(re-sent, this time to the right recipients. Apologies, it's been a long day)
On 2023-05-15 21:15, Salvatore Bonaccorso wrote: >> +libcap2 (1:2.66-4) unstable; urgency=medium >> + >> + * Apply upstream patches for CVE-2023-2602, CVE-2023-2603 >> + >> + -- Christian Kastner <[email protected]> Mon, 15 May 2023 20:34:57 +0200 > > We had I guess a small overlap in bugreporting, can you as well > include bug closer for #1036114 in your upload? Thanks for catching this, Salvatore. Updated debdiff attached. Best, Christian
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog --- libcap2-2.66/debian/changelog 2022-12-21 21:19:49.000000000 +0100 +++ libcap2-2.66/debian/changelog 2023-05-15 20:34:57.000000000 +0200 @@ -1,3 +1,10 @@ +libcap2 (1:2.66-4) unstable; urgency=medium + + * Apply upstream patches for CVE-2023-2602, CVE-2023-2603 + (Closes: #1036114) + + -- Christian Kastner <[email protected]> Mon, 15 May 2023 20:34:57 +0200 + libcap2 (1:2.66-3) unstable; urgency=medium * Add gcc to autopkgtest for upstream tests. diff -Nru libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch --- libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch 2023-05-15 20:34:57.000000000 +0200 @@ -0,0 +1,39 @@ +From: "Andrew G. Morgan" <[email protected]> +Date: Wed, 3 May 2023 19:18:36 -0700 +Subject: Correct the check of pthread_create()'s return value. + +This function returns a positive number (errno) on error, so the code +wasn't previously freeing some memory in this situation. + +Discussion: + + https://stackoverflow.com/a/3581020/14760867 + +Credit for finding this bug in libpsx goes to David Gstir of +X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security +audit of the libcap source code in April of 2023. The audit +was sponsored by the Open Source Technology Improvement Fund +(https://ostif.org/). + +Audit ref: LCAP-CR-23-01 (CVE-2023-2602) + +Signed-off-by: Andrew G. Morgan <[email protected]> + +Origin: upstream, https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb +--- + psx/psx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psx/psx.c b/psx/psx.c +index d9c0485..65eb2aa 100644 +--- a/psx/psx.c ++++ b/psx/psx.c +@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr, + pthread_sigmask(SIG_BLOCK, &sigbit, NULL); + + int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter); +- if (ret == -1) { ++ if (ret > 0) { + psx_new_state(_PSX_CREATE, _PSX_IDLE); + memset(starter, 0, sizeof(*starter)); + free(starter); diff -Nru libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch --- libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch 2023-05-15 20:34:57.000000000 +0200 @@ -0,0 +1,53 @@ +From: "Andrew G. Morgan" <[email protected]> +Date: Wed, 3 May 2023 19:44:22 -0700 +Subject: Large strings can confuse libcap's internal strdup code. + +Avoid something subtle with really long strings: 1073741823 should +be enough for anybody. This is an improved fix over something attempted +in libcap-2.55 to address some static analysis findings. + +Reviewing the library, cap_proc_root() and cap_launcher_set_chroot() +are the only two calls where the library is potentially exposed to a +user controlled string input. + +Credit for finding this bug in libcap goes to Richard Weinberger of +X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit +of the libcap source code in April of 2023. The audit was sponsored +by the Open Source Technology Improvement Fund (https://ostif.org/). + +Audit ref: LCAP-CR-23-02 (CVE-2023-2603) + +Signed-off-by: Andrew G. Morgan <[email protected]> + +Origin: upstream, https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18 +--- + libcap/cap_alloc.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c +index c826e7a..25f9981 100644 +--- a/libcap/cap_alloc.c ++++ b/libcap/cap_alloc.c +@@ -105,15 +105,17 @@ char *_libcap_strdup(const char *old) + errno = EINVAL; + return NULL; + } +- len = strlen(old) + 1 + 2*sizeof(__u32); +- if (len < sizeof(struct _cap_alloc_s)) { +- len = sizeof(struct _cap_alloc_s); +- } +- if ((len & 0xffffffff) != len) { ++ ++ len = strlen(old); ++ if ((len & 0x3fffffff) != len) { + _cap_debug("len is too long for libcap to manage"); + errno = EINVAL; + return NULL; + } ++ len += 1 + 2*sizeof(__u32); ++ if (len < sizeof(struct _cap_alloc_s)) { ++ len = sizeof(struct _cap_alloc_s); ++ } + + raw_data = calloc(1, len); + if (raw_data == NULL) { diff -Nru libcap2-2.66/debian/patches/series libcap2-2.66/debian/patches/series --- libcap2-2.66/debian/patches/series 2022-12-21 21:19:49.000000000 +0100 +++ libcap2-2.66/debian/patches/series 2023-05-15 20:34:57.000000000 +0200 @@ -1,2 +1,4 @@ Hide-private-symbols.patch Filter-out-PIE-flags-when-building-shared-objects.patch +Correct-the-check-of-pthread_create-s-return-value.patch +Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
