Bug#1036123: marked as done ([pre-approval] unblock: libcap2/1:2.66-4)



Your message dated Tue, 23 May 2023 21:47:47 +0200
with message-id <983f050d-f27d-29cb-4355-37336f6bcfea@debian.org>
and subject line Re: Bug#1036123: [pre-approval] unblock: libcap2/1:2.66-4
has caused the Debian Bug report #1036123,
regarding [pre-approval] unblock: libcap2/1:2.66-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036123
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libcap2@packages.debian.org
Control: affects -1 + src:libcap2

Please unblock package libcap2

This fixes two minor CVEs for which the fix was published today. The fix
consists of cherry-picking two small patches from upstream.

I'm erring on the side of caution here and asking for pre-approval, as
the issues this fixes were considered to be minor and I'm not sure
whether "CVE" by itself automatically satisfies the threshold for direct
upload.

[ Reason ]
Fix for two security issues.

[ Impact ]
Without this release, users will be left vulnerable to two minor issues.

[ Tests ]
All upstream tests passed, including those requiring root (tested within
a VM).

[ Risks ]
Little to none. The two patches are trivial.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock libcap2/1:2.66-4
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog
--- libcap2-2.66/debian/changelog	2022-12-21 21:19:49.000000000 +0100
+++ libcap2-2.66/debian/changelog	2023-05-15 20:34:57.000000000 +0200
@@ -1,3 +1,9 @@
+libcap2 (1:2.66-4) unstable; urgency=medium
+
+  * Apply upstream patches for CVE-2023-2602, CVE-2023-2603
+
+ -- Christian Kastner <ckk@debian.org>  Mon, 15 May 2023 20:34:57 +0200
+
 libcap2 (1:2.66-3) unstable; urgency=medium
 
   * Add gcc to autopkgtest for upstream tests.
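Review bot: the new changelog entry names CVE-2023-2602 and CVE-2023-2603 but carries no `Closes:` reference; if the security team has filed BTS bugs for these CVEs against libcap2, adding `(Closes: #NNNNNN)` (placeholder) to the bullet lets the upload close them automatically and keeps the tracker in sync with the fix.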
diff -Nru libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
--- libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch	2023-05-15 20:34:57.000000000 +0200
@@ -0,0 +1,39 @@
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: Correct the check of pthread_create()'s return value.
+
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+
+Discussion:
+
+  https://stackoverflow.com/a/3581020/14760867
+
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Origin: upstream, https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psx/psx.c b/psx/psx.c
+index d9c0485..65eb2aa 100644
+--- a/psx/psx.c
++++ b/psx/psx.c
+@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
+     pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
+ 
+     int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
+-    if (ret == -1) {
++    if (ret > 0) {
+ 	psx_new_state(_PSX_CREATE, _PSX_IDLE);
+ 	memset(starter, 0, sizeof(*starter));
+ 	free(starter);
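Review bot: the corrected condition `if (ret > 0)` in `__wrap_pthread_create()` is right but narrower than necessary; since `pthread_create()` returns 0 on success and a positive errno on failure, `if (ret != 0)` expresses the same intent and also covers any non-conforming negative return, so the cleanup path (`psx_new_state(_PSX_CREATE, _PSX_IDLE)`, zeroing and freeing `starter`) is never skipped. The previous `ret == -1` could never match, which is exactly why `starter` leaked on every failed thread creation as the description notes.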
diff -Nru libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
--- libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch	2023-05-15 20:34:57.000000000 +0200
@@ -0,0 +1,53 @@
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Origin: upstream, https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c
+index c826e7a..25f9981 100644
+--- a/libcap/cap_alloc.c
++++ b/libcap/cap_alloc.c
+@@ -105,15 +105,17 @@ char *_libcap_strdup(const char *old)
+ 	errno = EINVAL;
+ 	return NULL;
+     }
+-    len = strlen(old) + 1 + 2*sizeof(__u32);
+-    if (len < sizeof(struct _cap_alloc_s)) {
+-	len = sizeof(struct _cap_alloc_s);
+-    }
+-    if ((len & 0xffffffff) != len) {
++
++    len = strlen(old);
++    if ((len & 0x3fffffff) != len) {
+ 	_cap_debug("len is too long for libcap to manage");
+ 	errno = EINVAL;
+ 	return NULL;
+     }
++    len += 1 + 2*sizeof(__u32);
++    if (len < sizeof(struct _cap_alloc_s)) {
++	len = sizeof(struct _cap_alloc_s);
++    }
+ 
+     raw_data = calloc(1, len);
+     if (raw_data == NULL) {
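Review bot: the effective part of this hunk in `_libcap_strdup()` is the reordering, and it deserves a comment in the code rather than only in the commit message. In the old order `len = strlen(old) + 1 + 2*sizeof(__u32)` was computed before the check, so on a 32-bit `size_t` the addition could wrap before `(len & 0xffffffff) != len` ran, and that mask is a no-op on such platforms anyway. Checking `strlen(old)` first against `0x3fffffff` bounds it to 30 bits, so the later `len += 1 + 2*sizeof(__u32)` and the `sizeof(struct _cap_alloc_s)` floor cannot overflow on any platform; a one-line comment above the mask stating that 1073741823 was chosen to leave headroom for the header would save the next reader from re-deriving this.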
diff -Nru libcap2-2.66/debian/patches/series libcap2-2.66/debian/patches/series
--- libcap2-2.66/debian/patches/series	2022-12-21 21:19:49.000000000 +0100
+++ libcap2-2.66/debian/patches/series	2023-05-15 20:34:57.000000000 +0200
@@ -1,2 +1,4 @@
 Hide-private-symbols.patch
 Filter-out-PIE-flags-when-building-shared-objects.patch
+Correct-the-check-of-pthread_create-s-return-value.patch
+Large-strings-can-confuse-libcap-s-internal-strdup-code.patch

--- End Message ---
--- Begin Message ---
Hi,

On 23-05-2023 19:40, Cyril Brulebois wrote:
> CVE fixes in libcap2. Can you ACK (or udeb-unblock)?

No objections.

unblocked.

Paul

--- End Message ---