Source: libcap2
Version: 1:2.73-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libcap2.

CVE-2025-1390[0]:
| The PAM module pam_cap.so of libcap configuration supports group
| names starting with “@”, during actual parsing, configurations not
| starting with “@” are incorrectly recognized as group names. This
| may result in nonintended users being granted an inherited
| capability set, potentially leading to security risks. Attackers can
| exploit this vulnerability to achieve local privilege escalation on
| systems where /etc/security/capability.conf is used to configure
| user inherited privileges by constructing specific usernames.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-1390
    https://www.cve.org/CVERecord?id=CVE-2025-1390
[1] https://bugzilla.openanolis.cn/show_bug.cgi?id=18804
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
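An illustrative reconstruction of the bug class described in the CVE text above, added here as an example; it is not the pam_cap.so source and not the upstream fix referenced at [2]. It assumes the vulnerable matcher applied the "@group" membership test, skipping the first character, to every name token in a capability.conf line, so that a user entry such as "alice" also behaved like "@lice" and a locally created account named "lice" inherited alice's capabilities. That mechanism is an assumption consistent with the description, not verified against the upstream commit. The in-memory group database, the account names and the configuration lines are constructed for the example; real pam_cap consults NSS.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the group database (no getgrouplist/NSS here). */
struct account {
    const char *name;
    const char *groups[4];   /* NULL-terminated list of group names */
};

static int in_group(const struct account *a, const char *group)
{
    for (int i = 0; a->groups[i] != NULL; i++)
        if (strcmp(a->groups[i], group) == 0)
            return 1;
    return 0;
}

/* Assumed vulnerable behaviour: after the "*" and exact-user checks, every
 * remaining token is treated as a group name with its first character
 * dropped, whether or not that character is '@'. */
int token_matches_vulnerable(const struct account *a, const char *tok)
{
    if (strcmp(tok, "*") == 0)
        return 1;
    if (strcmp(tok, a->name) == 0)
        return 1;
    return in_group(a, tok + 1);          /* BUG: no tok[0] == '@' check */
}

/* Corrected behaviour: only '@'-prefixed tokens are group names; anything
 * else must equal the user name exactly. */
int token_matches_fixed(const struct account *a, const char *tok)
{
    if (strcmp(tok, "*") == 0)
        return 1;
    if (tok[0] == '@')
        return in_group(a, tok + 1);
    return strcmp(tok, a->name) == 0;
}

/* Returns the capability text of the first "<caps> <name> [<name>...]" line
 * whose name list matches the account, or NULL. '#' starts a comment line.
 * The result is copied into out (outlen bytes). */
const char *caps_for_user(const char *conf, const struct account *a, int fixed,
                          char *out, size_t outlen)
{
    char buf[1024];
    char *line_save, *tok_save;

    strncpy(buf, conf, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (char *line = strtok_r(buf, "\n", &line_save); line != NULL;
         line = strtok_r(NULL, "\n", &line_save)) {
        char *caps = strtok_r(line, " \t", &tok_save);
        if (caps == NULL || caps[0] == '#')
            continue;
        for (char *tok = strtok_r(NULL, " \t", &tok_save); tok != NULL;
             tok = strtok_r(NULL, " \t", &tok_save)) {
            int hit = fixed ? token_matches_fixed(a, tok)
                            : token_matches_vulnerable(a, tok);
            if (hit) {
                snprintf(out, outlen, "%s", caps);
                return out;
            }
        }
    }
    return NULL;
}

/* Constructed sample of /etc/security/capability.conf. */
const char SAMPLE_CONF[] =
    "# constructed sample, not a real configuration\n"
    "cap_net_raw,cap_net_admin   alice\n"
    "cap_sys_time                @timekeepers\n"
    "none                        *\n";

const struct account ALICE   = { "alice",   { "alice", NULL } };
const struct account LICE    = { "lice",    { "lice", NULL } };  /* attacker-chosen name */
const struct account BOB     = { "bob",     { "bob", "timekeepers", NULL } };
const struct account MALLORY = { "mallory", { "mallory", NULL } };

/* 1 if the matcher (fixed or vulnerable) yields exactly `expected` for `a`. */
int has_caps(const struct account *a, int fixed, const char *expected)
{
    char out[128];
    const char *got = caps_for_user(SAMPLE_CONF, a, fixed, out, sizeof out);
    return got != NULL && strcmp(got, expected) == 0;
}

int main(void)
{
    const struct account *users[] = { &ALICE, &LICE, &BOB, &MALLORY };
    char v[128], f[128];
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        const char *vv = caps_for_user(SAMPLE_CONF, users[i], 0, v, sizeof v);
        const char *ff = caps_for_user(SAMPLE_CONF, users[i], 1, f, sizeof f);
        printf("%-8s vulnerable: %-26s fixed: %s\n", users[i]->name,
               vv ? vv : "(none)", ff ? ff : "(none)");
    }
    return 0;
}
```

The point of the comparison is the "lice" row: with the assumed vulnerable matcher the account whose name is the user entry minus its first character, and whose private group carries that same name, receives alice's inheritable set, while the corrected matcher gives it only the "*" default. Group entries written with "@" behave the same under both matchers, which is why a configuration that uses only "@group" lines would not expose the bug.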