Changes between v2.41.4 and v2.41.5 -------------------------------------------- commit 230de59ffbee328506d92d3534e66d56de1afe5d Author: Karel Zak Date: Tue Jun 16 13:23:37 2026 +0200 build-sys: update release dates Signed-off-by: Karel Zak NEWS | 2 +- configure.ac | 2 +- meson.build | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit 63a366b31d4801fac82145871cdb7442de92e3f3 Author: Karel Zak Date: Tue Jun 16 13:23:27 2026 +0200 docs: update v2.41.5-ReleaseNotes Documentation/releases/v2.41.5-ReleaseNotes | 89 +++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) commit a9508d216eb8977979102782672e0470cc9bf2a2 Author: Karel Zak Date: Wed May 27 12:38:16 2026 +0200 libmount: add mount ID verification and man page TOCTOU note Verify mount ID after re-opening the target fd to ensure the mount landed on the expected target. The expected ID is set from fd_tree in hook_create_mount() (new mount API only). Add WARNING to mount.8 about the inherent TOCTOU limitation of the legacy mount(2) syscall for non-superuser mounts. Signed-off-by: Karel Zak (cherry picked from commit 39fef62bf3226abb6bb018fa8750afa0327e84b4) libmount/src/context.c | 29 ++++++++++++++++++++++++++++- sys-utils/mount.8.adoc | 2 ++ 2 files changed, 30 insertions(+), 1 deletion(-) commit 4ca5d5c502ad746e7ecf8d201ca4d7768e6faca3 Author: Karel Zak Date: Wed May 27 12:21:02 2026 +0200 libmount: use fd_target in hook_idmap for move_mount() Use the pinned fd_target with MOVE_MOUNT_T_EMPTY_PATH for restricted users instead of string-based move_mount(). Re-open the target fd after mount to point to the mounted filesystem root. Signed-off-by: Karel Zak (cherry picked from commit 8aa3af65b2b2a57bd40ecc47467d58d27cc9d3a7) libmount/src/hook_idmap.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) commit 8b6454b84e11937059d8fe7dc63c1d6e38ec7368 Author: Karel Zak Date: Wed May 27 12:20:06 2026 +0200 libmount: restrict X-mount.subdir for non-root The old-kernel subdirectory path uses namespace unsharing and string-based move_mount(), which is unsafe for restricted users (TOCTOU). The safe detached subdirectory open requires Linux >= 6.15 and libmount support, which is not available in v2.41. Signed-off-by: Karel Zak libmount/src/hook_subdir.c | 6 ++++++ sys-utils/mount.8.adoc | 2 ++ 2 files changed, 8 insertions(+) commit 897a08c2b11dfa66975c3d24d63c7bf5f5be1a7c Author: Karel Zak Date: Tue Jun 16 11:15:19 2026 +0200 libmount: use fd-based fchownat/chmod in hook_owner Replace path-based lchown()/chmod() with fd-based operations in the X-mount.{owner,group,mode} post-mount hook. For restricted users the fd_target is pinned in prepare_target() and re-opened after mount in hook_attach_target() to point to the mounted filesystem root. For root a local O_PATH fd is opened. Ownership is changed via fchownat(fd, "", ..., AT_EMPTY_PATH), mode via /proc/self/fd/N. This prevents TOCTOU attacks where an ancestor directory is swapped between mount and the chmod/chown operations. CVE-2026-53612 Reported-by: Xinyao Hu Signed-off-by: Karel Zak (cherry picked from commit 24da33905c7115c4cbccd0afb2a469804e96467a) libmount/src/hook_owner.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) commit 99bad5729aeb93adfcd2573d60b3eb7e09da3c75 Author: Karel Zak Date: Wed May 27 11:12:17 2026 +0200 libmount: ignore X-mount.nocanonicalize for restricted users Paths must always be canonicalized in restricted (non-root) mode to ensure safe target resolution before fd pinning. Signed-off-by: Karel Zak (cherry picked from commit d07aad41e323fd36a1504809d1f9b89c0504f76c) libmount/src/context.c | 3 +++ sys-utils/mount.8.adoc | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) commit 0b010025a0e429bc80355c94db86a843395d49e2 Author: Karel Zak Date: Tue Jun 16 11:13:54 2026 +0200 libmount: add fd_target to context for TOCTOU prevention Add a pinned O_PATH target fd to libmnt_context with lazy-open getter mnt_context_get_target_fd() and mnt_context_close_target_fd(). The fd is opened via ul_open_no_symlinks() (RESOLVE_NO_SYMLINKS) to reject symlinks at any path component. The fd is closed on context reset. CVE-2026-53613 Signed-off-by: Karel Zak (cherry picked from commit 78a860982e036f38fe9c0b3344998df5ac2c2ff5) libmount/src/context.c | 43 ++++++++++++++++++++++++++++++++++++++++ libmount/src/context_mount.c | 7 +++++++ libmount/src/hook_mount.c | 18 ++++++++++++++++- libmount/src/hook_mount_legacy.c | 3 +++ libmount/src/mountP.h | 7 +++++++ 5 files changed, 77 insertions(+), 1 deletion(-) commit b639bf5c4277b7f828b3fcbdbf94bad5a4d20060 Author: Karel Zak Date: Wed May 27 10:35:39 2026 +0200 lib/fileutils: add ul_open_no_symlinks() Add a helper that opens a path rejecting symlinks at any component, not just the last one. Uses openat2(RESOLVE_NO_SYMLINKS) when available (Linux >= 5.6), falls back to open(O_NOFOLLOW). Signed-off-by: Karel Zak (cherry picked from commit e01e38b24346a21f1d01498c265486a12c009e61) configure.ac | 1 + include/fileutils.h | 2 ++ lib/fileutils.c | 24 ++++++++++++++++++++++++ meson.build | 1 + 4 files changed, 28 insertions(+) commit cc81bbcec598cb91f0eb8456282f33eed820ed5f Author: Karel Zak Date: Tue Jun 16 10:58:32 2026 +0200 libmount: fix SUID bypass via LIBMOUNT_FORCE_MOUNT2 and legacy mount path Use safe_getenv() for LIBMOUNT_FORCE_MOUNT2 to ignore the variable in SUID context, consistent with LIBMOUNT_FSTAB and other sensitive environment variables. Additionally, refuse multi-step mount(2) sequences (bind+remount and propagation) for restricted (non-root) users in the legacy mount path. The two-step approach has a window between syscalls where security flags (nosuid, noexec, ...) are not yet applied. The new mount API handles this atomically. CVE-2026-53614 Reported-by: Xinyao Hu Signed-off-by: Karel Zak (cherry picked from commit 9cbfb823500f510b34767edabd3ffd5b436987b4) libmount/src/hook_mount.c | 3 ++- libmount/src/hook_mount_legacy.c | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) commit 132d9c8aa15a8efd0a23d8ca7ed8b98f365e84fa Author: Karel Zak Date: Thu May 7 12:50:48 2026 +0200 libblkid: fix use-after-free in nested partition probing The partitions list stores partitions in a contiguous array grown by reallocarray(). When the array is reallocated to a new address, all existing blkid_partition pointers (tab->parent, ls->next_parent, local parent variables in nested probers) become dangling. Fix this by changing the storage from an array of structs to an array of pointers, where each partition is individually allocated via calloc(). This makes all blkid_partition pointers stable across reallocations -- only the pointer array itself may move, which is harmless since no code caches pointers into the pointer array. This eliminates the need for callers to re-fetch parent pointers after every blkid_partlist_add_partition() call. Reported-by: Thai Duong Signed-off-by: Karel Zak (cherry picked from commit c0186f14fbdb02f64c8e0ba701ce727ea764ff4c) libblkid/src/partitions/partitions.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) commit b8625310b8f4a0760a00da013930365fa70d211a Author: aizu-m Date: Tue Jun 9 12:32:50 2026 +0530 libmount: fix subvolid buffer overflow in get_btrfs_fs_root (cherry picked from commit 091e08c07c5444fd9179d43fb6c1db377a6ca7e4) libmount/src/tab.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit cc6cc7b0ce06d3048863d74126d97530356cd52a Author: Tobias Stoeckmann Date: Wed Feb 18 18:26:52 2026 +0100 pg: Fix compiler warning Seen compiler warning with GCC 15.2.1 and glibc 2.43: ``` text-utils/pg.c: In function ‘prompt’: text-utils/pg.c:621:24: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] 621 | if ((p = strstr(pstring, "%d")) == NULL) { | ^ ``` This happens if strstr is actually a preprocessor definition with a __glibc_const_generic. For this, __GLIBC_USE (ISOC23) must be true. Setting the pointer to const does not hurt and clarifies that the content is not modfied. Signed-off-by: Tobias Stoeckmann (cherry picked from commit f8b9465cb874ce20a9cda7f608b485d5e3db2b90) text-utils/pg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3711d0ad846ee84fb69ca40db1f8873ef55ccbf6 Author: Karel Zak Date: Thu May 7 14:34:27 2026 +0200 CI: replace ntp with ntpsec The ntp package has been removed from Ubuntu repositories. Use ntpsec as a replacement to provide the sntp command needed by tests/ts/hwclock/systohc. Signed-off-by: Karel Zak (cherry picked from commit e19769bb1e70a1ea713582a69bcf7c9befa53bf0) .github/workflows/cibuild-setup-ubuntu.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1e4b0ec69d4a017436278a204b27224a8e07fd9e Author: WanBingjiang Date: Mon Mar 30 16:28:24 2026 +0800 liblastlog2: wait on busy SQLite connections Avoiding 'SQL error: database is locked' when lastlog2 writes lastlog2 databese. Addresses: https://github.com/util-linux/util-linux/issues/4157 Signed-off-by: WanBingjiang (cherry picked from commit fff8c59c75355d365a69f86719e7bd7818c1daf4) liblastlog2/src/lastlog2.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) commit c8d0af0421f6491ab1cb2301d2e197315289d34c Author: Karel Zak Date: Tue May 19 10:54:57 2026 +0200 pam_lastlog2: fix libpam linking in autotools build Move -lpam from LDFLAGS to LIBADD. When -lpam is in LDFLAGS it appears on the linker command line before object files, so the --as-needed linker flag (default on Fedora) discards it before seeing any undefined PAM symbols. This results in pam_lastlog2.so missing libpam.so in its ELF NEEDED entries. The module then fails to load with dlopen() if the calling process does not itself link against libpam (e.g., systemd in Fedora 44+): PAM unable to dlopen(pam_lastlog2.so): undefined symbol: pam_syslog Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2453457 Signed-off-by: Karel Zak (cherry picked from commit 5683ed6320e00205146cbb3d0c76462733530eca) pam_lastlog2/src/Makemodule.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)