From 286571f20a74cf604308332268baf3d156ca3443 Mon Sep 17 00:00:00 2001
From: yunjia_w
Date: Wed, 31 May 2023 14:41:42 +0800
Subject: [PATCH] fix CVE-2023-2602/CVE-2023-2603 && fix memory leaks
Signed-off-by: yunjia_w
---
 ...eck-of-pthread_create-s-return-value.patch | 41 ++++++++++++++
 ...n-confuse-libcap-s-internal-strdup-c.patch | 55 +++++++++++++++++++
 ...l-memory-leak-in-pam_cap.so-when-lib.patch | 48 ++++++++++++++++
 libcap.spec | 8 ++-
 4 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 backport-Correct-the-check-of-pthread_create-s-return-value.patch
 create mode 100644 backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
 create mode 100644 backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
diff --git a/backport-Correct-the-check-of-pthread_create-s-return-value.patch b/backport-Correct-the-check-of-pthread_create-s-return-value.patch
new file mode 100644
index 0000000..8673233
--- /dev/null
+++ b/backport-Correct-the-check-of-pthread_create-s-return-value.patch
@@ -0,0 +1,41 @@
+From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan"
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: [PATCH] Correct the check of pthread_create()'s return value.
+
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+
+Discussion:
+
+ https://stackoverflow.com/a/3581020/14760867
+
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+
+Signed-off-by: Andrew G. Morgan
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psx/psx.c b/psx/psx.c
+index d9c0485..65eb2aa 100644
+--- a/psx/psx.c
++++ b/psx/psx.c
+@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
+ pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
+ 
+ int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
+- if (ret == -1) {
++ if (ret > 0) {
+ psx_new_state(_PSX_CREATE, _PSX_IDLE);
+ memset(starter, 0, sizeof(*starter));
+ free(starter);
+-- 
+2.27.0
+
diff --git a/backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch b/backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
new file mode 100644
index 0000000..003c30d
--- /dev/null
+++ b/backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
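Review bot: The new test `if (ret > 0) {` in the nested psx.c hunk is narrower than the contract it checks: pthread_create() is specified to return 0 on success and an error number otherwise, so `if (ret != 0) {` is the form that mirrors the specification and cannot miss a failure report. For the positive errno values actually returned the two tests behave the same, so this is a style point on the backported code rather than a defect. `__wrap_pthread_create` continues outside the hunk, so whether the cleanup branch also propagates `ret` to the caller cannot be confirmed from here.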
@@ -0,0 +1,55 @@
+From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan"
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: [PATCH] Large strings can confuse libcap's internal strdup code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+
+Signed-off-by: Andrew G. Morgan
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c
+index 59fe503..504abd2 100644
+--- a/libcap/cap_alloc.c
++++ b/libcap/cap_alloc.c
+@@ -106,15 +106,17 @@ __attribute__((visibility ("hidden"))) char *_libcap_strdup(const char *old)
+ errno = EINVAL;
+ return NULL;
+ }
+- len = strlen(old) + 1 + 2*sizeof(__u32);
+- if (len < sizeof(struct _cap_alloc_s)) {
+- len = sizeof(struct _cap_alloc_s);
+- }
+- if ((len & 0xffffffff) != len) {
++
++ len = strlen(old);
++ if ((len & 0x3fffffff) != len) {
+ _cap_debug("len is too long for libcap to manage");
+ errno = EINVAL;
+ return NULL;
+ }
++ len += 1 + 2*sizeof(__u32);
++ if (len < sizeof(struct _cap_alloc_s)) {
++ len = sizeof(struct _cap_alloc_s);
++ }
+ 
+ raw_data = calloc(1, len);
+ if (raw_data == NULL) {
+-- 
+2.27.0
+
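Review bot: The new limit check `if ((len & 0x3fffffff) != len) {` in the nested cap_alloc.c hunk carries a bare magic mask; the reason for stopping at 2^30-1 lives only in the commit message, and the old code's `0xffffffff` mask shows how easily that rationale drifts. A one-line comment above it such as `/* refuse strings of 2^30 bytes or more before the header overhead is added; see upstream commit 422bec2 */` keeps the reasoning next to the code in the backported tree. The substance of the fix appears to be the reordering, since the old code tested a value that had already had `1 + 2*sizeof(__u32)` and the minimum-size clamp applied. `_libcap_strdup` continues outside the hunk.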
diff --git a/backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch b/backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
new file mode 100644
index 0000000..cb4cc96
--- /dev/null
+++ b/backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
@@ -0,0 +1,48 @@
+From 917c8b5d3450870b4f25fd4a5a5198faa9de9aeb Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan"
+Date: Wed, 3 May 2023 20:12:52 -0700
+Subject: [PATCH] There was a small memory leak in pam_cap.so when libpam
+ returned an error.
+
+The function pam_set_data() takes ownership of a memory pointer if
+the call succeeds, but does not take that ownership if the function
+fails. Previously, the failure caused no deferred capability setting and
+a return code PAM_IGNORE. It continues to do that in this case, but no
+longer leaks the allocated iab memory.
+
+This bug was introduced with deferred IAB capability setting support in
+libcap-2.58.
+
+Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH
+(https://x41-dsec.de/) who performed a security audit of the libcap
+source code in April of 2023. The audit was sponsored by the Open
+Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-100
+
+Signed-off-by: Andrew G. Morgan
+---
+ pam_cap/pam_cap.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 7e8cade..91278dc 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -290,7 +290,12 @@ static int set_capabilities(struct pam_cap_s *cs)
+ 
+ if (cs->defer) {
+ D(("configured to delay applying IAB"));
+- pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
++ int ret = pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
++ if (ret != PAM_SUCCESS) {
++ D(("unable to cache capabilities for delayed setting: %d", ret));
++ /* since ok=0, the module will return PAM_IGNORE */
++ cap_free(iab);
++ }
+ iab = NULL;
+ } else if (!cap_iab_set_proc(iab)) {
+ D(("able to set the IAB [%s] value", conf_caps));
+-- 
+2.27.0
+
diff --git a/libcap.spec b/libcap.spec
index 21b6324..fee4743 100644
--- a/libcap.spec
+++ b/libcap.spec
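Review bot: The new failure branch in the nested pam_cap.c hunk reports a failed pam_set_data() only through `D(("unable to cache capabilities for delayed setting: %d", ret));`, and D() in this module is, as far as I can tell, a debug-only macro; in an ordinary build a failure here would then silently drop the configured IAB capabilities and return PAM_IGNORE with nothing for an operator to find in the logs. If the module has a non-debug syslog helper, an error-level message with the same text beside the D() call would give that failure a visible trace. The memory handling itself looks right: `cap_free(iab)` on the failure path and the existing `iab = NULL;` afterwards cover both outcomes. `set_capabilities` continues outside the hunk.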
@@ -1,12 +1,15 @@
 Name: libcap
 Version: 2.66
-Release: 1
+Release: 2
 Summary: A library for getting and setting POSIX.1e draft 15 capabilities
 License: GPLv2
 URL: https://sites.google.com/site/fullycapable
 Source0: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
 Patch0: libcap-buildflags.patch
+Patch1: backport-Correct-the-check-of-pthread_create-s-return-value.patch
+Patch2: backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
+Patch3: backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
 BuildRequires: libattr-devel pam-devel perl-interpreter gcc
@@ -70,6 +73,9 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %{_mandir}/man8/*.gz
 %changelog
+* Mon Jan 30 2023 wangyunjia - 2.66-2
+- fix CVE-2023-2602/CVE-2023-2603 && fix memory leaks
+
 * Mon Jan 30 2023 wangyunjia - 2.66-1
 - update version to 2.66
-- 
Gitee
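Review bot: The new %changelog entry `* Mon Jan 30 2023 wangyunjia - 2.66-2` in the second hunk reuses the date of the 2.66-1 entry below it, while this commit is dated Wed, 31 May 2023 and the upstream fixes it backports are dated 3 May 2023, so the line was evidently copied from the previous entry. Packagers and auditors read that date as the day the CVE fix landed, so it should match the commit: `* Wed May 31 2023 wangyunjia - 2.66-2`. Naming the upstream commits (bc6b366, 422bec2, 917c8b5) in the `- fix CVE-2023-2602/CVE-2023-2603 && fix memory leaks` line would also let a reader confirm what the three Patch1-Patch3 files contain without opening them.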