
Bug#1100611: marked as done (bookworm-pu: package libcap2/2.66-4+deb12u1)



Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <E1uGDzR-005KHX-RC@coccia.debian.org>
and subject line Close 1100611
has caused the Debian Bug report #1100611,
regarding bookworm-pu: package libcap2/2.66-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1100611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100611
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libcap2@packages.debian.org
Control: affects -1 + src:libcap2

[ Reason ]

This cherry-picks a fix + test for CVE-2025-1390, where capability
configurations not starting with "@" were incorrectly recognized as
group names.

In discussion with the Security Team, we agreed that including this fix
in the next point release for bookworm would be sufficient.

[ Impact ]

The package would remain vulnerable if this change is not accepted.

[ Tests ]

This change includes a test for the fix.

I've built and successfully run the tests against bookworm.

[ Risks ]

The fix is trivial (a continue statement was obviously missing in a
branch of the parsing code).

[ Checklist ]

  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]

This only adds two patches on top of the previous release: one for the
fix, and one for the test.

[ Other info ]

None.

Best,
Christian
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog
--- libcap2-2.66/debian/changelog	2023-05-15 20:34:57.000000000 +0200
+++ libcap2-2.66/debian/changelog	2025-03-15 13:43:35.000000000 +0100
@@ -1,3 +1,11 @@
+libcap2 (1:2.66-4+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick patch fixing CVE-2025-1390.
+    In /etc/security/capability.conf, configurations not starting with "@"
+    were incorrectly recognized as group names. (Closes: #1098318)
+
+ -- Christian Kastner <ckk@debian.org>  Sat, 15 Mar 2025 13:43:35 +0100
+
 libcap2 (1:2.66-4) unstable; urgency=medium
 
   * Apply upstream patches for CVE-2023-2602, CVE-2023-2603
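Review bot: the changelog entry documents only the CVE fix, while the debdiff also adds Add-a-test-for-bad-group-prefix.patch; since the checklist claims *all* changes are documented in d/changelog, add a second bullet under the same entry, for example `* Cherry-pick upstream regression test for the bad group prefix case.` The target distribution (bookworm), the `+deb12u1` version and the `Closes: #1098318` reference are consistent with a stable update.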
diff -Nru libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch
--- libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch	2025-03-15 13:43:35.000000000 +0100
@@ -0,0 +1,26 @@
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Sun, 16 Feb 2025 20:17:08 -0800
+Subject: Add a test for bad group prefix.
+
+The previous commit fixed a bug with the config parsing in pam_cap.
+This is a test that we don't regress against that fix.
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ pam_cap/sudotest.conf | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/pam_cap/sudotest.conf b/pam_cap/sudotest.conf
+index ff528ce..b73244d 100644
+--- a/pam_cap/sudotest.conf
++++ b/pam_cap/sudotest.conf
+@@ -10,6 +10,9 @@ cap_setuid,cap_chown               @three
+ # neither of these should fire
+ cap_chown                          beta gamma
+ 
++# just alpha, but the wrong prefix - so should be ignored
++!cap_chown,cap_setgid              +one
++
+ # just alpha
+ !cap_chown,cap_setuid              @one
+ 
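Review bot: the hunk adds only the configuration line `!cap_chown,cap_setgid +one` and a comment that it should be ignored; nothing in this patch itself asserts that user `one` ends up without cap_setgid, so the regression coverage depends entirely on how the existing sudotest harness evaluates sudotest.conf. Naming the test target that consumes this file in the patch description would let a reviewer reproduce the "built and successfully run the tests" claim from the request. Using a distinct capability (cap_setgid here, cap_setuid on the legitimate `@one` line below) is a good choice: a wrong match shows up as an unexpected capability rather than as a duplicate of the correct one.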
diff -Nru libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch
--- libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch	2025-03-15 13:43:35.000000000 +0100
@@ -0,0 +1,28 @@
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues.  Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+ 
+ 	    if (line[0] != '@') {
+ 		D(("user [%s] is not [%s] - skipping", user, line));
++		continue;
+ 	    }
+ 
+ 	    int i;
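Review bot: the one-line `continue;` is the right fix; the D() message already says "skipping", but without it control fell through to the group comparison that starts after `int i;`, which is exactly the misparse of non-`@` names as group names that the description reports. Both cherry-picked patches carry only git headers; adding DEP-3 fields (`Origin: upstream, <commit URL>` and `Bug-Debian: https://bugs.debian.org/1098318`) would make them traceable without going through the changelog.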
diff -Nru libcap2-2.66/debian/patches/series libcap2-2.66/debian/patches/series
--- libcap2-2.66/debian/patches/series	2023-05-15 20:34:57.000000000 +0200
+++ libcap2-2.66/debian/patches/series	2025-03-15 13:43:35.000000000 +0100
@@ -2,3 +2,5 @@
 Filter-out-PIE-flags-when-building-shared-objects.patch
 Correct-the-check-of-pthread_create-s-return-value.patch
 Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
+pam_cap-Fix-potential-configuration-parsing-error.patch
+Add-a-test-for-bad-group-prefix.patch
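Review bot: the ordering in series is correct, the parsing fix precedes the test patch, as that patch's own description ("The previous commit fixed a bug") requires; no change needed here.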

--- End Message ---
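The parsing defect the request describes, reduced to a self-contained C model. This is an added illustration, not pam_cap's code: it assumes a simplified line format `<caps> <name ...>`, that a `@name` token is matched against the user's group list, and that the pre-fix parser compared the remainder of any non-`@` token after its first character against group names (the debdiff's commit message only says such names were treated as group names for further parsing). The `strict` flag stands for the `continue` the patch adds; the sample configuration and the user are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the CVE-2025-1390 parsing defect. Not pam_cap's
 * code: a simplified model of how a capability.conf-style line is matched
 * against a user and that user's groups. */

#define CONF_LINE_MAX 256

/* Constructed sample in the layout of the test file from the debdiff. */
static const char *const SAMPLE_CONF =
    "# constructed sample, not the page's sudotest.conf\n"
    "cap_chown                          beta gamma\n"
    "!cap_chown,cap_setgid              +one\n"
    "!cap_chown,cap_setuid              @one\n";

/* Constructed user: "alice" is a member of group "one" only. */
static const char *const ALICE_GROUPS[] = { "one" };

static char *copy_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL)
        memcpy(d, s, n);
    return d;
}

static int in_group(const char *name, const char *const *groups, size_t ngroups) {
    for (size_t i = 0; i < ngroups; i++)
        if (strcmp(name, groups[i]) == 0)
            return 1;
    return 0;
}

/* Decide whether one name token applies to the user.
 * strict=1: the fixed parser; a token that is neither the user nor "@group"
 *           is skipped (the 'continue' added by the patch).
 * strict=0: the pre-fix behaviour as modelled here (assumption): the token
 *           falls through and its remainder after the first character is
 *           looked up as a group name, so "+one" behaves like "@one". */
static int token_applies(const char *tok, const char *user,
                         const char *const *groups, size_t ngroups, int strict) {
    if (strcmp(tok, user) == 0)
        return 1;
    if (tok[0] != '@' && strict)
        return 0;
    return in_group(tok + 1, groups, ngroups);
}

/* Return a malloc'd copy of the capability spec on the first line whose name
 * list applies to the user, or NULL if no line matches. */
char *caps_for_user(const char *conf, const char *user,
                    const char *const *groups, size_t ngroups, int strict) {
    const char *p = conf;
    char line[CONF_LINE_MAX];

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        char *s = line;
        while (*s == ' ' || *s == '\t')
            s++;
        if (*s == '\0' || *s == '#')   /* blank line or comment */
            continue;

        char *caps = strtok(s, " \t");
        if (caps == NULL)
            continue;
        for (char *tok = strtok(NULL, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
            if (token_applies(tok, user, groups, ngroups, strict))
                return copy_string(caps);
        }
    }
    return NULL;
}

int main(void) {
    char *fixed = caps_for_user(SAMPLE_CONF, "alice", ALICE_GROUPS, 1, 1);
    char *old   = caps_for_user(SAMPLE_CONF, "alice", ALICE_GROUPS, 1, 0);
    printf("fixed parser : %s\n", fixed ? fixed : "(none)");
    printf("pre-fix model: %s\n", old ? old : "(none)");
    free(fixed);
    free(old);
    return 0;
}
```

With the fixed behaviour, alice receives the `@one` entry (`!cap_chown,cap_setuid`); under the pre-fix model the earlier `+one` line wins and she is handed `!cap_chown,cap_setgid`, a capability set the administrator never assigned to her group. That is the "matching unexpected capability sets" the upstream commit message warns about, and the reason the regression test deliberately uses a capability that differs from the legitimate entry.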
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---