diff --git a/backport-Correct-the-check-of-pthread_create-s-return-value.patch b/backport-Correct-the-check-of-pthread_create-s-return-value.patch
deleted file mode 100644
index 867323393dbaafb07b57f026a05dd3ed09a8d08e..0000000000000000000000000000000000000000
--- a/backport-Correct-the-check-of-pthread_create-s-return-value.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001
-From: "Andrew G. Morgan"
-Date: Wed, 3 May 2023 19:18:36 -0700
-Subject: [PATCH] Correct the check of pthread_create()'s return value.
-
-This function returns a positive number (errno) on error, so the code
-wasn't previously freeing some memory in this situation.
-
-Discussion:
-
- https://stackoverflow.com/a/3581020/14760867
-
-Credit for finding this bug in libpsx goes to David Gstir of
-X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
-audit of the libcap source code in April of 2023. The audit
-was sponsored by the Open Source Technology Improvement Fund
-(https://ostif.org/).
-
-Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
-
-Signed-off-by: Andrew G. Morgan
----
- psx/psx.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/psx/psx.c b/psx/psx.c
-index d9c0485..65eb2aa 100644
---- a/psx/psx.c
-+++ b/psx/psx.c
-@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
- pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
-
- int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
-- if (ret == -1) {
-+ if (ret > 0) {
- psx_new_state(_PSX_CREATE, _PSX_IDLE);
- memset(starter, 0, sizeof(*starter));
- free(starter);
---
-2.27.0
-
diff --git a/backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch b/backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
deleted file mode 100644
index 003c30d0c523b1623c294b16733a651b42c5bba0..0000000000000000000000000000000000000000
--- a/backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
-From: "Andrew G. Morgan"
-Date: Wed, 3 May 2023 19:44:22 -0700
-Subject: [PATCH] Large strings can confuse libcap's internal strdup code.
-
-Avoid something subtle with really long strings: 1073741823 should
-be enough for anybody. This is an improved fix over something attempted
-in libcap-2.55 to address some static analysis findings.
-
-Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
-are the only two calls where the library is potentially exposed to a
-user controlled string input.
-
-Credit for finding this bug in libcap goes to Richard Weinberger of
-X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
-of the libcap source code in April of 2023. The audit was sponsored
-by the Open Source Technology Improvement Fund (https://ostif.org/).
-
-Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
-
-Signed-off-by: Andrew G. Morgan
----
- libcap/cap_alloc.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c
-index 59fe503..504abd2 100644
---- a/libcap/cap_alloc.c
-+++ b/libcap/cap_alloc.c
-@@ -106,15 +106,17 @@ __attribute__((visibility ("hidden"))) char *_libcap_strdup(const char *old)
- errno = EINVAL;
- return NULL;
- }
-- len = strlen(old) + 1 + 2*sizeof(__u32);
-- if (len < sizeof(struct _cap_alloc_s)) {
-- len = sizeof(struct _cap_alloc_s);
-- }
-- if ((len & 0xffffffff) != len) {
-+
-+ len = strlen(old);
-+ if ((len & 0x3fffffff) != len) {
- _cap_debug("len is too long for libcap to manage");
- errno = EINVAL;
- return NULL;
- }
-+ len += 1 + 2*sizeof(__u32);
-+ if (len < sizeof(struct _cap_alloc_s)) {
-+ len = sizeof(struct _cap_alloc_s);
-+ }
-
- raw_data = calloc(1, len);
- if (raw_data == NULL) {
---
-2.27.0
-
diff --git a/backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch b/backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
deleted file mode 100644
index cb4cc9658bb009c6d68e1f1ae28eba9e70ba4a76..0000000000000000000000000000000000000000
--- a/backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 917c8b5d3450870b4f25fd4a5a5198faa9de9aeb Mon Sep 17 00:00:00 2001
-From: "Andrew G. Morgan"
-Date: Wed, 3 May 2023 20:12:52 -0700
-Subject: [PATCH] There was a small memory leak in pam_cap.so when libpam
- returned an error.
-
-The function pam_set_data() takes ownership of a memory pointer if
-the call succeeds, but does not take that ownership if the function
-fails. Previously, the failure caused no deferred capability setting and
-a return code PAM_IGNORE. It continues to do that in this case, but no
-longer leaks the allocated iab memory.
-
-This bug was introduced with deferred IAB capability setting support in
-libcap-2.58.
-
-Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH
-(https://x41-dsec.de/) who performed a security audit of the libcap
-source code in April of 2023. The audit was sponsored by the Open
-Source Technology Improvement Fund (https://ostif.org/).
-
-Audit ref: LCAP-CR-23-100
-
-Signed-off-by: Andrew G. Morgan
----
- pam_cap/pam_cap.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
-index 7e8cade..91278dc 100644
---- a/pam_cap/pam_cap.c
-+++ b/pam_cap/pam_cap.c
-@@ -290,7 +290,12 @@ static int set_capabilities(struct pam_cap_s *cs)
-
- if (cs->defer) {
- D(("configured to delay applying IAB"));
-- pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
-+ int ret = pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
-+ if (ret != PAM_SUCCESS) {
-+ D(("unable to cache capabilities for delayed setting: %d", ret));
-+ /* since ok=0, the module will return PAM_IGNORE */
-+ cap_free(iab);
-+ }
- iab = NULL;
- } else if (!cap_iab_set_proc(iab)) {
- D(("able to set the IAB [%s] value", conf_caps));
---
-2.27.0
-
diff --git a/libcap-2.66.tar.gz b/libcap-2.66.tar.gz
deleted file mode 100644
index ec23402f336849795f4fff6a9ec9bf78db489695..0000000000000000000000000000000000000000
Binary files a/libcap-2.66.tar.gz and /dev/null differ
diff --git a/libcap-2.69.tar.gz b/libcap-2.69.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ade15d691788330ded422700cbe7923b4ff33924
Binary files /dev/null and b/libcap-2.69.tar.gz differ
diff --git a/libcap.spec b/libcap.spec
index da7355c72a9cbc3a8f71ff63f9e49dd273dcdd79..ac47e5d7d27d35eed46ef940d0b90124fb640aaf 100644
--- a/libcap.spec
+++ b/libcap.spec
@@ -1,16 +1,13 @@
 Name: libcap
-Version: 2.66
-Release: 3
+Version: 2.69
+Release: 1
 Summary: A library for getting and setting POSIX.1e draft 15 capabilities
 License: GPLv2
 URL: https://sites.google.com/site/fullycapable
 Source0: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
 Patch0: libcap-buildflags.patch
-Patch1: backport-Correct-the-check-of-pthread_create-s-return-value.patch
-Patch2: backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
-Patch3: backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
-Patch4: backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
+Patch1: backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
 BuildRequires: libattr-devel pam-devel perl-interpreter gcc
@@ -55,7 +52,6 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %files
 %defattr(-,root,root)
 %license License
-%doc doc/capability.notes
 %{_libdir}/*.so.*
 %{_sbindir}/*
 %{_libdir}/security/pam_cap.so
@@ -74,6 +70,9 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %{_mandir}/man8/*.gz
 %changelog
+* Thu Jul 20 2023 wangyunjia - 2.69-1
+- update version to 2.69
+
 * Mon Jul 3 2023 wangyunjia - 2.66-3
 - VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build
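Review bot: The first libcap.spec hunk drops Patch1–Patch3, which carried the fixes for CVE-2023-2602 and CVE-2023-2603 and the pam_cap.so leak (audit ref LCAP-CR-23-100), yet the new changelog entry says only `- update version to 2.69`, so the package history no longer records where those fixes went. Presumably upstream 2.69 already contains commits bc6b36682f18, 422bec25ae4a and 917c8b5d3450; that should be confirmed against the new tarball, which this diff shows only as a binary change. I would add a changelog line such as `- drop backported fixes for CVE-2023-2602 and CVE-2023-2603, now included upstream` so that vulnerability tracking by changelog still resolves. The removal of `%doc doc/capability.notes` in the second hunk is also unexplained and deserves a changelog line of its own.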