2024-04-04 09:40:01

by Karel Zak

Subject: [ANNOUNCE] util-linux maintenance release v2.39.4


The util-linux stable maintenance release v2.39.4 is available at

http://www.kernel.org/pub/linux/utils/util-linux/v2.39/

Feedback and bug reports, as always, are welcomed.

(Please note that the current stable release is v2.40.)

Karel


util-linux v2.39.4 Release Notes
================================

Security issues
---------------

This release fixes CVE-2024-28085. The wall command does not filter escape
sequences from command line arguments. The vulnerable code was introduced in
commit cdd3cc7fa4 (2013). Every version since has been vulnerable.

This allows unprivileged users to put arbitrary text on other users' terminals,
if mesg is set to y and *wall is setgid*. Not all distros are affected (e.g.
CentOS, RHEL, and Fedora are not; on Ubuntu and Debian, wall is setgid and mesg
is set to y by default).


Changes between v2.39.3 and v2.39.4
-----------------------------------

build:
- only build test_enosys if an audit arch exists [Thomas Weißschuh]
dmesg:
- (tests) validate json output [Thomas Weißschuh]
- -r LOG_MAKEPRI needs fac << 3 [Edward Chron]
- correctly print all supported facility names [Thomas Weißschuh]
- only write one message to json [Thomas Weißschuh]
- open-code LOG_MAKEPRI [Thomas Weißschuh]
docs:
- update AUTHORS file [Karel Zak]
fadvise:
- (test) don't compare fincore page counts [Thomas Weißschuh]
- (test) dynamically calculate expected test values [Thomas Weißschuh]
- (test) test with 64k blocks [Thomas Weißschuh]
- (tests) factor out calls to "fincore" [Thomas Weißschuh]
github:
- add labeler [Karel Zak]
jsonwrt:
- add ul_jsonwrt_value_s_sized [Thomas Weißschuh]
libblkid:
- Check offset in LUKS2 header [Milan Broz]
- topology/ioctl correctly handle kernel types [Thomas Weißschuh]
libmount:
- don't initialize variable twice (#2714) [Thorsten Kukuk]
- make sure "option=" is used as string [Karel Zak]
libsmartcols:
- (tests) add test for continuous json output [Thomas Weißschuh]
- drop spourious newline in between streamed JSON objects [Thomas Weißschuh]
- flush correct stream [Thomas Weißschuh]
- only recognize closed object as final element [Thomas Weißschuh]
po:
- merge changes [Karel Zak]
po-man:
- merge changes [Karel Zak]
wall:
- fix calloc cal [-Werror=calloc-transposed-args] [Karel Zak]
- fix escape sequence Injection [CVE-2024-28085] [Karel Zak]

--
Karel Zak <[email protected]>
http://karelzak.blogspot.com
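
An added illustration of the bug class described under "Security issues" above (CVE-2024-28085); it is not util-linux code and not the actual fix. The helper name `sanitize_for_tty` and the sample strings are assumptions made for this example, and escaping every byte at or above 0x80 is a simplification that also mangles UTF-8 text.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from util-linux): copy `in` to `out`, rendering
 * every byte a terminal could treat as a control function in visible form.
 * Returns the number of bytes written (excluding the NUL), or (size_t)-1
 * if `out` is too small. */
size_t sanitize_for_tty(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char buf[5];
        size_t n;

        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p < 0x7f)) {
            buf[0] = (char)*p;           /* printable ASCII, newline, tab */
            n = 1;
        } else if (*p < 0x20 || *p == 0x7f) {
            buf[0] = '^';                /* C0 control or DEL: caret form */
            buf[1] = (char)(*p ^ 0x40);  /* ESC (0x1b) -> '[', DEL -> '?' */
            n = 2;
        } else {
            /* Bytes >= 0x80 include the 8-bit C1 controls (0x9b is CSI),
             * so they are shown as \xNN instead of being passed through. */
            n = (size_t)snprintf(buf, sizeof(buf), "\\x%02x", (unsigned)*p);
        }
        if (o + n >= outsz)              /* keep room for the trailing NUL */
            return (size_t)-1;
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: text carrying a 7-bit CSI "erase display" sequence. */
    char out[64];

    if (sanitize_for_tty("notice\x1b[2J from ops", out, sizeof(out)) != (size_t)-1)
        puts(out);
    return 0;
}
```

The point for a setgid writer such as wall is that this kind of filtering has to cover every input path, command-line arguments included, not only text read from stdin or a file.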