Diffstat (limited to '')
-rw-r--r--debian/patches/debian/backport-ul_strtou64-function.patch38
-rw-r--r--debian/patches/debian/man-getopt-examples.patch24
-rw-r--r--debian/patches/debian/verbose-tests.patch45
-rw-r--r--debian/patches/series12
-rw-r--r--debian/patches/upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch36
-rw-r--r--debian/patches/upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch23
-rw-r--r--debian/patches/upstream/Manual-pages-document-the-resize-command.patch31
-rw-r--r--debian/patches/upstream/libmount-allow-read-only-for-not-root-users.patch102
-rw-r--r--debian/patches/upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch37
-rw-r--r--debian/patches/upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch136
-rw-r--r--debian/patches/upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch189
-rw-r--r--debian/patches/upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch47
-rw-r--r--debian/patches/upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch25
13 files changed, 745 insertions, 0 deletions
diff --git a/debian/patches/debian/backport-ul_strtou64-function.patch b/debian/patches/debian/backport-ul_strtou64-function.patch
new file mode 100644
index 0000000..94fca90
--- /dev/null
+++ b/debian/patches/debian/backport-ul_strtou64-function.patch
@@ -0,0 +1,38 @@
+Description: include/strutils: Add ul_strtou64() function
+Origin: backport, https://github.com/util-linux/util-linux/commit/84825b161ba5d18da4142893b9789b3fc71284d9
+Author: Salvatore Bonaccorso <carnil@debian.org>
+
+--- a/include/strutils.h
++++ b/include/strutils.h
+@@ -16,6 +16,8 @@ extern int parse_size(const char *str, u
+ extern int strtosize(const char *str, uintmax_t *res);
+ extern uintmax_t strtosize_or_err(const char *str, const char *errmesg);
+
++extern int ul_strtou64(const char *str, uint64_t *num, int base);
++
+ extern int16_t strtos16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtou16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtox16_or_err(const char *str, const char *errmesg);
+--- a/lib/strutils.c
++++ b/lib/strutils.c
+@@ -319,6 +319,20 @@ char *strndup(const char *s, size_t n)
+ }
+ #endif
+
++int ul_strtou64(const char *str, uint64_t *num, int base)
++{
++ char *end = NULL;
++
++ errno = 0;
++ if (str == NULL || *str == '\0')
++ return -EINVAL;
++ *num = (uint64_t) strtoumax(str, &end, base);
++
++ if (errno || str == end || (end && *end))
++ return -EINVAL;
++ return 0;
++}
++
+ static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base);
+ static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base);
+
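Review bot: ul_strtou64() inherits strtoumax()'s acceptance of leading whitespace and a sign, so a string that starts with '-' is not rejected: the C library negates the value in the unsigned type and leaves errno clear. The CVE-2021-3995 patch later in this series passes a mount-option value through this helper in mnt_optstr_get_uid(), so signed input is better refused up front, e.g. `if (str == NULL || *str == '\0' || strchr(str, '-')) return -EINVAL;`. `*num` is also written before the validity checks, so a caller sees a clobbered value on failure; parsing into a local and assigning only on success would avoid that. A header comment stating the 0 / -EINVAL contract and that trailing characters are an error would document what the `(end && *end)` test enforces.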
diff --git a/debian/patches/debian/man-getopt-examples.patch b/debian/patches/debian/man-getopt-examples.patch
new file mode 100644
index 0000000..171a996
--- /dev/null
+++ b/debian/patches/debian/man-getopt-examples.patch
@@ -0,0 +1,24 @@
+From: Matthew Vernon <matthew@debian.org>
+Date: Tue, 6 Nov 2018 11:49:21 +0000
+Subject: util-linux: getopt(1) should point to where examples are on a Debian
+ system
+
+Debian BTS #913049
+---
+ misc-utils/getopt.1 | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/misc-utils/getopt.1 b/misc-utils/getopt.1
+index 356e16a..e76cefa 100644
+--- a/misc-utils/getopt.1
++++ b/misc-utils/getopt.1
+@@ -418,8 +418,7 @@ if it is called with
+ Example scripts for (ba)sh and (t)csh are provided with the
+ .BR getopt (1)
+ distribution, and are installed in
+-.I /usr/share/doc/util-linux/getopt/
+-directory.
++.I /usr/share/doc/util-linux/examples/ .
+ .SH ENVIRONMENT
+ .IP POSIXLY_CORRECT
+ This environment variable is examined by the
diff --git a/debian/patches/debian/verbose-tests.patch b/debian/patches/debian/verbose-tests.patch
new file mode 100644
index 0000000..416d660
--- /dev/null
+++ b/debian/patches/debian/verbose-tests.patch
@@ -0,0 +1,45 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Wed, 30 Jul 2014 14:28:17 +0200
+Subject: verbose-tests
+
+Enable verbose tests and print content of failing tests output file.
+---
+ tests/Makemodule.am | 2 +-
+ tests/functions.sh | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tests/Makemodule.am b/tests/Makemodule.am
+index 31cf70f..4001672 100644
+--- a/tests/Makemodule.am
++++ b/tests/Makemodule.am
+@@ -13,7 +13,7 @@ clean-local-tests:
+
+ CLEAN_LOCALS += clean-local-tests
+
+-TESTS_OPTIONS = --nonroot
++TESTS_OPTIONS = --nonroot --verbose --parallel=1
+ TESTS_PARALLEL = --parallel
+ TESTS_COMMAND = $(top_srcdir)/tests/run.sh \
+ --srcdir=$(abs_top_srcdir) \
+diff --git a/tests/functions.sh b/tests/functions.sh
+index da6eac4..9ef8443 100644
+--- a/tests/functions.sh
++++ b/tests/functions.sh
+@@ -148,6 +148,17 @@ function ts_failed_subtest {
+ ts_report " $msg ($1)"
+ fi
+
++ if [ "$TS_VERBOSE" = "yes" ]; then
++ echo ========= script: $TS_SCRIPT =================
++ echo ================= OUTPUT =====================
++ cat -n $TS_OUTPUT
++ echo ================= EXPECTED ===================
++ cat -n $TS_EXPECTED
++ echo ================= O/E diff ===================
++ diff -u $TS_OUTPUT $TS_EXPECTED
++ echo ==============================================
++ fi
++
+ return $ret
+ }
+
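Review bot: The added verbose block in ts_failed_subtest expands `$TS_SCRIPT`, `$TS_OUTPUT` and `$TS_EXPECTED` unquoted, so a path containing whitespace or glob characters is split or expanded before `cat` and `diff` see it. Quoting them, as in `cat -n "$TS_OUTPUT"` and `diff -u "$TS_OUTPUT" "$TS_EXPECTED"`, keeps the failure dump reliable. In Makemodule.am, `TESTS_OPTIONS` now carries `--parallel=1` while `TESTS_PARALLEL = --parallel` is unchanged; how run.sh resolves both being passed is not visible here, so a one-line comment on the intended precedence would help. ts_failed_subtest begins above the hunk.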
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..467522b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,12 @@
+upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch
+upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch
+upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch
+upstream/Manual-pages-document-the-resize-command.patch
+debian/man-getopt-examples.patch
+debian/verbose-tests.patch
+upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch
+upstream/libmount-allow-read-only-for-not-root-users.patch
+upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch
+debian/backport-ul_strtou64-function.patch
+upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch
+upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch
diff --git a/debian/patches/upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch b/debian/patches/upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch
new file mode 100644
index 0000000..19c9491
--- /dev/null
+++ b/debian/patches/upstream/0001-libmount-don-t-use-symfollow-for-helpers-on-user-mou.patch
@@ -0,0 +1,36 @@
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 19 Nov 2020 09:49:16 +0100
+Subject: [PATCH] libmount: don't use "symfollow" for helpers on user mounts
+
+Addresses: https://github.com/karelzak/util-linux/issues/1193
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libmount/src/context_mount.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c
+index 8c394c1..dd17861 100644
+--- a/libmount/src/context_mount.c
++++ b/libmount/src/context_mount.c
+@@ -415,6 +415,9 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr)
+ * string, because there is nothing like MS_EXEC (we only have
+ * MS_NOEXEC in mount flags and we don't care about the original
+ * mount string in libmount for VFS options).
++ *
++ * This use-case makes sense for MS_SECURE flags only (see
++ * mnt_optstr_get_flags() and mnt_context_merge_mflags()).
+ */
+ if (!(cxt->mountflags & MS_NOEXEC))
+ mnt_optstr_append_option(optstr, "exec", NULL);
+@@ -422,11 +425,8 @@ static int generate_helper_optstr(struct libmnt_context *cxt, char **optstr)
+ mnt_optstr_append_option(optstr, "suid", NULL);
+ if (!(cxt->mountflags & MS_NODEV))
+ mnt_optstr_append_option(optstr, "dev", NULL);
+- if (!(cxt->mountflags & MS_NOSYMFOLLOW))
+- mnt_optstr_append_option(optstr, "symfollow", NULL);
+ }
+
+-
+ if (cxt->flags & MNT_FL_SAVED_USER)
+ rc = mnt_optstr_set_option(optstr, "user", cxt->orig_user);
+ if (rc)
diff --git a/debian/patches/upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch b/debian/patches/upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch
new file mode 100644
index 0000000..51ef5ce
--- /dev/null
+++ b/debian/patches/upstream/CVE-2021-37600-sys-utils-ipcutils-be-careful-when-call-calloc.patch
@@ -0,0 +1,23 @@
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: sys-utils/ipcutils: be careful when call calloc() for uint64 nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index 674b612..f2b04dd 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ size_t i;
+
+- if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++ if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ return;
+
+ p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
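Review bot: The new `p->sem_nsems > SIZE_MAX` test only has an effect where size_t is narrower than sem_nsems (the subject line describes it as a uint64 count); on LP64 builds it is always false and may draw a tautological-comparison warning. The intent deserves a comment above the condition, for example `/* sem_nsems is 64-bit: refuse counts that would be truncated when passed to xcalloc() as size_t */`. The rest of get_sem_elements() lies outside the hunk, so whether the code after the allocation iterates with the same untruncated count cannot be checked from here.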
diff --git a/debian/patches/upstream/Manual-pages-document-the-resize-command.patch b/debian/patches/upstream/Manual-pages-document-the-resize-command.patch
new file mode 100644
index 0000000..9bb0390
--- /dev/null
+++ b/debian/patches/upstream/Manual-pages-document-the-resize-command.patch
@@ -0,0 +1,31 @@
+From: Vincent McIntyre <vincent.mcintyre@csiro.au>
+Date: Fri, 1 Jan 2021 13:37:52 +1100
+Subject: Manual pages: document the 'resize' command
+
+Reported in https://bugs.debian.org/906918, https://bugs.debian.org/915971.
+
+Signed-off-by: Vincent McIntyre <vincent.mcintyre@csiro.au>
+---
+ disk-utils/cfdisk.8 | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/disk-utils/cfdisk.8 b/disk-utils/cfdisk.8
+index a61aad7..4e3dfca 100644
+--- a/disk-utils/cfdisk.8
++++ b/disk-utils/cfdisk.8
+@@ -115,6 +115,15 @@ MiB (=1024*1024), and so on for GiB, TiB, PiB, EiB, ZiB and YiB
+ Quit the program. This will exit the program without writing any data to
+ the disk.
+ .TP
++.B r
++Reduce or enlarge the current partition.
++.B cfdisk
++then prompts you for the new size of the partition.
++The default size is the current size.
++A partition marked as free space or marked as unusable cannot be resized.
++
++Note that reducing the size of a partition might destroy data on that partition.
++.TP
+ .B s
+ Sort the partitions in ascending start-sector order. When deleting and
+ adding partitions, it is likely that the numbering of the partitions will
diff --git a/debian/patches/upstream/libmount-allow-read-only-for-not-root-users.patch b/debian/patches/upstream/libmount-allow-read-only-for-not-root-users.patch
new file mode 100644
index 0000000..9929f7e
--- /dev/null
+++ b/debian/patches/upstream/libmount-allow-read-only-for-not-root-users.patch
@@ -0,0 +1,102 @@
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 25 Jan 2021 11:11:05 +0100
+Subject: libmount: allow --read-only for not-root users
+
+The command "mount -r" was supported for non-root users in very old
+mount(8) versions. Unfortunately, in this case libmount replaces all
+mount options from command line by options from fstab. We need
+exception for MS_RDONLY.
+
+Fixes: https://github.com/karelzak/util-linux/issues/1235
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libmount/src/context.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/libmount/src/context.c b/libmount/src/context.c
+index 46e2010..e4e9f8f 100644
+--- a/libmount/src/context.c
++++ b/libmount/src/context.c
+@@ -2319,9 +2319,12 @@ end:
+ return rc;
+ }
+
+-/* apply @fs to @cxt -- use mnt_context_apply_fstab() if not sure
++/* apply @fs to @cxt;
++ *
++ * @mflags are mount flags as specified on command-line -- used only to save
++ * MS_RDONLY which is allowed for non-root users.
+ */
+-int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs)
++static int apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs, unsigned long mflags)
+ {
+ int rc;
+
+@@ -2333,6 +2336,7 @@ int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs)
+ DBG(CXT, ul_debugobj(cxt, "use default optsmode"));
+ cxt->optsmode = MNT_OMODE_AUTO;
+ }
++
+ }
+
+ DBG(CXT, ul_debugobj(cxt, "apply entry:"));
+@@ -2360,9 +2364,15 @@ int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs)
+
+ if (cxt->optsmode & MNT_OMODE_IGNORE)
+ ;
+- else if (cxt->optsmode & MNT_OMODE_REPLACE)
++ else if (cxt->optsmode & MNT_OMODE_REPLACE) {
+ rc = mnt_fs_set_options(cxt->fs, mnt_fs_get_options(fs));
+
++ /* mount --read-only for non-root users is allowed */
++ if (rc == 0 && (mflags & MS_RDONLY)
++ && mnt_context_is_restricted(cxt)
++ && cxt->optsmode == MNT_OMODE_USER)
++ rc = mnt_fs_append_options(cxt->fs, "ro");
++ }
+ else if (cxt->optsmode & MNT_OMODE_APPEND)
+ rc = mnt_fs_append_options(cxt->fs, mnt_fs_get_options(fs));
+
+@@ -2380,7 +2390,7 @@ done:
+ }
+
+ static int apply_table(struct libmnt_context *cxt, struct libmnt_table *tb,
+- int direction)
++ int direction, unsigned long mflags)
+ {
+ struct libmnt_fs *fs = NULL;
+ const char *src, *tgt;
+@@ -2418,7 +2428,14 @@ static int apply_table(struct libmnt_context *cxt, struct libmnt_table *tb,
+ if (!fs)
+ return -MNT_ERR_NOFSTAB; /* not found */
+
+- return mnt_context_apply_fs(cxt, fs);
++ return apply_fs(cxt, fs, mflags);
++}
++
++/* apply @fs to @cxt -- use mnt_context_apply_fstab() if not sure
++ */
++int mnt_context_apply_fs(struct libmnt_context *cxt, struct libmnt_fs *fs)
++{
++ return apply_fs(cxt, fs, 0);
+ }
+
+ /**
+@@ -2498,7 +2515,7 @@ int mnt_context_apply_fstab(struct libmnt_context *cxt)
+ DBG(CXT, ul_debugobj(cxt, "trying to apply fstab (src=%s, target=%s)", src, tgt));
+ rc = mnt_context_get_fstab(cxt, &tab);
+ if (!rc)
+- rc = apply_table(cxt, tab, MNT_ITER_FORWARD);
++ rc = apply_table(cxt, tab, MNT_ITER_FORWARD, mflags);
+ }
+
+ /* try mtab */
+@@ -2510,7 +2527,7 @@ int mnt_context_apply_fstab(struct libmnt_context *cxt)
+ else
+ rc = mnt_context_get_mtab(cxt, &tab);
+ if (!rc)
+- rc = apply_table(cxt, tab, MNT_ITER_BACKWARD);
++ rc = apply_table(cxt, tab, MNT_ITER_BACKWARD, mflags);
+ }
+
+ if (!mnt_context_switch_ns(cxt, ns_old))
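Review bot: The read-only exception in apply_fs() enters the branch on the mask test `cxt->optsmode & MNT_OMODE_REPLACE` but then requires `cxt->optsmode == MNT_OMODE_USER` exactly, so a restricted context whose optsmode differs by any bit (if that can occur) silently drops the `ro` given on the command line. If exact equality is intended, the comment should say why, e.g. `/* mount --read-only for non-root users is allowed; only with the default user optsmode, otherwise fstab options are kept verbatim */`. The public mnt_context_apply_fs() now always passes mflags 0, so API callers never get this exception; its comment should state that. The hunk at -2333 also adds a stray blank line before the closing brace.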
diff --git a/debian/patches/upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch b/debian/patches/upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch
new file mode 100644
index 0000000..6dd2fe4
--- /dev/null
+++ b/debian/patches/upstream/libmount-do-not-canonicalize-ZFS-source-dataset.patch
@@ -0,0 +1,37 @@
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 14 Jan 2021 12:45:28 +0100
+Subject: libmount: do not canonicalize ZFS source dataset
+
+Fixes: https://github.com/karelzak/util-linux/issues/1231
+Addresses: https://github.com/systemd/systemd/issues/18188
+Addresses: https://github.com/openzfs/zfs/pull/11295
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libmount/src/context.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libmount/src/context.c b/libmount/src/context.c
+index 6196c71..46e2010 100644
+--- a/libmount/src/context.c
++++ b/libmount/src/context.c
+@@ -1764,7 +1764,7 @@ int mnt_context_prepare_srcpath(struct libmnt_context *cxt)
+ {
+ const char *path = NULL;
+ struct libmnt_cache *cache;
+- const char *t, *v, *src;
++ const char *t, *v, *src, *type;
+ int rc = 0;
+ struct libmnt_ns *ns_old;
+
+@@ -1786,6 +1786,11 @@ int mnt_context_prepare_srcpath(struct libmnt_context *cxt)
+ if (!src || mnt_fs_is_netfs(cxt->fs))
+ return 0;
+
++ /* ZFS source is always "dataset", not a real path */
++ type = mnt_fs_get_fstype(cxt->fs);
++ if (type && strcmp(type, "zfs") == 0)
++ return 0;
++
+ DBG(CXT, ul_debugobj(cxt, "srcpath '%s'", src));
+
+ ns_old = mnt_context_switch_target_ns(cxt);
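Review bot: The ZFS early return in mnt_context_prepare_srcpath() matches only the exact string `zfs`, so a context whose fstype is still unset at this point, or given as `auto` or a type list, appears to fall through to canonicalization as before. If the type is always resolved by the time this function runs, the comment should say so, e.g. `/* ZFS source is always a dataset name, not a path; fstype must already be set here */`. The function continues beyond the hunk, so this is based only on the visible lines.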
diff --git a/debian/patches/upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch b/debian/patches/upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch
new file mode 100644
index 0000000..a30d229
--- /dev/null
+++ b/debian/patches/upstream/libmount-fix-UID-check-for-FUSE-umount-CVE-2021-3995.patch
@@ -0,0 +1,136 @@
+From e9aa48581641cbbed91e4b9597061fa96e57d05b Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 24 Nov 2021 13:53:25 +0100
+Subject: [PATCH 1/2] libmount: fix UID check for FUSE umount [CVE-2021-3995]
+
+Improper UID check allows an unprivileged user to unmount FUSE
+filesystems of users with similar UID.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ include/strutils.h | 2 +-
+ libmount/src/context_umount.c | 14 +++---------
+ libmount/src/mountP.h | 1 +
+ libmount/src/optstr.c | 42 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 47 insertions(+), 12 deletions(-)
+
+diff --git a/include/strutils.h b/include/strutils.h
+index 6e95707ea..a84d29594 100644
+--- a/include/strutils.h
++++ b/include/strutils.h
+@@ -106,8 +106,8 @@ static inline char *mem2strcpy(char *dest, const void *src, size_t n, size_t nma
+ if (n + 1 > nmax)
+ n = nmax - 1;
+
++ memset(dest, '\0', nmax);
+ memcpy(dest, src, n);
+- dest[nmax-1] = '\0';
+ return dest;
+ }
+
+diff --git a/libmount/src/context_umount.c b/libmount/src/context_umount.c
+index 173637a15..8773c65ff 100644
+--- a/libmount/src/context_umount.c
++++ b/libmount/src/context_umount.c
+@@ -453,10 +453,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+ struct libmnt_ns *ns_old;
+ const char *type = mnt_fs_get_fstype(cxt->fs);
+ const char *optstr;
+- char *user_id = NULL;
+- size_t sz;
+- uid_t uid;
+- char uidstr[sizeof(stringify_value(ULONG_MAX))];
++ uid_t uid, entry_uid;
+
+ *errsv = 0;
+
+@@ -473,11 +470,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+ optstr = mnt_fs_get_fs_options(cxt->fs);
+ if (!optstr)
+ return 0;
+-
+- if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0)
+- return 0;
+-
+- if (sz == 0 || user_id == NULL)
++ if (mnt_optstr_get_uid(optstr, "user_id", &entry_uid) != 0)
+ return 0;
+
+ /* get current user */
+@@ -494,8 +487,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+ return 0;
+ }
+
+- snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid);
+- return strncmp(user_id, uidstr, sz) == 0;
++ return uid == entry_uid;
+ }
+
+ /*
+diff --git a/libmount/src/mountP.h b/libmount/src/mountP.h
+index d43a83541..22442ec55 100644
+--- a/libmount/src/mountP.h
++++ b/libmount/src/mountP.h
+@@ -399,6 +399,7 @@ extern const struct libmnt_optmap *mnt_optmap_get_entry(
+ const struct libmnt_optmap **mapent);
+
+ /* optstr.c */
++extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid);
+ extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end);
+ extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next);
+ extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next);
+diff --git a/libmount/src/optstr.c b/libmount/src/optstr.c
+index 921b9318e..16800f571 100644
+--- a/libmount/src/optstr.c
++++ b/libmount/src/optstr.c
+@@ -1076,6 +1076,48 @@ int mnt_optstr_fix_user(char **optstr)
+ return rc;
+ }
+
++/*
++ * Converts value from @optstr addressed by @name to uid.
++ *
++ * Returns: 0 on success, 1 if not found, <0 on error
++ */
++int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)
++{
++ char *value = NULL;
++ size_t valsz = 0;
++ char buf[sizeof(stringify_value(UINT64_MAX))];
++ int rc;
++ uint64_t num;
++
++ assert(optstr);
++ assert(name);
++ assert(uid);
++
++ rc = mnt_optstr_get_option(optstr, name, &value, &valsz);
++ if (rc != 0)
++ goto fail;
++
++ if (valsz > sizeof(buf) - 1) {
++ rc = -ERANGE;
++ goto fail;
++ }
++ mem2strcpy(buf, value, valsz, sizeof(buf));
++
++ rc = ul_strtou64(buf, &num, 10);
++ if (rc != 0)
++ goto fail;
++ if (num > ULONG_MAX || (uid_t) num != num) {
++ rc = -ERANGE;
++ goto fail;
++ }
++ *uid = (uid_t) num;
++
++ return 0;
++fail:
++ DBG(UTILS, ul_debug("failed to convert '%s'= to number [rc=%d]", name, rc));
++ return rc;
++}
++
+ /**
+ * mnt_match_options:
+ * @optstr: options string
+--
+2.31.1
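Review bot: No regression test accompanies this security fix: the embedded diffstat touches only strutils.h, context_umount.c, mountP.h and optstr.c, so nothing pins the case the old `strncmp(user_id, uidstr, sz)` got wrong, where the stored user_id is only a prefix of the caller's UID string. A unit test for mnt_optstr_get_uid() covering an exact match, a prefix-only match, an over-long value and a missing option would keep the numeric comparison from regressing. In the function itself, `rc == 1` (option not found) also goes through `fail:` and is logged as "failed to convert", which is misleading in debug output; `if (rc > 0) return rc;` before the `goto fail` would separate the two cases. The `num > ULONG_MAX` half of the range test appears redundant with `(uid_t) num != num` wherever uid_t is no wider than unsigned long, and a short comment on what each half guards would help.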
diff --git a/debian/patches/upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch b/debian/patches/upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch
new file mode 100644
index 0000000..748dbeb
--- /dev/null
+++ b/debian/patches/upstream/libmount-fix-deleted-suffix-issue-CVE-2021-3996.patch
@@ -0,0 +1,189 @@
+From 823f270e138d1f752f1acf4827847eab97b07a87 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 4 Jan 2022 10:54:20 +0100
+Subject: [PATCH 2/2] libmount: fix (deleted) suffix issue [CVE-2021-3996]
+
+This issue is related to parsing the /proc/self/mountinfo file allows an
+unprivileged user to unmount other user's filesystems that are either
+world-writable themselves or mounted in a world-writable directory.
+
+The support for "(deleted)" is no more necessary as the Linux kernel does
+not use it in /proc/self/mountinfo and /proc/self/mount files anymore.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libmount/src/tab_parse.c | 5 -----
+ tests/expected/findmnt/filter-options | 1 -
+ tests/expected/findmnt/filter-options-nameval-neg | 3 +--
+ tests/expected/findmnt/filter-types-neg | 1 -
+ tests/expected/findmnt/outputs-default | 3 +--
+ tests/expected/findmnt/outputs-force-tree | 3 +--
+ tests/expected/findmnt/outputs-kernel | 3 +--
+ tests/expected/libmount/tabdiff-mount | 1 -
+ tests/expected/libmount/tabdiff-move | 1 -
+ tests/expected/libmount/tabdiff-remount | 1 -
+ tests/expected/libmount/tabdiff-umount | 1 -
+ tests/expected/libmount/tabfiles-parse-mountinfo | 11 -----------
+ tests/expected/libmount/tabfiles-py-parse-mountinfo | 11 -----------
+ tests/ts/findmnt/files/mountinfo | 1 -
+ tests/ts/findmnt/files/mountinfo-nonroot | 1 -
+ tests/ts/libmount/files/mountinfo | 1 -
+ 16 files changed, 4 insertions(+), 44 deletions(-)
+
+--- a/libmount/src/tab_parse.c
++++ b/libmount/src/tab_parse.c
+@@ -225,11 +225,6 @@ static int mnt_parse_mountinfo_line(stru
+ goto fail;
+ }
+
+- /* remove "\040(deleted)" suffix */
+- p = (char *) endswith(fs->target, PATH_DELETED_SUFFIX);
+- if (p && *p)
+- *p = '\0';
+-
+ s = skip_separator(s);
+
+ /* (6) vfs options (fs-independent) */
+--- a/tests/expected/findmnt/filter-options
++++ b/tests/expected/findmnt/filter-options
+@@ -28,5 +28,4 @@ TARGET SOURCE
+ /home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+ /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-/mnt/foo /fooooo bar rw,relatime
+ rc=0
+--- a/tests/expected/findmnt/filter-options-nameval-neg
++++ b/tests/expected/findmnt/filter-options-nameval-neg
+@@ -29,6 +29,5 @@ TARGET SOURCE
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+--- a/tests/expected/findmnt/filter-types-neg
++++ b/tests/expected/findmnt/filter-types-neg
+@@ -28,5 +28,4 @@ TARGET SOURCE
+ /home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+ /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-/mnt/foo /fooooo bar rw,relatime
+ rc=0
+--- a/tests/expected/findmnt/outputs-default
++++ b/tests/expected/findmnt/outputs-default
+@@ -30,6 +30,5 @@ TARGET SOURCE
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+--- a/tests/expected/findmnt/outputs-force-tree
++++ b/tests/expected/findmnt/outputs-force-tree
+@@ -30,6 +30,5 @@ TARGET SOURCE
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+--- a/tests/expected/findmnt/outputs-kernel
++++ b/tests/expected/findmnt/outputs-kernel
+@@ -30,6 +30,5 @@ TARGET SOURCE
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+--- a/tests/expected/libmount/tabdiff-mount
++++ b/tests/expected/libmount/tabdiff-mount
+@@ -1,3 +1,2 @@
+ /dev/mapper/kzak-home on /home/kzak: MOUNTED
+-/fooooo on /mnt/foo: MOUNTED
+ tmpfs on /mnt/test/foo bar: MOUNTED
+--- a/tests/expected/libmount/tabdiff-move
++++ b/tests/expected/libmount/tabdiff-move
+@@ -1,3 +1,2 @@
+ //foo.home/bar/ on /mnt/music: MOVED to /mnt/music
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo bar: UMOUNTED
+--- a/tests/expected/libmount/tabdiff-remount
++++ b/tests/expected/libmount/tabdiff-remount
+@@ -1,4 +1,3 @@
+ /dev/mapper/kzak-home on /home/kzak: REMOUNTED from 'rw,noatime,barrier=1,data=ordered' to 'ro,noatime,barrier=1,data=ordered'
+ //foo.home/bar/ on /mnt/sounds: REMOUNTED from 'rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344' to 'ro,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344'
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo bar: UMOUNTED
+--- a/tests/expected/libmount/tabdiff-umount
++++ b/tests/expected/libmount/tabdiff-umount
+@@ -1,3 +1,2 @@
+ /dev/mapper/kzak-home on /home/kzak: UMOUNTED
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo bar: UMOUNTED
+--- a/tests/expected/libmount/tabfiles-parse-mountinfo
++++ b/tests/expected/libmount/tabfiles-parse-mountinfo
+@@ -351,17 +351,6 @@ id: 47
+ parent: 20
+ devno: 0:38
+ ------ fs:
+-source: /fooooo
+-target: /mnt/foo
+-fstype: bar
+-optstr: rw,relatime
+-VFS-optstr: rw,relatime
+-FS-opstr: rw
+-root: /
+-id: 48
+-parent: 20
+-devno: 0:39
+------- fs:
+ source: tmpfs
+ target: /mnt/test/foo bar
+ fstype: tmpfs
+--- a/tests/expected/libmount/tabfiles-py-parse-mountinfo
++++ b/tests/expected/libmount/tabfiles-py-parse-mountinfo
+@@ -351,17 +351,6 @@ id: 47
+ parent: 20
+ devno: 0:38
+ ------ fs:
+-source: /fooooo
+-target: /mnt/foo
+-fstype: bar
+-optstr: rw,relatime
+-VFS-optstr: rw,relatime
+-FS-opstr: rw
+-root: /
+-id: 48
+-parent: 20
+-devno: 0:39
+------- fs:
+ source: tmpfs
+ target: /mnt/test/foo bar
+ fstype: tmpfs
+--- a/tests/ts/findmnt/files/mountinfo
++++ b/tests/ts/findmnt/files/mountinfo
+@@ -30,4 +30,3 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+--- a/tests/ts/findmnt/files/mountinfo-nonroot
++++ b/tests/ts/findmnt/files/mountinfo-nonroot
+@@ -29,4 +29,3 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+--- a/tests/ts/libmount/files/mountinfo
++++ b/tests/ts/libmount/files/mountinfo
+@@ -30,5 +30,4 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+ 49 20 0:56 / /mnt/test/foo bar rw,relatime shared:323 - tmpfs tmpfs rw
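Review bot: The tests lose their `(deleted)` fixture instead of pinning the new behaviour: every `/mnt/foo\040(deleted)` mountinfo line and its expected output is removed, so nothing checks that mnt_parse_mountinfo_line() now keeps such a target verbatim. Keeping the fixture entry and changing the expected target to the unstripped name would turn the CVE fix into a regression test. With the stripping block gone, `PATH_DELETED_SUFFIX` and possibly the local `p` may be unused in tab_parse.c; their declarations are outside the hunk, so that needs checking against the full file.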
diff --git a/debian/patches/upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch b/debian/patches/upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch
new file mode 100644
index 0000000..f9cd86b
--- /dev/null
+++ b/debian/patches/upstream/upstream_build-sys-do-not-build-plymouth-ctrl.c-w-disabled-pl.patch
@@ -0,0 +1,47 @@
+From: Pino Toscano <toscano.pino@tiscali.it>
+Date: Tue, 17 Nov 2020 11:27:48 +0100
+Subject: [PATCH] build-sys: do not build plymouth-ctrl.c w/ disabled plymouth
+
+Do not build plymouth-ctrl.c in agetty and sulogin in case the plymouth
+support is disabled.
+
+Signed-off-by: Pino Toscano <toscano.pino@tiscali.it>
+---
+ login-utils/Makemodule.am | 6 ++++--
+ term-utils/Makemodule.am | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
+index 3a1c272..37be1c4 100644
+--- a/login-utils/Makemodule.am
++++ b/login-utils/Makemodule.am
+@@ -19,8 +19,10 @@ dist_man_MANS += login-utils/sulogin.8
+ sulogin_SOURCES = \
+ login-utils/sulogin.c \
+ login-utils/sulogin-consoles.c \
+- login-utils/sulogin-consoles.h \
+- lib/plymouth-ctrl.c
++ login-utils/sulogin-consoles.h
++if USE_PLYMOUTH_SUPPORT
++sulogin_SOURCES += lib/plymouth-ctrl.c
++endif
+ sulogin_LDADD = $(LDADD) libcommon.la
+
+ if HAVE_LIBCRYPT
+diff --git a/term-utils/Makemodule.am b/term-utils/Makemodule.am
+index 92df7db..c424dbd 100644
+--- a/term-utils/Makemodule.am
++++ b/term-utils/Makemodule.am
+@@ -42,8 +42,10 @@ endif # BUILD_SCRIPTLIVE
+ if BUILD_AGETTY
+ sbin_PROGRAMS += agetty
+ dist_man_MANS += term-utils/agetty.8
+-agetty_SOURCES = term-utils/agetty.c \
+- lib/plymouth-ctrl.c
++agetty_SOURCES = term-utils/agetty.c
++if USE_PLYMOUTH_SUPPORT
++agetty_SOURCES += lib/plymouth-ctrl.c
++endif
+ agetty_LDADD = $(LDADD) libcommon.la
+ if BSD
+ agetty_LDADD += -lutil
diff --git a/debian/patches/upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch b/debian/patches/upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch
new file mode 100644
index 0000000..1a12f0f
--- /dev/null
+++ b/debian/patches/upstream/upstream_hwclock-do-not-assume-__NR_settimeofday_time32.patch
@@ -0,0 +1,25 @@
+From: Pino Toscano <toscano.pino@tiscali.it>
+Date: Tue, 17 Nov 2020 11:32:45 +0100
+Subject: [PATCH] hwclock: do not assume __NR_settimeofday_time32
+
+Check that __NR_settimeofday_time32 exists before trying to use it as
+syscall number.
+
+Signed-off-by: Pino Toscano <toscano.pino@tiscali.it>
+---
+ sys-utils/hwclock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/hwclock.c b/sys-utils/hwclock.c
+index c1cfbd3..e50432a 100644
+--- a/sys-utils/hwclock.c
++++ b/sys-utils/hwclock.c
+@@ -678,7 +678,7 @@ display_time(struct timeval hwctime)
+ #ifndef SYS_settimeofday
+ # ifdef __NR_settimeofday
+ # define SYS_settimeofday __NR_settimeofday
+-# else
++# elif defined(__NR_settimeofday_time32)
+ # define SYS_settimeofday __NR_settimeofday_time32
+ # endif
+ #endif
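Review bot: With `# else` replaced by `# elif defined(__NR_settimeofday_time32)`, a platform that defines neither syscall number now leaves `SYS_settimeofday` undefined with no diagnostic at this point. Whether the later use is guarded lies outside the hunk; if it is not, the failure simply moves to an undeclared-identifier error further down. A short comment such as `/* may stay undefined: users below must test #ifdef SYS_settimeofday */`, or an explicit `# else` branch with `# error`, would make the intended outcome clear.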