opt_has_value(loopopt)) {\ndiff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk\nindex 5d761e01c9..d30c26deb5 100644\n--- a/package/util-linux/util-linux.mk\n+++ b/package/util-linux/util-linux.mk\n@@ -36,6 +36,9 @@ UTIL_LINUX_CPE_ID_VENDOR = kernel\n # 0001-libmount-ifdef-statx-call.patch\n UTIL_LINUX_AUTORECONF = YES\n \n+# 0006-add-loopdev-fl-nofollow.patch\n+UTIL_LINUX_IGNORE_CVES += CVE-2026-27456\n+\n UTIL_LINUX_INSTALL_STAGING = YES\n UTIL_LINUX_DEPENDENCIES = \\\n \thost-pkgconf \\\n", "prefixes": [ "for", "2025.02.x" ] }
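Review bot: In the backported `lib/loopdev.c` hunk for `loopcxt_set_backing_file()`, the removed line calls `canonicalize_path(filename)` but the new `else` branch calls `ul_canonicalize_path(filename)`, so the default path now uses a name the 2.40 context does not. If this util-linux version does not declare `ul_canonicalize_path()` (the removed line suggests it does not), the package will fail to build or hit an implicit declaration; the branch should probably stay `lc->filename = canonicalize_path(filename);`. As a residual-risk caveat, `O_NOFOLLOW` in `loopcxt_setup_device()` only rejects a symlink in the final path component, so symlinked parent directories of the fstab source are still resolved by `open()`. Both functions continue outside the hunks shown, so the retry path after a failed `open()` could not be checked from here.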