Your message dated Tue, 23 May 2023 21:47:47 +0200
with message-id <[email protected]>
and subject line Re: Bug#1036123: [pre-approval] unblock: libcap2/1:2.66-4
has caused the Debian Bug report #1036123,
regarding [pre-approval] unblock: libcap2/1:2.66-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1036123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036123
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libcap2
Please unblock package libcap2
This fixes two minor CVEs for which the fix was published today. The fix
consists of cherry-picking two small patches from upstream.
I'm erring on the side of caution here and asking for pre-approval, as
the issues this fixes were considered to be minor and I'm not sure
whether "CVE" by itself automatically satisfies the threshold for direct
upload.
[ Reason ]
Fix for two security issues.
[ Impact ]
Without this release, users will be left vulnerable to two minor issues.
[ Tests ]
All upstream tests passed, including those requiring root (tested within
a VM).
[ Risks ]
Little to none. The two patches are trivial.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock libcap2/1:2.66-4
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog
--- libcap2-2.66/debian/changelog 2022-12-21 21:19:49.000000000 +0100
+++ libcap2-2.66/debian/changelog 2023-05-15 20:34:57.000000000 +0200
@@ -1,3 +1,9 @@
+libcap2 (1:2.66-4) unstable; urgency=medium
+
+ * Apply upstream patches for CVE-2023-2602, CVE-2023-2603
+
+ -- Christian Kastner <[email protected]> Mon, 15 May 2023 20:34:57 +0200
+
libcap2 (1:2.66-3) unstable; urgency=medium
* Add gcc to autopkgtest for upstream tests.
diff -Nru
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
---
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
1970-01-01 01:00:00.000000000 +0100
+++
libcap2-2.66/debian/patches/Correct-the-check-of-pthread_create-s-return-value.patch
2023-05-15 20:34:57.000000000 +0200
@@ -0,0 +1,39 @@
+From: "Andrew G. Morgan" <[email protected]>
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: Correct the check of pthread_create()'s return value.
+
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+
+Discussion:
+
+ https://stackoverflow.com/a/3581020/14760867
+
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+
+Signed-off-by: Andrew G. Morgan <[email protected]>
+
+Origin: upstream,
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psx/psx.c b/psx/psx.c
+index d9c0485..65eb2aa 100644
+--- a/psx/psx.c
++++ b/psx/psx.c
+@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const
pthread_attr_t *attr,
+ pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
+
+ int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
+- if (ret == -1) {
++ if (ret > 0) {
+ psx_new_state(_PSX_CREATE, _PSX_IDLE);
+ memset(starter, 0, sizeof(*starter));
+ free(starter);
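Review bot: the corrected condition `if (ret > 0)` after the `__real_pthread_create()` call is right per POSIX, which has pthread_create() return 0 on success and a positive errno value on failure and never -1, so the old `ret == -1` branch was dead and the `starter` allocation leaked on every failed thread creation; `if (ret != 0)` would be the more conventional spelling and is equivalent for conforming implementations. The visible context ends at `free(starter);`, a few lines after `pthread_sigmask(SIG_BLOCK, &sigbit, NULL);`, so it is worth confirming in the surrounding function that the failure path still returns `ret` unchanged (callers of the wrapper expect the errno, not -1) and restores the signal mask before returning. The DEP-3 header (`From`, `Date`, `Subject`, `Origin: upstream, <commit url>`) is complete and the audit reference ties the patch to CVE-2023-2602, which is what the changelog entry needs.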
diff -Nru
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
---
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
1970-01-01 01:00:00.000000000 +0100
+++
libcap2-2.66/debian/patches/Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
2023-05-15 20:34:57.000000000 +0200
@@ -0,0 +1,53 @@
+From: "Andrew G. Morgan" <[email protected]>
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+
+Signed-off-by: Andrew G. Morgan <[email protected]>
+
+Origin: upstream,
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c
+index c826e7a..25f9981 100644
+--- a/libcap/cap_alloc.c
++++ b/libcap/cap_alloc.c
+@@ -105,15 +105,17 @@ char *_libcap_strdup(const char *old)
+ errno = EINVAL;
+ return NULL;
+ }
+- len = strlen(old) + 1 + 2*sizeof(__u32);
+- if (len < sizeof(struct _cap_alloc_s)) {
+- len = sizeof(struct _cap_alloc_s);
+- }
+- if ((len & 0xffffffff) != len) {
++
++ len = strlen(old);
++ if ((len & 0x3fffffff) != len) {
+ _cap_debug("len is too long for libcap to manage");
+ errno = EINVAL;
+ return NULL;
+ }
++ len += 1 + 2*sizeof(__u32);
++ if (len < sizeof(struct _cap_alloc_s)) {
++ len = sizeof(struct _cap_alloc_s);
++ }
+
+ raw_data = calloc(1, len);
+ if (raw_data == NULL) {
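Review bot: the reordering inside `_libcap_strdup()` is the substantive part of this hunk and is correct: the old code computed `len = strlen(old) + 1 + 2*sizeof(__u32)`, clamped it to `sizeof(struct _cap_alloc_s)`, and only then tested `(len & 0xffffffff) != len`, a test that is an identity on a 32-bit `size_t` and so rejected nothing, after the addition could already have wrapped for a string close to the type's maximum. The new code masks the raw `strlen(old)` against `0x3fffffff` (1073741823, as the commit message says) before `len += 1 + 2*sizeof(__u32)`, so the sum cannot overflow on any platform and the clamp operates on a sane value. Two small suggestions: give the `0x3fffffff` bound a named constant next to `struct _cap_alloc_s` so its relationship to the two `__u32` header fields is explicit, and have the `_cap_debug("len is too long for libcap to manage")` message state the limit. Since the commit message names `cap_proc_root()` and `cap_launcher_set_chroot()` as the only entry points where this length is user-controlled, the Debian changelog could usefully record that the impact is confined to callers of those two APIs.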
diff -Nru libcap2-2.66/debian/patches/series libcap2-2.66/debian/patches/series
--- libcap2-2.66/debian/patches/series 2022-12-21 21:19:49.000000000 +0100
+++ libcap2-2.66/debian/patches/series 2023-05-15 20:34:57.000000000 +0200
@@ -1,2 +1,4 @@
Hide-private-symbols.patch
Filter-out-PIE-flags-when-building-shared-objects.patch
+Correct-the-check-of-pthread_create-s-return-value.patch
+Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
--- End Message ---
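The two fixes in the debdiff above, rewritten as an added stand-alone C example. This is not libcap or libpsx code, and every name in it (`starter_rec`, `create_fn`, `spawn`, `failing_create`, `leak_check`, `MAX_STR_LEN`, `HDR_BYTES`, `alloc_len_old32`, `alloc_len_new32`) is invented here. Part 1 shows why a `ret == -1` test never fires for `pthread_create()` and leaks the bootstrap record, with the thread-creation primitive injected so the failure can be triggered deterministically; in real use `pthread_create` itself is passed as `create`. Part 2 re-runs the `_libcap_strdup()` length computation in both the old and the new order with `uint32_t` standing in for a 32-bit `size_t`, which is where the old `0xffffffff` check was an identity, and shows the wrapped allocation size the reordering prevents.

```c
/* Added example, not libcap/libpsx code: the two defensive patterns behind
 * the CVE-2023-2602 and CVE-2023-2603 patches, in self-contained form.
 * Every name below is invented for the example. */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ---- 1. pthread_create() signals failure with a positive errno -------- */
/* Bootstrap record handed to the new thread, which frees it (the analogue
 * of libpsx's `starter`).  `freed` lets the caller observe its release. */
struct starter_rec {
    void *(*fn)(void *);
    void *arg;
    int *freed;
};

static void *trampoline(void *p)
{
    struct starter_rec *s = p;
    void *(*fn)(void *) = s->fn;
    void *arg = s->arg;
    *s->freed = 1;
    free(s);
    return fn(arg);
}

/* Same type as pthread_create(), so the real function can be passed; a
 * stand-in lets a test force the failure path deterministically. */
typedef int (*create_fn)(pthread_t *, const pthread_attr_t *,
                         void *(*)(void *), void *);

/* `fixed` selects the hunk's new check (ret != 0: any positive errno) or the
 * old one (ret == -1, which pthread_create() never returns).  On failure no
 * thread exists to free the record, so it must be released here. */
int spawn(create_fn create, pthread_t *t, void *(*fn)(void *), void *arg,
          int *freed, int fixed)
{
    struct starter_rec *s = calloc(1, sizeof *s);
    if (s == NULL)
        return ENOMEM;
    s->fn = fn; s->arg = arg; s->freed = freed;
    *freed = 0;
    int ret = create(t, NULL, trampoline, s);
    int failed = fixed ? (ret != 0) : (ret == -1);
    if (failed) {
        *freed = 1;
        free(s);
    }
    return ret;              /* propagate the errno unchanged */
}

/* Stand-in for pthread_create() on a system out of thread resources. */
int failing_create(pthread_t *t, const pthread_attr_t *a,
                   void *(*fn)(void *), void *arg)
{
    (void)t; (void)a; (void)fn; (void)arg;
    return EAGAIN;
}

/* Reports whether the record was freed (1) or leaked (0) on a failed
 * creation; -1 if the errno was not propagated to the caller. */
int leak_check(int fixed)
{
    pthread_t t;
    int freed = 0;
    int ret = spawn(failing_create, &t, NULL, NULL, &freed, fixed);
    return ret == EAGAIN ? freed : -1;
}

/* ---- 2. Bound the string length before adding header bytes ------------ */
#define MAX_STR_LEN 0x3fffffffu                /* 1073741823, as upstream */
#define HDR_BYTES   (1 + 2 * sizeof(uint32_t)) /* NUL + two __u32 fields  */

/* Old order, uint32_t emulating a 32-bit size_t: header bytes are added
 * before any check, so a length near UINT32_MAX wraps to a tiny value, and
 * masking with 0xffffffff is an identity, so nothing is ever rejected. */
uint32_t alloc_len_old32(uint32_t str_len, uint32_t min_len)
{
    uint32_t len = str_len + (uint32_t)HDR_BYTES;   /* may wrap */
    if (len < min_len)
        len = min_len;
    if ((len & 0xffffffffu) != len)                 /* never true */
        return 0;
    return len;
}

/* New order, as in the patched _libcap_strdup(): reject the raw length
 * first, then add header bytes; the sum cannot overflow.  0 means "too
 * long" (the library sets errno = EINVAL and returns NULL there). */
uint32_t alloc_len_new32(uint32_t str_len, uint32_t min_len)
{
    uint32_t len = str_len;
    if ((len & MAX_STR_LEN) != len)
        return 0;
    len += (uint32_t)HDR_BYTES;
    if (len < min_len)
        len = min_len;
    return len;
}
```

`leak_check(0)` deliberately leaks one record: that is the pre-fix behaviour being demonstrated. With a string length of `0xfffffffc` the old order yields an allocation of only 24 bytes (the clamp minimum) for a copy that needs four gigabytes, while the new order rejects the input outright.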
--- Begin Message ---
Hi,
On 23-05-2023 19:40, Cyril Brulebois wrote:
> CVE fixes in libcap2. Can you ACK (or udeb-unblock)?
No objections.
unblocked.
Paul
--- End Message ---