Your message dated Wed, 19 Feb 2025 22:52:03 +0000
with message-id <[email protected]>
and subject line Bug#1098318: fixed in libcap2 1:2.73-4
has caused the Debian Bug report #1098318,
regarding libcap2: CVE-2025-1390
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1098318: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcap2
Version: 1:2.73-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libcap2.

CVE-2025-1390[0]:
| The PAM module pam_cap.so of libcap configuration supports group
| names starting with “@”, during actual parsing, configurations not
| starting with “@” are incorrectly recognized as group names. This
| may result in nonintended users being granted an inherited
| capability set, potentially leading to security risks. Attackers can
| exploit this vulnerability to achieve local privilege escalation on
| systems where /etc/security/capability.conf is used to configure
| user inherited privileges by constructing specific usernames.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-1390
    https://www.cve.org/CVERecord?id=CVE-2025-1390
[1] https://bugzilla.openanolis.cn/show_bug.cgi?id=18804
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
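To make the name confusion in the report above concrete, here is an added illustration (not libcap or pam_cap code) of the intended matching rule for name tokens in /etc/security/capability.conf next to the flawed behaviour as the CVE text describes it; the `struct account` type, the `fixed` flag and all sample logins and groups are constructed for this example, and the real code path is the upstream commit referenced above.

```c
/* Illustration, modelled on the CVE-2025-1390 description, of how names in
 * /etc/security/capability.conf are matched. Not pam_cap's own code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A login and its groups (constructed sample data, NULL-terminated). */
struct account {
    const char *name;
    const char *groups[4];
};

static bool in_group(const struct account *a, const char *group)
{
    for (int i = 0; a->groups[i] != NULL; i++)
        if (strcmp(a->groups[i], group) == 0)
            return true;
    return false;
}

/* Intended semantics for one name token: "*" matches everyone, "@g" matches
 * members of group g, anything else must equal the login name exactly. */
bool entry_matches(const char *entry, const struct account *a, bool fixed)
{
    if (strcmp(entry, "*") == 0)
        return true;
    if (entry[0] == '@')
        return in_group(a, entry + 1);
    if (strcmp(entry, a->name) == 0)
        return true;
    /* Flawed pre-fix behaviour as the CVE text describes it: a token
     * without "@" is also tried as a group name, so a per-user grant
     * reaches every member of a same-named group. */
    return !fixed && in_group(a, entry);
}

/* Apply one config line ("cap_list name [name...]"; "#" starts a comment)
 * to an account: true if that line's capabilities would be granted. */
bool line_grants(const char *line, const struct account *a, bool fixed)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    if (buf[0] == '#' || strtok(buf, " \t\n") == NULL)  /* skip cap list */
        return false;
    for (char *tok = strtok(NULL, " \t\n"); tok; tok = strtok(NULL, " \t\n"))
        if (entry_matches(tok, a, fixed))
            return true;
    return false;
}
```

With `fixed` set to false, a login that merely belongs to a group named like another user inherits that user's entry; with it set to true only the named login and explicit `@group` members match.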
--- Begin Message ---
Source: libcap2
Source-Version: 1:2.73-4
Done: Christian Kastner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcap2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Kastner <[email protected]> (supplier of updated libcap2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 19 Feb 2025 23:17:43 +0100
Source: libcap2
Architecture: source
Version: 1:2.73-4
Distribution: unstable
Urgency: medium
Maintainer: Christian Kastner <[email protected]>
Changed-By: Christian Kastner <[email protected]>
Closes: 1098318
Changes:
 libcap2 (1:2.73-4) unstable; urgency=medium
 .
   * Cherry-pick patch fixing CVE-2025-1390.
     In /etc/security/capability.conf, configurations not starting with "@"
     were incorrectly recognized as group names. (Closes: #1098318)
   * Fix bug number in previous changelog entry



--- End Message ---