Bug 2419369 (CVE-2025-14104)

Summary: CVE-2025-14104 util-linux: util-linux: Heap buffer overread in setpwnam() when processing 256-byte usernames
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, crizzo, gtanzill, jbuscemi, jmitchel, kshier, kzak, slayericefire, stcannon, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2419370, 2419371    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-05 14:21:04 UTC 
A flaw was found in util-linux. Heap buffer overread when processing 256-byte usernames.
Affects any SUID login-utils utility writing to password database. The setpwnam() function allocates a 256-byte buffer but accesses linebuf[256] when username length equals 256, causing a heap buffer overread.
Comment 2 Karel Zak 2026-01-14 13:10:32 UTC 
Fixed in upstream release v2.41.3, upgrade already available in f44 and f43. 

The bugfix was also backported into f42 (util-linux-2.40.4-8.fc42).

The bug is in very old code (from 1997), so all older versions are affected.
Comment 3 John 2026-01-14 16:16:29 UTC 
Status request: What is the timeline for backporting CVE-2025-14104 to CentOS Stream 9?

Timeline data:
- CVE disclosed: Dec 2024 (13 months ago)
- Upstream fix: Available Dec 2024
- Fedora 43: Patched Dec 2024
- SUSE: Patched Jan 2026
- CentOS Stream 9: util-linux-2.37.4-21 (last update ~Feb 2025)

This affects SUID utilities in multi-user environments. A 13-month delay for a 
moderate CVE with available upstream fixes seems unusual for a security-focused 
distribution.

Is there a backport timeline or reason for the delay?