packages/libcap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-2603

Browse Source 
Signed-off-by: yunjia_w <yunjia.wang@huawei.com>
This commit is contained in:
yunjia_w 2023-05-31 14:28:27 +08:00
parent 7b3d169ca8
commit e06bd3cb36
2 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch Normal file
View File

@ -0,0 +1,57 @@
From e362c60eb89c923acda7efd4a23ca6d4df1cf965 Mon Sep 17 00:00:00 2001
From: yunjia_w <yunjia.wang@huawei.com>
Date: Wed, 31 May 2023 11:34:54 +0800
Subject: [PATCH] Large strings can confuse libcap's internal strdup
code.
Avoid something subtle with really long strings: 1073741823 should
be enough for anybody. This is an improved fix over something attempted
in libcap-2.55 to address some static analysis findings.
Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
are the only two calls where the library is potentially exposed to a
user controlled string input.
Credit for finding this bug in libcap goes to Richard Weinberger of
X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
of the libcap source code in April of 2023. The audit was sponsored
by the Open Source Technology Improvement Fund (https://ostif.org/).
Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: wangyunjia <yunjia.wang@huawei.com>
---
libcap/cap_alloc.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c
index 57991a5..0849808 100644
--- a/libcap/cap_alloc.c
+++ b/libcap/cap_alloc.c
@@ -76,13 +76,20 @@ cap_t cap_init(void)
char *_libcap_strdup(const char *old)
{
__u32 *raw_data;
+ size_t len;
if (old == NULL) {
errno = EINVAL;
return NULL;
}
- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
+ len = strlen(old);
+ if ((len & 0x3fffffff) != len) {
+ _cap_debug("len is too long for libcap to manage");
+ errno = EINVAL;
+ return NULL;
+ }
+ raw_data = malloc( sizeof(__u32) + len + 1 );
if (raw_data == NULL) {
errno = ENOMEM;
return NULL;
--
2.27.0

6
libcap.spec
View File

@ -1,6 +1,6 @@
Name: libcap
Version: 2.32
Release: 5
Release: 6
Summary: A library for getting and setting POSIX.1e draft 15 capabilities
License: GPLv2
URL: https://sites.google.com/site/fullycapable
@ -13,6 +13,7 @@ Patch3: backport-setcap-clean-up-error-handling-of-the-ns-rootid-argument.patc
Patch4: backport-If-needed-search-PATH-for-capsh-self-execution.patch
Patch5: backport-Guarantee-sufficient-memory-for-scratch-pathname.patch
Patch6: backport-getpcaps-catch-PID-parsing-errors.patch
Patch7: backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
BuildRequires: libattr-devel pam-devel perl-interpreter gcc
@ -73,6 +74,9 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
%{_mandir}/man8/*.gz
%changelog
* Wed May 31 2023 wangyunjia <yunjia.wang@huawei.com> - 2.32-6
- fix CVE-2023-2603
* Thu Feb 16 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 2.32-5
- backport patch
backport getpcaps catch PID parsing errors