Version in base suite: 2.66-4 Base version: libcap2_2.66-4 Target version: libcap2_2.66-4+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libc/libcap2/libcap2_2.66-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libc/libcap2/libcap2_2.66-4+deb12u1.dsc
changelog | 8 ++
patches/Add-a-test-for-bad-group-prefix.patch | 26 +++++++++
patches/pam_cap-Fix-potential-configuration-parsing-error.patch | 28 ++++++++++
patches/series | 2
4 files changed, 64 insertions(+)
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog
--- libcap2-2.66/debian/changelog 2023-05-15 18:34:57.000000000 +0000
+++ libcap2-2.66/debian/changelog 2025-03-15 12:43:35.000000000 +0000
@@ -1,3 +1,11 @@
+libcap2 (1:2.66-4+deb12u1) bookworm; urgency=medium
+
+ * Cherry-pick patch fixing CVE-2025-1390.
+ In /etc/security/capability.conf, configurations not starting with "@"
+ were incorrectly recognized as group names. (Closes: #1098318)
+
+ -- Christian Kastner Sat, 15 Mar 2025 13:43:35 +0100
+
 libcap2 (1:2.66-4) unstable; urgency=medium
 
 * Apply upstream patches for CVE-2023-2602, CVE-2023-2603
diff -Nru libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch
--- libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch 1970-01-01 00:00:00.000000000 +0000
+++ libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch 2025-03-15 12:43:35.000000000 +0000
@@ -0,0 +1,26 @@
+From: "Andrew G. Morgan"
+Date: Sun, 16 Feb 2025 20:17:08 -0800
+Subject: Add a test for bad group prefix.
+
+The previous commit fixed a bug with the config parsing in pam_cap.
+This is a test that we don't regress against that fix.
+
+Signed-off-by: Andrew G. Morgan
+---
+ pam_cap/sudotest.conf | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/pam_cap/sudotest.conf b/pam_cap/sudotest.conf
+index ff528ce..b73244d 100644
+--- a/pam_cap/sudotest.conf
++++ b/pam_cap/sudotest.conf
+@@ -10,6 +10,9 @@ cap_setuid,cap_chown @three
+ # neither of these should fire
+ cap_chown beta gamma
+ 
++# just alpha, but the wrong prefix - so should be ignored
++!cap_chown,cap_setgid +one
++
+ # just alpha
+ !cap_chown,cap_setuid @one
+ 
diff -Nru libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch
--- libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch 1970-01-01 00:00:00.000000000 +0000
+++ libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch 2025-03-15 12:43:35.000000000 +0000
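Review bot: The new `!cap_chown,cap_setgid +one` line exercises only a `+` prefix, and whether the harness that consumes sudotest.conf asserts the absence of cap_setgid for the test user is not visible in this hunk; it is worth confirming the driver fails when cap_setgid shows up, rather than only checking that the caps from the `@one` line are present. The comment on the new line could say why the entry must be skipped rather than just that it should be, e.g. `# "+one" is neither a user name nor an "@one" group - must be skipped (regression test for the pam_cap '@' prefix fix)`. The test driver that reads this file is outside the hunk.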
@@ -0,0 +1,28 @@
+From: Tianjia Zhang
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues. Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang
+Signed-off-by: Andrew G. Morgan
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+ 
+ if (line[0] != '@') {
+ D(("user [%s] is not [%s] - skipping", user, line));
++ continue;
+ }
+ 
+ int i;
diff -Nru libcap2-2.66/debian/patches/series libcap2-2.66/debian/patches/series
--- libcap2-2.66/debian/patches/series 2023-05-15 18:34:57.000000000 +0000
+++ libcap2-2.66/debian/patches/series 2025-03-15 12:43:35.000000000 +0000
@@ -2,3 +2,5 @@
 Filter-out-PIE-flags-when-building-shared-objects.patch
 Correct-the-check-of-pthread_create-s-return-value.patch
 Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
+pam_cap-Fix-potential-configuration-parsing-error.patch
+Add-a-test-for-bad-group-prefix.patch
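Review bot: The added `continue;` is the whole fix, but the invariant it creates is not written down: after the `if (line[0] != '@')` block, the code starting at `int i;` now runs only for `@group` entries, and the previous fall-through is exactly what let a non-matching bare name be looked up as a group. A comment just below the closing brace would protect that invariant against the next edit, e.g. `/* only "@group" entries reach this point; a bare name that did not match the user was skipped above */`. The `D()` message `"user [%s] is not [%s] - skipping"` is now truthful, whereas before the patch it reported a skip that did not happen, which is worth noting in a review since it hid the bug in debug output. read_capabilities_for_user begins before this hunk and the group-membership code that consumed the fall-through continues past `int i;`, so only the skip itself is visible here.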