From 063c15a5595eeb572c2953c513a09821d5bab994 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Wed, 1 Jul 2026 04:37:20 +0000
Subject: [PATCH] Patch util-linux for CVE-2026-13595
---
 SPECS/util-linux/CVE-2026-13595.patch | 148 ++++++++++++++++++
 SPECS/util-linux/util-linux.spec | 6 +-
 .../manifests/package/pkggen_core_aarch64.txt | 6 +-
 .../manifests/package/pkggen_core_x86_64.txt | 6 +-
 .../manifests/package/toolchain_aarch64.txt | 12 +-
 .../manifests/package/toolchain_x86_64.txt | 12 +-
 6 files changed, 171 insertions(+), 19 deletions(-)
 create mode 100644 SPECS/util-linux/CVE-2026-13595.patch
diff --git a/SPECS/util-linux/CVE-2026-13595.patch b/SPECS/util-linux/CVE-2026-13595.patch
new file mode 100644
index 00000000000..c0ef4dc9bb9
--- /dev/null
+++ b/SPECS/util-linux/CVE-2026-13595.patch
@@ -0,0 +1,148 @@
+From c0286d95b1bfff0fd79f9b4c2e4ea017a2adf010 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Thu, 7 May 2026 12:50:48 +0200
+Subject: [PATCH] libblkid: fix use-after-free in nested partition probing
+
+The partitions list stores partitions in a contiguous array grown by
+reallocarray(). When the array is reallocated to a new address, all
+existing blkid_partition pointers (tab->parent, ls->next_parent, local
+parent variables in nested probers) become dangling.
+
+Fix this by changing the storage from an array of structs to an array
+of pointers, where each partition is individually allocated via
+calloc(). This makes all blkid_partition pointers stable across
+reallocations -- only the pointer array itself may move, which is
+harmless since no code caches pointers into the pointer array.
+
+This eliminates the need for callers to re-fetch parent pointers after
+every blkid_partlist_add_partition() call.
+
+Reported-by: Thai Duong
+Signed-off-by: Karel Zak
+(cherry picked from commit c0186f14fbdb02f64c8e0ba701ce727ea764ff4c)
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/util-linux/util-linux/commit/132d9c8aa15a8efd0a23d8ca7ed8b98f365e84fa.patch
+---
+ libblkid/src/partitions/partitions.c | 34 +++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/libblkid/src/partitions/partitions.c b/libblkid/src/partitions/partitions.c
+index e096cf8..506786c 100644
+--- a/libblkid/src/partitions/partitions.c
++++ b/libblkid/src/partitions/partitions.c
+@@ -197,7 +197,7 @@ struct blkid_struct_partlist {
+
+ int nparts; /* number of partitions */
+ int nparts_max; /* max.number of partitions */
+- blkid_partition parts; /* array of partitions */
++ blkid_partition *parts; /* array of pointers to partitions */
+
+ struct list_head l_tabs; /* list of partition tables */
+ };
+@@ -356,13 +356,16 @@ static void reset_partlist(blkid_partlist ls)
+ free_parttables(ls);
+
+ if (ls->next_partno) {
+- /* already initialized - reset */
+- int tmp_nparts = ls->nparts_max;
+- blkid_partition tmp_parts = ls->parts;
++ /* already initialized - free individually allocated partitions */
++ int i, tmp_nparts_max = ls->nparts_max;
++ blkid_partition *tmp_parts = ls->parts;
++
++ for (i = 0; i < ls->nparts; i++)
++ free(ls->parts[i]);
+
+ memset(ls, 0, sizeof(struct blkid_struct_partlist));
+
+- ls->nparts_max = tmp_nparts;
++ ls->nparts_max = tmp_nparts_max;
+ ls->parts = tmp_parts;
+ }
+
+@@ -397,6 +400,7 @@ static void partitions_free_data(blkid_probe pr __attribute__((__unused__)),
+ void *data)
+ {
+ blkid_partlist ls = (blkid_partlist) data;
++ int i;
+
+ if (!ls)
+ return;
+@@ -404,6 +408,8 @@ static void partitions_free_data(blkid_probe pr __attribute__((__unused__)),
+ free_parttables(ls);
+
+ /* deallocate partitions and partlist */
++ for (i = 0; i < ls->nparts; i++)
++ free(ls->parts[i]);
+ free(ls->parts);
+ free(ls);
+ }
+@@ -437,15 +443,17 @@ static blkid_partition new_partition(blkid_partlist ls, blkid_parttable tab)
+ * generic Linux machine -- let start with 32 partitions.
+ */
+ void *tmp = reallocarray(ls->parts, ls->nparts_max + 32,
+- sizeof(struct blkid_struct_partition));
++ sizeof(blkid_partition));
+ if (!tmp)
+ return NULL;
+ ls->parts = tmp;
+ ls->nparts_max += 32;
+ }
+
+- par = &ls->parts[ls->nparts++];
+- memset(par, 0, sizeof(struct blkid_struct_partition));
++ par = calloc(1, sizeof(struct blkid_struct_partition));
++ if (!par)
++ return NULL;
++ ls->parts[ls->nparts++] = par;
+
+ ref_parttable(tab);
+ par->tab = tab;
+@@ -850,7 +858,7 @@ int blkid_probe_is_covered_by_pt(blkid_probe pr,
+
+ /* check if the partition table fits into the device */
+ for (i = 0; i < nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+ if (par->start + par->size > (pr->size >> 9)) {
+ DBG(LOWPROBE, ul_debug("partition #%d overflows "
+@@ -862,7 +870,7 @@ int blkid_probe_is_covered_by_pt(blkid_probe pr,
+
+ /* check if the requested area is covered by PT */
+ for (i = 0; i < nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+ if (start >= par->start && end <= par->start + par->size) {
+ rc = 1;
+@@ -961,7 +969,7 @@ blkid_partition blkid_partlist_get_partition(blkid_partlist ls, int n)
+ if (n < 0 || n >= ls->nparts)
+ return NULL;
+
+- return &ls->parts[n];
++ return ls->parts[n];
+ }
+
+ blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start)
+@@ -1073,7 +1081,7 @@ blkid_partition blkid_partlist_devno_to_partition(blkid_partlist ls, dev_t devno
+ * and an entry in partition table.
+ */
+ for (i = 0; i < ls->nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+ if (partno != blkid_partition_get_partno(par))
+ continue;
+@@ -1089,7 +1097,7 @@ blkid_partition blkid_partlist_devno_to_partition(blkid_partlist ls, dev_t devno
+ DBG(LOWPROBE, ul_debug("searching by offset/size"));
+
+ for (i = 0; i < ls->nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+ if ((uint64_t)blkid_partition_get_start(par) == start &&
+ (uint64_t)blkid_partition_get_size(par) == size)
+--
+2.45.4
+
diff --git a/SPECS/util-linux/util-linux.spec b/SPECS/util-linux/util-linux.spec
index 1213eab7fc4..186c6331e66 100644
--- a/SPECS/util-linux/util-linux.spec
+++ b/SPECS/util-linux/util-linux.spec
@@ -5,7 +5,7 @@
 Summary: Utilities for file systems, consoles, partitions, and messages
 Name: util-linux
 Version: 2.40.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -19,6 +19,7 @@ Source4: su-l
 Patch0: CVE-2025-14104.patch
 Patch1: CVE-2026-27456.patch
 Patch2: CVE-2026-3184.patch
+Patch3: CVE-2026-13595.patch
 BuildRequires: audit-devel
 BuildRequires: libcap-ng-devel
 BuildRequires: libselinux-devel
@@ -174,6 +175,9 @@ rm -rf %{buildroot}/lib/systemd/system
 %{_mandir}/man3/*
 %changelog
+* Wed Jul 01 2026 Azure Linux Security Servicing Account - 2.40.2-5
+- Patch for CVE-2026-13595
+
 * Wed Apr 08 2026 Azure Linux Security Servicing Account - 2.40.2-4
 - Patch for CVE-2026-3184, CVE-2026-27456
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 6b170b51129..bf0016895b9 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
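Review bot: In the `reset_partlist` hunk of CVE-2026-13595.patch the new loop frees each `ls->parts[i]` but the pointer array is carried over (`ls->parts = tmp_parts`), so its slots keep freed addresses and stay safe only because every reader shown in the patch is bounded by `nparts`. Clearing the slot as it is freed, `free(ls->parts[i]); ls->parts[i] = NULL;`, turns a later out-of-range index into a NULL pointer rather than a pointer to freed memory; the slots added by `reallocarray()` in `new_partition` are likewise uninitialised above `nparts`. Partitions are now released at reset rather than zeroed in place, so a caller that keeps a `blkid_partition` across a re-probe would presumably hold a freed pointer; the function bodies continue outside the hunks, so this is inferred. The trailers also cite two different upstream commit ids, `c0186f14fbdb` in the cherry-pick line and `132d9c8aa15a` in `Upstream-reference`, and these should be reconciled so the backport can be checked against one upstream commit.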
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.aarch64.rpm
 patch-2.7.6-9.azl3.aarch64.rpm
 libcap-ng-0.8.4-1.azl3.aarch64.rpm
 libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm
-util-linux-2.40.2-4.azl3.aarch64.rpm
-util-linux-devel-2.40.2-4.azl3.aarch64.rpm
-util-linux-libs-2.40.2-4.azl3.aarch64.rpm
+util-linux-2.40.2-5.azl3.aarch64.rpm
+util-linux-devel-2.40.2-5.azl3.aarch64.rpm
+util-linux-libs-2.40.2-5.azl3.aarch64.rpm
 tar-1.35-2.azl3.aarch64.rpm
 xz-5.4.4-3.azl3.aarch64.rpm
 xz-devel-5.4.4-3.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 421b5ed29a5..251946b92ab 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.x86_64.rpm
 patch-2.7.6-9.azl3.x86_64.rpm
 libcap-ng-0.8.4-1.azl3.x86_64.rpm
 libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm
-util-linux-2.40.2-4.azl3.x86_64.rpm
-util-linux-devel-2.40.2-4.azl3.x86_64.rpm
-util-linux-libs-2.40.2-4.azl3.x86_64.rpm
+util-linux-2.40.2-5.azl3.x86_64.rpm
+util-linux-devel-2.40.2-5.azl3.x86_64.rpm
+util-linux-libs-2.40.2-5.azl3.x86_64.rpm
 tar-1.35-2.azl3.x86_64.rpm
 xz-5.4.4-3.azl3.x86_64.rpm
 xz-devel-5.4.4-3.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 4819201c7d8..1ddd188670f 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -542,7 +542,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
-python3-libmount-2.40.2-4.azl3.aarch64.rpm
+python3-libmount-2.40.2-5.azl3.aarch64.rpm
 python3-libs-3.12.9-13.azl3.aarch64.rpm
 python3-libxml2-2.11.5-10.azl3.aarch64.rpm
 python3-lxml-4.9.3-2.azl3.aarch64.rpm
@@ -599,11 +599,11 @@ texinfo-7.0.3-1.azl3.aarch64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm
 unzip-6.0-22.azl3.aarch64.rpm
 unzip-debuginfo-6.0-22.azl3.aarch64.rpm
-util-linux-2.40.2-4.azl3.aarch64.rpm
-util-linux-debuginfo-2.40.2-4.azl3.aarch64.rpm
-util-linux-devel-2.40.2-4.azl3.aarch64.rpm
-util-linux-lang-2.40.2-4.azl3.aarch64.rpm
-util-linux-libs-2.40.2-4.azl3.aarch64.rpm
+util-linux-2.40.2-5.azl3.aarch64.rpm
+util-linux-debuginfo-2.40.2-5.azl3.aarch64.rpm
+util-linux-devel-2.40.2-5.azl3.aarch64.rpm
+util-linux-lang-2.40.2-5.azl3.aarch64.rpm
+util-linux-libs-2.40.2-5.azl3.aarch64.rpm
 which-2.21-8.azl3.aarch64.rpm
 which-debuginfo-2.21-8.azl3.aarch64.rpm
 xz-5.4.4-3.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index d618ebefd99..08ddb2fbcba 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -550,7 +550,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
-python3-libmount-2.40.2-4.azl3.x86_64.rpm
+python3-libmount-2.40.2-5.azl3.x86_64.rpm
 python3-libs-3.12.9-13.azl3.x86_64.rpm
 python3-libxml2-2.11.5-10.azl3.x86_64.rpm
 python3-lxml-4.9.3-2.azl3.x86_64.rpm
@@ -607,11 +607,11 @@ texinfo-7.0.3-1.azl3.x86_64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm
 unzip-6.0-22.azl3.x86_64.rpm
 unzip-debuginfo-6.0-22.azl3.x86_64.rpm
-util-linux-2.40.2-4.azl3.x86_64.rpm
-util-linux-debuginfo-2.40.2-4.azl3.x86_64.rpm
-util-linux-devel-2.40.2-4.azl3.x86_64.rpm
-util-linux-lang-2.40.2-4.azl3.x86_64.rpm
-util-linux-libs-2.40.2-4.azl3.x86_64.rpm
+util-linux-2.40.2-5.azl3.x86_64.rpm
+util-linux-debuginfo-2.40.2-5.azl3.x86_64.rpm
+util-linux-devel-2.40.2-5.azl3.x86_64.rpm
+util-linux-lang-2.40.2-5.azl3.x86_64.rpm
+util-linux-libs-2.40.2-5.azl3.x86_64.rpm
 which-2.21-8.azl3.x86_64.rpm
 which-debuginfo-2.21-8.azl3.x86_64.rpm
 xz-5.4.4-3.azl3.x86_64.rpm