packages/libcap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!76 [sync] PR-72: fix CVE-2025-1390

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot 2025-03-04 08:25:23 +00:00 committed by Gitee
commit b769ab1e61
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch Normal file
View File

@ -0,0 +1,32 @@
From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date: Mon, 17 Feb 2025 10:31:55 +0800
Subject: [PATCH] pam_cap: Fix potential configuration parsing error
The current configuration parsing does not actually skip user names
that do not start with @, but instead treats the name as a group
name for further parsing, which can result in matching unexpected
capability sets and may trigger potential security issues. Only
names starting with @ should be parsed as group names.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
---
pam_cap/pam_cap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
index 24de329..3ec99bb 100644
--- a/pam_cap/pam_cap.c
+++ b/pam_cap/pam_cap.c
@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
if (line[0] != '@') {
D(("user [%s] is not [%s] - skipping", user, line));
+ continue;
}
int i;
--
2.33.0

7
libcap.spec
View File

@ -1,6 +1,6 @@
Name: libcap Name: libcap
Version: 2.69 Version: 2.69
Release: 3 Release: 4
Summary: A library for getting and setting POSIX.1e draft 15 capabilities Summary: A library for getting and setting POSIX.1e draft 15 capabilities
License: GPLv2 License: GPLv2
URL: https://sites.google.com/site/fullycapable URL: https://sites.google.com/site/fullycapable
@ -11,6 +11,7 @@ Patch1: backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
Patch2: support-specify-cc.patch Patch2: support-specify-cc.patch
Patch3: backport-getpcaps-fix-program-name-in-help-message.patch Patch3: backport-getpcaps-fix-program-name-in-help-message.patch
Patch4: backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch Patch4: backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch
Patch5: backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch
BuildRequires: libattr-devel pam-devel perl-interpreter gcc BuildRequires: libattr-devel pam-devel perl-interpreter gcc
@ -73,12 +74,14 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
%{_mandir}/man8/*.gz %{_mandir}/man8/*.gz
%changelog %changelog
* Tue Mar 04 2025 Linux_zhang <zhangruifang@h-partners.com> - 2.69-4
- fix CVE-2025-1390
* Wed Mar 27 2024 yanglongkang <yanglongkang@h-partners.com> - 2.69-3 * Wed Mar 27 2024 yanglongkang <yanglongkang@h-partners.com> - 2.69-3
- backport upstream patches: - backport upstream patches:
getpcaps: fix program name in help message getpcaps: fix program name in help message
Stop using _pam_overwrite() in pam_cap.c Stop using _pam_overwrite() in pam_cap.c
* Sun Apr 16 2023 jammyjellyfish <jammyjellyfish255@outlook.com> - 2.69-2 * Sun Apr 16 2023 jammyjellyfish <jammyjellyfish255@outlook.com> - 2.69-2
- Support specify CC - Support specify CC