Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libc...@packages.debian.org
Control: affects -1 + src:libcap2
[ Reason ]
This cherry-picks a fix + test for CVE-2025-1390, where capability
configurations not starting with "@" were incorrectly recognized as
group names.
In discussion with the Security Team, we agreed that including this fix
in the next point release for bookworm would be sufficient.
[ Impact ]
The package would remain vulnerable if this change is not accepted.
[ Tests ]
This change includes a test for the fix.
I've built and successfully run the tests against bookworm.
[ Risks ]
The fix is trivial (a continue statement was obviously missing in a
branch of the parsing code).
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
This only adds two patches on top of the previous release: one for the
fix, and one for the test.
[ Other info ]
None.
Best,
Christian
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog
--- libcap2-2.66/debian/changelog 2023-05-15 20:34:57.000000000 +0200
+++ libcap2-2.66/debian/changelog 2025-03-15 13:43:35.000000000 +0100
@@ -1,3 +1,11 @@
+libcap2 (1:2.66-4+deb12u1) bookworm; urgency=medium
+
+ * Cherry-pick patch fixing CVE-2025-1390.
+ In /etc/security/capability.conf, configurations not starting with "@"
+ were incorrectly recognized as group names. (Closes: #1098318)
+
+ -- Christian Kastner <c...@debian.org> Sat, 15 Mar 2025 13:43:35 +0100
+
libcap2 (1:2.66-4) unstable; urgency=medium
* Apply upstream patches for CVE-2023-2602, CVE-2023-2603
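Review bot: the changelog entry documents only the fix patch, but this debdiff adds two patches (pam_cap-Fix-potential-configuration-parsing-error.patch and Add-a-test-for-bad-group-prefix.patch), while the [Checklist] states that all changes are documented in d/changelog. Add a second bullet for the test, e.g. " * Cherry-pick upstream test for the above fix.", so the changelog matches the series change.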
diff -Nru libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch
--- libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch 2025-03-15 13:43:35.000000000 +0100
@@ -0,0 +1,26 @@
+From: "Andrew G. Morgan" <mor...@kernel.org>
+Date: Sun, 16 Feb 2025 20:17:08 -0800
+Subject: Add a test for bad group prefix.
+
+The previous commit fixed a bug with the config parsing in pam_cap.
+This is a test that we don't regress against that fix.
+
+Signed-off-by: Andrew G. Morgan <mor...@kernel.org>
+---
+ pam_cap/sudotest.conf | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/pam_cap/sudotest.conf b/pam_cap/sudotest.conf
+index ff528ce..b73244d 100644
+--- a/pam_cap/sudotest.conf
++++ b/pam_cap/sudotest.conf
+@@ -10,6 +10,9 @@ cap_setuid,cap_chown @three
+ # neither of these should fire
+ cap_chown beta gamma
+
++# just alpha, but the wrong prefix - so should be ignored
++!cap_chown,cap_setgid +one
++
+ # just alpha
+ !cap_chown,cap_setuid @one
+
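Review bot: the fixture addition itself is fine (the "+one" line sits with "# just alpha, but the wrong prefix" as a second negative case next to the existing "cap_chown beta gamma" bare-name case), but nothing in this debdiff shows that the Debian build actually executes the pam_cap sudotest that consumes sudotest.conf; the report's "I've built and successfully run the tests" should be confirmed to include that target, otherwise this patch adds coverage that is never exercised at build time.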
diff -Nru libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch
--- libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch 2025-03-15 13:43:35.000000000 +0100
@@ -0,0 +1,28 @@
+From: Tianjia Zhang <tianjia.zh...@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues. Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <tianjia.zh...@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <mor...@kernel.org>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+
+ if (line[0] != '@') {
+ D(("user [%s] is not [%s] - skipping", user, line));
++ continue;
+ }
+
+ int i;
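Review bot: the single added `continue;` is the complete fix and matches the context shown: before it, a line whose first character is not '@' only emitted the D("... - skipping ...") message and then fell through into the group-name handling that starts after `int i;`, so the log said "skipping" while nothing was skipped. A one-line comment above the `if` (e.g. "/* only '@'-prefixed entries are group names */") would make the intent of the branch obvious and help the next reader see why the log message and the control flow must agree.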
diff -Nru libcap2-2.66/debian/patches/series libcap2-2.66/debian/patches/series
--- libcap2-2.66/debian/patches/series 2023-05-15 20:34:57.000000000 +0200
+++ libcap2-2.66/debian/patches/series 2025-03-15 13:43:35.000000000 +0100
@@ -2,3 +2,5 @@
Filter-out-PIE-flags-when-building-shared-objects.patch
Correct-the-check-of-pthread_create-s-return-value.patch
Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
+pam_cap-Fix-potential-configuration-parsing-error.patch
+Add-a-test-for-bad-group-prefix.patch
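Review bot: ordering is correct: the fix patch is listed before the test patch, which matches the upstream commit order described in the test patch ("The previous commit fixed a bug ..."), so the new fixture line is never applied against an unfixed parser.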