!53 VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build

From: @yunjia_w 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-Guarantee-sufficient-memory-for-scratch-pathname.patch

@@ -0,0 +1,29 @@
+From 9d8eaab7f74cf1d925910901e5181173ab11d14d Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 28 Oct 2020 06:59:36 -0700
+Subject: Guarantee sufficient memory for scratch pathname
+
+Fix a malloc bug with single entry/short PATHs in capsh code for "=="
+support.
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ progs/capsh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/progs/capsh.c b/progs/capsh.c
+index 95c02fd..6bc54bf 100644
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -366,7 +366,7 @@ static char *find_self(const char *arg0)
+     }
+ 
+     parts = strdup(path);
+-    scratch = malloc(1+strlen(path));
++    scratch = malloc(2+strlen(path)+strlen(arg0));
+     if (parts == NULL || scratch == NULL) {
+         fprintf(stderr, "insufficient memory for path building\n");
+ 	exit(1);
+-- 
+cgit 1.2.3-1.el7
+

backport-If-needed-search-PATH-for-capsh-self-execution.patch

@@ -0,0 +1,148 @@
+From 68240b124cc62744a7a412a7afc85b5c56a48e14 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Tue, 27 Oct 2020 14:56:34 -0700
+Subject: If needed search PATH for capsh (==) self-execution.
+
+This addresses the following bug:
+
+  https://bugzilla.kernel.org/show_bug.cgi?id=209873
+
+Namely, the following didn't previously work:
+
+  PATH=/sbin capsh == --print
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ doc/capsh.1        | 14 ++++++++++---
+ progs/capsh.c      | 51 ++++++++++++++++++++++++++++++++++++++++++++--
+ progs/quicktest.sh |  7 +++++++
+ 3 files changed, 67 insertions(+), 5 deletions(-)
+
+diff --git a/doc/capsh.1 b/doc/capsh.1
+index 1e28b59..aee44d5 100644
+--- a/doc/capsh.1
++++ b/doc/capsh.1
+@@ -1,4 +1,4 @@
+-.TH CAPSH 1 "2020-01-07" "libcap 2" "User Commands"
++.TH CAPSH 1 "2020-10-27" "libcap 2" "User Commands"
+ .SH NAME
+ capsh \- capability shell wrapper
+ .SH SYNOPSIS
+@@ -32,7 +32,15 @@ Execute
+ .B capsh
+ again with remaining arguments. Useful for testing
+ .BR exec ()
+-behavior.
++behavior. Note, PATH is searched when the running
++.B capsh
++was found via the shell's PATH searching. If the
++.B exec
++occurs after a
++.BI \-\-chroot= /some/path
++argument the PATH located binary may not be resolve to the same binary
++as that running initially. This behavior is an intented feature as it
++can complete the chroot transition.
+ .TP
+ .BI --caps= cap-set
+ Set the prevailing process capabilities to those specified by
+@@ -165,7 +173,7 @@ header file. The program will list these bits via the
+ .B --print
+ command.
+ .TP
+-.BI --chroot= path
++.BI --chroot= /some/path
+ Execute the
+ .BR chroot (2)
+ system call with the new root-directory (/) equal to
+diff --git a/progs/capsh.c b/progs/capsh.c
+index 68b657d..95c02fd 100644
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -340,6 +340,49 @@ static void arg_change_amb(const char *arg_names, cap_flag_value_t set)
+     free(names);
+ }
+ 
++/*
++ * find_self locates and returns the full pathname of the named binary
++ * that is running. Importantly, it looks in the context of the
++ * prevailing CHROOT. Further, it does not fail over to invoking a
++ * shell if the target binary looks like something other than a
++ * executable. If an executable is not found, the function terminates
++ * the program with an error.
++ */
++static char *find_self(const char *arg0)
++{
++    int i;
++    char *parts, *dir, *scratch;
++    const char *path;
++
++    for (i = strlen(arg0)-1; i >= 0 && arg0[i] != '/'; i--);
++    if (i >= 0) {
++        return strdup(arg0);
++    }
++
++    path = getenv("PATH");
++    if (path == NULL) {
++        fprintf(stderr, "no PATH environment variable found for re-execing\n");
++	exit(1);
++    }
++
++    parts = strdup(path);
++    scratch = malloc(1+strlen(path));
++    if (parts == NULL || scratch == NULL) {
++        fprintf(stderr, "insufficient memory for path building\n");
++	exit(1);
++    }
++
++    for (i=0; (dir = strtok(parts, ":")); parts = NULL) {
++        sprintf(scratch, "%s/%s", dir, arg0);
++	if (access(scratch, X_OK) == 0) {
++            return scratch;
++	}
++    }
++
++    fprintf(stderr, "unable to find executable '%s' in PATH\n", arg0);
++    exit(1);
++}
++
+ int main(int argc, char *argv[], char *envp[])
+ {
+     pid_t child;
+@@ -799,10 +842,14 @@ int main(int argc, char *argv[], char *envp[])
+ 	} else if (!strcmp("--print", argv[i])) {
+ 	    arg_print();
+ 	} else if ((!strcmp("--", argv[i])) || (!strcmp("==", argv[i]))) {
+-	    argv[i] = strdup(argv[i][0] == '-' ? "/bin/bash" : argv[0]);
++           if (argv[i][0] == '=') {
++               argv[i] = find_self(argv[0]);
++           } else {
++               argv[i] = strdup("/bin/bash");
++           }
+ 	    argv[argc] = NULL;
+ 	    execve(argv[i], argv+i, envp);
+-	    fprintf(stderr, "execve /bin/bash failed!\n");
++	    fprintf(stderr, "execve '%s' failed!\n", argv[i]);
+ 	    exit(1);
+ 	} else if (!strncmp("--has-p=", argv[i], 8)) {
+ 	    cap_value_t cap;
+diff --git a/progs/quicktest.sh b/progs/quicktest.sh
+index 96f9929..8ecaccf 100755
+--- a/progs/quicktest.sh
++++ b/progs/quicktest.sh
+@@ -44,6 +44,13 @@ pass_capsh () {
+ 
+ pass_capsh --print
+ 
++# Validate that PATH expansion works
++PATH=$(/bin/pwd)/junk:$(/bin/pwd) capsh == == == --modes
++if [ $? -ne 0 ]; then
++    echo "Failed to execute capsh consecutively for capability manipulation"
++    exit 1
++fi
++
+ # Make a local non-setuid-0 version of capsh and call it privileged
+ cp ./capsh ./privileged && /bin/chmod -s ./privileged
+ if [ $? -ne 0 ]; then
+-- 
+2.27.0
+

backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch

@@ -0,0 +1,57 @@
+From e362c60eb89c923acda7efd4a23ca6d4df1cf965 Mon Sep 17 00:00:00 2001
+From: yunjia_w <yunjia.wang@huawei.com>
+Date: Wed, 31 May 2023 11:34:54 +0800
+Subject: [PATCH] Large strings can confuse libcap's internal strdup
+code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+Signed-off-by: wangyunjia <yunjia.wang@huawei.com>
+
+---
+ libcap/cap_alloc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c
+index 57991a5..0849808 100644
+--- a/libcap/cap_alloc.c
++++ b/libcap/cap_alloc.c
+@@ -76,13 +76,20 @@ cap_t cap_init(void)
+ char *_libcap_strdup(const char *old)
+ {
+     __u32 *raw_data;
++    size_t len;
+ 
+     if (old == NULL) {
+ 	errno = EINVAL;
+ 	return NULL;
+     }
+ 
+-    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
++    len = strlen(old);
++    if ((len & 0x3fffffff) != len) {
++       _cap_debug("len is too long for libcap to manage");
++       errno = EINVAL;
++       return NULL;
++    }
++    raw_data = malloc( sizeof(__u32) + len + 1 );
+     if (raw_data == NULL) {
+ 	errno = ENOMEM;
+ 	return NULL;
+-- 
+2.27.0
+

backport-capsh-better-error-handling-for-integer-parsing.patch

@@ -0,0 +1,141 @@
+From 9c4997d6592e5daf046a6968ac83cf615c51fbe1 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Sat, 6 Nov 2021 08:45:06 -0700
+Subject: [PATCH] capsh: better error handling for integer parsing.
+
+Bug reported by meitingli:
+
+   https://bugzilla.kernel.org/show_bug.cgi?id=214911
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ progs/capsh.c | 49 ++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/progs/capsh.c b/progs/capsh.c
+index 2295359..4f568c3 100644
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -40,6 +40,35 @@
+ 
+ #define MAX_GROUPS       100   /* max number of supplementary groups for user */
+ 
++/* parse a non-negative integer with some error handling */
++static unsigned long nonneg_uint(const char *text, const char *prefix, int *ok)
++{
++    char *remains;
++    unsigned long value;
++    ssize_t len = strlen(text);
++
++    if (len == 0 || *text == '-') {
++	goto fail;
++    }
++    value = strtoul(text, &remains, 0);
++    if (*remains) {
++	goto fail;
++    }
++    if (ok != NULL) {
++	*ok = 1;
++    }
++    return value;
++
++fail:
++    if (ok == NULL) {
++	fprintf(stderr, "%s: want non-negative integer, got \"%s\"\n",
++		prefix, text);
++	exit(1);
++    }
++    *ok = 0;
++    return 0;
++}
++
+ static char *binary(unsigned long value)
+ {
+     static char string[8*sizeof(unsigned long) + 1];
+@@ -667,7 +696,7 @@ int main(int argc, char *argv[], char *envp[])
+ 	    unsigned value;
+ 	    int set;
+ 
+-	    value = strtoul(argv[i]+7, NULL, 0);
++	    value = nonneg_uint(argv[i]+7, "invalid --keep value", NULL);
+ 	    set = prctl(PR_SET_KEEPCAPS, value);
+ 	    if (set < 0) {
+ 		fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n",
+@@ -724,7 +753,7 @@ int main(int argc, char *argv[], char *envp[])
+ 	} else if (!strncmp("--secbits=", argv[i], 10)) {
+ 	    unsigned value;
+ 	    int status;
+-	    value = strtoul(argv[i]+10, NULL, 0);
++	    value = nonneg_uint(argv[i]+10, "invalid --secbits value", NULL);
+ 	    status = cap_set_secbits(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
+@@ -737,8 +766,9 @@ int main(int argc, char *argv[], char *envp[])
+ 		fprintf(stderr, "already forked\n");
+ 		exit(1);
+ 	    }
+-	    value = strtoul(argv[i]+10, NULL, 0);
++	    value = nonneg_uint(argv[i]+10, "invalid --forkfor value", NULL);
+ 	    if (value == 0) {
++		fprintf(stderr, "require non-zero --forkfor value\n");
+ 		goto usage;
+ 	    }
+ 	    child = fork();
+@@ -753,7 +783,8 @@ int main(int argc, char *argv[], char *envp[])
+ 	    pid_t result;
+ 	    unsigned value;
+ 
+-	    value = strtoul(argv[i]+9, NULL, 0);
++	    value = nonneg_uint(argv[i]+9, "invalid --killit signo value",
++				NULL);
+ 	    if (!child) {
+ 		fprintf(stderr, "no forked process to kill\n");
+ 		exit(1);
+@@ -779,7 +810,7 @@ int main(int argc, char *argv[], char *envp[])
+ 	    unsigned value;
+ 	    int status;
+ 
+-	    value = strtoul(argv[i]+6, NULL, 0);
++	    value = nonneg_uint(argv[i]+6, "invalid --uid value", NULL);
+ 	    status = setuid(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "Failed to set uid=%u: %s\n",
+@@ -790,7 +821,7 @@ int main(int argc, char *argv[], char *envp[])
+ 	    unsigned value;
+ 	    int status;
+ 
+-	    value = strtoul(argv[i]+10, NULL, 0);
++	    value = nonneg_uint(argv[i]+10, "invalid --cap-uid value", NULL);
+ 	    status = cap_setuid(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "Failed to cap_setuid(%u): %s\n",
+@@ -801,7 +832,7 @@ int main(int argc, char *argv[], char *envp[])
+ 	    unsigned value;
+ 	    int status;
+ 
+-	    value = strtoul(argv[i]+6, NULL, 0);
++	    value = nonneg_uint(argv[i]+6, "invalid --gid value", NULL);
+ 	    status = setgid(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "Failed to set gid=%u: %s\n",
+@@ -1009,7 +1040,7 @@ int main(int argc, char *argv[], char *envp[])
+ 	} else if (!strncmp("--is-uid=", argv[i], 9)) {
+ 	    unsigned value;
+ 	    uid_t uid;
+-	    value = strtoul(argv[i]+9, NULL, 0);
++	    value = nonneg_uint(argv[i]+9, "invalid --is-uid value", NULL);
+ 	    uid = getuid();
+ 	    if (uid != value) {
+ 		fprintf(stderr, "uid: got=%d, want=%d\n", uid, value);
+@@ -1018,7 +1049,7 @@ int main(int argc, char *argv[], char *envp[])
+ 	} else if (!strncmp("--is-gid=", argv[i], 9)) {
+ 	    unsigned value;
+ 	    gid_t gid;
+-	    value = strtoul(argv[i]+9, NULL, 0);
++	    value = nonneg_uint(argv[i]+9, "invalid --is-gid value", NULL);
+ 	    gid = getgid();
+ 	    if (gid != value) {
+ 		fprintf(stderr, "gid: got=%d, want=%d\n", gid, value);
+-- 
+1.8.3.1
+

backport-getpcaps-catch-PID-parsing-errors.patch

@@ -0,0 +1,54 @@
+From fc804acc078ef03e2c5b3a233f118a537f260ccd Mon Sep 17 00:00:00 2001
+From: Jakub Wilk <jwilk@jwilk.net>
+Date: Thu, 1 Sep 2022 22:23:19 +0200
+Subject: [PATCH] getpcaps: catch PID parsing errors.
+
+Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+conflict:context adaptation
+---
+ progs/getpcaps.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/progs/getpcaps.c b/progs/getpcaps.c
+index 8fce0a3..1e914b2 100644
+--- a/progs/getpcaps.c
++++ b/progs/getpcaps.c
+@@ -39,7 +39,9 @@ int main(int argc, char **argv)
+ 
+     for ( ++argv; --argc > 0; ++argv ) {
+ 	ssize_t length;
++	long lpid;
+ 	int pid;
++	char *endarg;
+ 	cap_t cap_d;
+ 
+ 	if (!strcmp(argv[0], "--help") || !strcmp(argv[0], "--usage")) {
+@@ -62,7 +64,22 @@ int main(int argc, char **argv)
+ 	    continue;
+ 	}
+ 
+-	pid = atoi(argv[0]);
++	errno = 0;
++	lpid = strtol(argv[0], &endarg, 10);
++	if (*endarg != '\0') {
++	    errno = EINVAL;
++	}
++	if (errno == 0) {
++	    if (lpid < 0 || pid != (pid_t) pid)
++		errno = EOVERFLOW;
++	}
++	if (errno != 0) {
++	    fprintf(stderr, "Cannot parse pid %s (%s)\n",
++		    argv[0], strerror(errno));
++	    retval = 1;
++	    continue;
++	}
++	pid = lpid;
+ 
+ 	cap_d = cap_get_pid(pid);
+ 	if (cap_d == NULL) {
+-- 
+2.27.0
+

backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch

@@ -0,0 +1,38 @@
+From 41997af6891658ab511c014e20f7846945c11742 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Mon, 9 Aug 2021 17:32:20 +0800
+Subject: [PATCH] [Backport] libcap: Ensure the XATTR_NAME_CAPS is defined when
+ it is used
+ 
+VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build
+libcap-native in old release, like CentOS release 6.7 (Final), with the blow
+error:
+     cap_file.c: In function ‘cap_get_fd’:
+     cap_file.c:199: error: ‘XATTR_NAME_CAPS’ undeclared (first use in this function)
+     cap_file.c:199: error: (Each undeclared identifier is reported only once
+Reference: http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-support/libcap/files/0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch
+ 
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: lichi <lichi7@huawei.com>
+Signed-off-by: luchangkun <luchangkun@h-partners.com>
+Signed-off-by: huangyaojun <huangyaojun@huawei.com>
+---
+ libcap/cap_file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/libcap/cap_file.c b/libcap/cap_file.c
+index 4178705..1e6a28e 100644
+--- a/libcap/cap_file.c
++++ b/libcap/cap_file.c
+@@ -45,7 +45,7 @@ extern int fremovexattr(int, const char *);
+ 
+ #include "libcap.h"
+ 
+-#ifdef VFS_CAP_U32
++#if defined (VFS_CAP_U32) && defined (XATTR_NAME_CAPS)
+ 
+ #if VFS_CAP_U32 != __CAP_BLKS
+ # error VFS representation of capabilities is not the same size as kernel
+-- 
+2.27.0
+ 

backport-setcap-clean-up-error-handling-of-the-ns-rootid-argument.patch

@@ -0,0 +1,70 @@
+From 8e1e967bc8d99a3233d51f67f6b88620cdff78dc Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Sat, 6 Nov 2021 08:02:20 -0700
+Subject: [PATCH] setcap: clean up error handling of the ns rootid argument.
+
+Bug reported by Artem S. Tashkinov:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=214909
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ progs/setcap.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/progs/setcap.c b/progs/setcap.c
+index 442685d..fe985cd 100644
+--- a/progs/setcap.c
++++ b/progs/setcap.c
+@@ -22,6 +22,35 @@ static void usage(void)
+     exit(1);
+ }
+ 
++/* parse a positive integer with some error handling */
++static unsigned long pos_uint(const char *text, const char *prefix, int *ok)
++{
++    char *remains;
++    unsigned long value;
++    ssize_t len = strlen(text);
++
++    if (len == 0 || *text == '-') {
++       goto fail;
++    }
++    value = strtoul(text, &remains, 0);
++    if (*remains || value == 0) {
++       goto fail;
++    }
++    if (ok != NULL) {
++       *ok = 1;
++    }
++    return value;
++
++fail:
++    if (ok == NULL) {
++       fprintf(stderr, "%s: want positive integer, got \"%s\"\n",
++               prefix, text);
++       exit(1);
++    }
++    *ok = 0;
++    return 0;
++}
++
+ #define MAXCAP  2048
+ 
+ static int read_caps(int quiet, const char *filename, char *buffer)
+@@ -93,11 +122,7 @@ int main(int argc, char **argv)
+ 		exit(1);
+ 	    }
+ 	    --argc;
+-	    rootid = (uid_t) atoi(*++argv);
+-	    if (rootid+1 < 2) {
+-		fprintf(stderr, "invalid rootid!=0 of '%s'", *argv);
+-		exit(1);
+-	    }
++           rootid = (uid_t) pos_uint(*++argv, "bad ns rootid", NULL);
+ 	    continue;
+ 	}
+ 
+-- 
+1.8.3.1
+

libcap.spec

@@ -1,6 +1,6 @@
 Name:     libcap
 Version:  2.32
-Release:  2
+Release:  7
 Summary:  A library for getting and setting POSIX.1e draft 15 capabilities        
 License:  GPLv2
 URL:      https://sites.google.com/site/fullycapable
@@ -8,6 +8,13 @@ Source0:  https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{n
 
 Patch0:   libcap-buildflags.patch
 Patch1:   backport-Avoid-segfaulting-when-the-kernel-is-ahead-of-libcap.patch
+Patch2:   backport-capsh-better-error-handling-for-integer-parsing.patch
+Patch3:   backport-setcap-clean-up-error-handling-of-the-ns-rootid-argument.patch
+Patch4:   backport-If-needed-search-PATH-for-capsh-self-execution.patch
+Patch5:   backport-Guarantee-sufficient-memory-for-scratch-pathname.patch
+Patch6:   backport-getpcaps-catch-PID-parsing-errors.patch
+Patch7:   backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
+Patch8:   backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
 
 BuildRequires: libattr-devel pam-devel perl-interpreter gcc
 
@@ -68,6 +75,30 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %{_mandir}/man8/*.gz
 
 %changelog
+* Mon Jul 3 2023 wangyunjia <yunjia.wang@huawei.com> - 2.32-7
+- VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build
+
+* Wed May 31 2023 wangyunjia <yunjia.wang@huawei.com> - 2.32-6
+- fix CVE-2023-2603
+
+* Thu Feb 16 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 2.32-5
+- backport patch
+  backport getpcaps catch PID parsing errors
+
+* Sat Jan 22 2022 yixiangzhike <yixiangzhike007@163.com> - 2.32-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: If needed search PATH for capsh (==) self-execution
+        Guarantee sufficient memory for scratch pathname
+
+* Mon Nov 8 2021 yixiangzhike <yixiangzhike007@163.com> - 2.32-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: capsh better error handling for integer parsing
+        setcap clean up error handling of the ns rootid argument
+
 * Wed Aug 11 2021 panxiaohe<panxiaohe@huawei.com> - 2.32-2
 - Type:bugfix
 - ID:NA