realloc buffer when header size changed

fix size use for stdin
segmentation fault on invalid unicode input passed to -s option
cherry-pick from: 10e9faf901605af5713bc89a5a36631f2025a956

fix-size-use-for-stdin.patch

@@ -0,0 +1,61 @@
+From 58e4ee082bca100034791a4a74481f263bb30a25 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 21 Oct 2021 18:47:40 +0200
+Subject: [PATCH] logger: fix --size use for stdin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stdin version counts log header into the message size, but
+for example when it reads message from argv[] it counts only message
+itself.
+
+ $ logger --stderr  --size 3 "abcd"
+ <13>Oct 21 18:48:29 kzak: abc
+
+ $ echo "abcd" | logger --stderr  --size 3
+ logger: cannot allocate 18446744073709551597 bytes: Cannot allocate memory
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2011602
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ misc-utils/logger.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/misc-utils/logger.c b/misc-utils/logger.c
+index 25ff2b9308..50ae211056 100644
+--- a/misc-utils/logger.c
++++ b/misc-utils/logger.c
+@@ -976,9 +976,7 @@ static void logger_stdin(struct logger_ctl *ctl)
+ 	 */
+ 	int default_priority = ctl->pri;
+ 	int last_pri = default_priority;
+-	size_t max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr);
+-	size_t allocated_usrmsg_size = max_usrmsg_size;
+-	char *buf = xmalloc(allocated_usrmsg_size + 2 + 2);
++	char *buf = xmalloc(ctl->max_message_size + 2 + 2);
+ 	int pri;
+ 	int c;
+ 	size_t i;
+@@ -1006,20 +1004,13 @@ static void logger_stdin(struct logger_ctl *ctl)
+ 
+ 			if (ctl->pri != last_pri) {
+ 				generate_syslog_header(ctl);
+-				max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr);
+-
+-				if (max_usrmsg_size > allocated_usrmsg_size) {
+-					allocated_usrmsg_size = max_usrmsg_size;
+-					buf = xrealloc(buf, allocated_usrmsg_size + 2 + 2);
+-				}
+-
+ 				last_pri = ctl->pri;
+ 			}
+ 			if (c != EOF && c != '\n')
+ 				c = getchar();
+ 		}
+ 
+-		while (c != EOF && c != '\n' && i < max_usrmsg_size) {
++		while (c != EOF && c != '\n' && i < ctl->max_message_size) {
+ 			buf[i++] = c;
+ 			c = getchar();
+ 		}

realloc-buffer-when-header-size-changed.patch

@@ -0,0 +1,64 @@
+From b0a8b8cd9c34600dda7d0503aac2dc0af3012fdc Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 21 Oct 2021 16:00:01 +0200
+Subject: [PATCH] logger: realloc buffer when header size changed
+
+This is probably paranoid optimization, but when we generate a new
+header we need to be sure that buffer is not smaller than calculated
+maximal size of user's data.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ misc-utils/logger.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/misc-utils/logger.c b/misc-utils/logger.c
+index 23da164cd6..4511ab1141 100644
+--- a/misc-utils/logger.c
++++ b/misc-utils/logger.c
+@@ -979,11 +979,11 @@ static void logger_stdin(struct logger_ctl *ctl)
+ 	 * update header timestamps and to reflect possible priority changes.
+ 	 * The initial header is generated by logger_open().
+ 	 */
+-	int has_header = 1;
+ 	int default_priority = ctl->pri;
+ 	int last_pri = default_priority;
+ 	size_t max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr);
+-	char *const buf = xmalloc(max_usrmsg_size + 2 + 2);
++	size_t allocated_usrmsg_size = max_usrmsg_size;
++	char *buf = xmalloc(allocated_usrmsg_size + 2 + 2);
+ 	int pri;
+ 	int c;
+ 	size_t i;
+@@ -1010,9 +1010,14 @@ static void logger_stdin(struct logger_ctl *ctl)
+ 				ctl->pri = default_priority;
+ 
+ 			if (ctl->pri != last_pri) {
+-				has_header = 0;
+-				max_usrmsg_size =
+-				    ctl->max_message_size - strlen(ctl->hdr);
++				generate_syslog_header(ctl);
++				max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr);
++
++				if (max_usrmsg_size > allocated_usrmsg_size) {
++					allocated_usrmsg_size = max_usrmsg_size;
++					buf = xrealloc(buf, allocated_usrmsg_size + 2 + 2);
++				}
++
+ 				last_pri = ctl->pri;
+ 			}
+ 			if (c != EOF && c != '\n')
+@@ -1025,12 +1030,8 @@ static void logger_stdin(struct logger_ctl *ctl)
+ 		}
+ 		buf[i] = '\0';
+ 
+-		if (i > 0 || !ctl->skip_empty_lines) {
+-			if (!has_header)
+-				generate_syslog_header(ctl);
++		if (i > 0 || !ctl->skip_empty_lines)
+ 			write_output(ctl, buf);
+-			has_header = 0;
+-		}
+ 
+ 		if (c == '\n')	/* discard line terminator */
+ 			c = getchar();

segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch

@@ -0,0 +1,27 @@
+From 9714331843ef3a6d9c10ff1d3bc5fcf53d44d930 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 31 Aug 2021 12:31:15 +0200
+Subject: [PATCH] column: segmentation fault on invalid unicode input passed to
+ -s option
+
+The function mbs_to_wcs() returns NULL on invalid UTF.
+
+Fixes: https://github.com/karelzak/util-linux/issues/1425
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ text-utils/column.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/text-utils/column.c b/text-utils/column.c
+index 1bc90e84e3..f9878e4422 100644
+--- a/text-utils/column.c
++++ b/text-utils/column.c
+@@ -814,6 +814,8 @@ int main(int argc, char **argv)
+ 		case 's':
+ 			free(ctl.input_separator);
+ 			ctl.input_separator = mbs_to_wcs(optarg);
++			if (!ctl.input_separator)
++				err(EXIT_FAILURE, _("failed to use input separator"));
+ 			ctl.greedy = 0;
+ 			break;
+ 		case 'T':

util-linux.spec

@@ -21,16 +21,19 @@ Source9:        util-linux-runuser-l.pamd
 Patch6000:      2.36-login-lastlog-create.patch
 Patch6001:      backport-CVE-2021-3995.patch
 Patch6002:      backport-CVE-2021-3996.patch
-Patch6003:      backport-su-bash-completion-offer-usernames-rather-than-files.patch
+Patch6003:      realloc-buffer-when-header-size-changed.patch
-Patch6004:      backport-Fix-memory-leaks-in-the-chcpu.patch
+Patch6004:      fix-size-use-for-stdin.patch
-Patch6005:      backport-logger-fix-prio-prefix-doesn-t-use-priority-default.patch
+Patch6005:      segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch
-Patch6006:      backport-vipw-flush-stdout-before-getting-answer.patch
+Patch6006:      backport-su-bash-completion-offer-usernames-rather-than-files.patch 
-Patch6007:      backport-login-Restore-tty-size-after-calling-vhangup.patch
+Patch6007:      backport-Fix-memory-leaks-in-the-chcpu.patch 
-Patch6008:      backport-Forward-value-of-sector_size-instead-of-its-address.patch
+Patch6008:      backport-logger-fix-prio-prefix-doesn-t-use-priority-default.patch 
-Patch6009:      backport-libfdisk-dereference-of-possibly-NULL-gcc-analyzer.patch
+Patch6009:      backport-vipw-flush-stdout-before-getting-answer.patch 
-Patch6010:      backport-libfdisk-check-calloc-return-gcc-analyzer.patch
+Patch6010:      backport-login-Restore-tty-size-after-calling-vhangup.patch 
-Patch6011:      backport-mcookie-fix-infinite-loop-when-use-f.patch
+Patch6011:      backport-Forward-value-of-sector_size-instead-of-its-address.patch 
-Patch6012:      backport-sfdisk-write-empty-label-also-when-only-ignored-part.patch
+Patch6012:      backport-libfdisk-dereference-of-possibly-NULL-gcc-analyzer.patch 
+Patch6013:      backport-libfdisk-check-calloc-return-gcc-analyzer.patch
+Patch6014:      backport-mcookie-fix-infinite-loop-when-use-f.patch
+Patch6015:      backport-sfdisk-write-empty-label-also-when-only-ignored-part.patch
 
 Patch9000:      Add-check-to-resolve-uname26-version-test-failed.patch
 Patch9001:      SKIPPED-no-root-permissions-test.patch
@@ -410,7 +413,15 @@ fi
 - SUG:NA
 - DESC:Sync community patches
 
-* Tue Feb 15 2022 shangyibin<shangyibin1@h-partners.com> - 2.37.2-3
+* Fri Feb 18 2022 shangyibin<shangyibin1@h-partners.com> - 2.37.2-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:realloc buffer when header size changed
+       fix size use for stdin
+       segmentation fault on invalid unicode input passed to -s option
+
+* Mon Feb 14 2021 shangyibin<shangyibin1@h-partners.com> - 2.37.2-3
 - Type:CVE
 - ID:CVE-2021-3995 CVE-2021-3996
 - SUG:NA