import CS libcap-2.48-10.el9

2025-09-15 12:13:47 +00:00 · 2025-09-15 12:13:47 +00:00 · 0683e26f96
commit 0683e26f96
parent 5825377672
4 changed files with 115 additions and 1 deletions
--- a/SOURCES/libcap-cve-2023-2602.patch
+++ b/SOURCES/libcap-cve-2023-2602.patch
@ -0,0 +1,36 @@
+commit bc6b36682f188020ee4770fae1d41bde5b2c97bb
+Author: Andrew G. Morgan <morgan@kernel.org>
+Date:   Wed May 3 19:18:36 2023 -0700
+
+    Correct the check of pthread_create()'s return value.
+    
+    This function returns a positive number (errno) on error, so the code
+    wasn't previously freeing some memory in this situation.
+    
+    Discussion:
+    
+      https://stackoverflow.com/a/3581020/14760867
+    
+    Credit for finding this bug in libpsx goes to David Gstir of
+    X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+    audit of the libcap source code in April of 2023. The audit
+    was sponsored by the Open Source Technology Improvement Fund
+    (https://ostif.org/).
+    
+    Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+    
+    Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+diff --git a/psx/psx.c b/psx/psx.c
+index d9c0485..65eb2aa 100644
+--- a/psx/psx.c
+++ b/psx/psx.c
+@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
+     pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
+ 
+     int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
+-    if (ret == -1) {
+    if (ret > 0) {
+ 	psx_new_state(_PSX_CREATE, _PSX_IDLE);
+ 	memset(starter, 0, sizeof(*starter));
+ 	free(starter);
--- a/SOURCES/libcap-cve-2023-2603.patch
+++ b/SOURCES/libcap-cve-2023-2603.patch
@ -0,0 +1,18 @@
+--- a/libcap/cap_alloc.c	2023-06-26 18:42:42.295817583 +0200
+++ b/libcap/cap_alloc.c	2023-06-26 18:40:32.485375859 +0200
+@@ -82,7 +82,14 @@
+ 	return NULL;
+     }
+ 
+-    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
+    size_t len = strlen(old);
+    if ((len & 0x3fffffff) != len) {
+	_cap_debug("len is too long for libcap to manage");
+	errno = EINVAL;
+	return NULL;
+    }
+    len += 1 + sizeof(__u32);
+    raw_data = calloc(1, len);
+     if (raw_data == NULL) {
+ 	errno = ENOMEM;
+ 	return NULL;
--- a/SOURCES/libcap-fix-typo-cap-from-text.patch
+++ b/SOURCES/libcap-fix-typo-cap-from-text.patch
@ -0,0 +1,47 @@
+From 60ff008d95584cc18701e98ed3cc4fa3d6cef9cb Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Thu, 22 Sep 2022 06:54:37 -0700
+Subject: Fix typos in the cap_from_text.3 man page.
+
+This addresses this bug reported by Paulo Andrade (thanks!):
+
+  https://bugzilla.kernel.org/show_bug.cgi?id=216514
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ doc/cap_from_text.3 | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/doc/cap_from_text.3 b/doc/cap_from_text.3
+index 9370e26..a0c9282 100644
+--- a/doc/cap_from_text.3
+++ b/doc/cap_from_text.3
+@@ -10,7 +10,7 @@ state textual representation translation
+ #include <sys/capability.h>
+ 
+ cap_t cap_from_text(const char* buf_p );
+-char *cap_to_text(cap_t caps, ssize_t * length_p);
+char *cap_to_text(cap_t caps, ssize_t * len_p);
+ int cap_from_name(const char* name , cap_value_t* cap_p);
+ char *cap_to_name(cap_value_t cap);
+ .fi
+@@ -46,7 +46,7 @@ is both set and cleared within a single clause.
+ .PP
+ .BR cap_to_text ()
+ converts the capability state in working storage identified by
+-.I cap_p
+.I caps
+ into a nul-terminated human-readable string.  This function allocates
+ any memory necessary to contain the string, and returns a pointer to
+ the string.  If the pointer
+@@ -56,7 +56,7 @@ the function shall also return the full length of the string (not including
+ the nul terminator) in the location pointed to by
+ .IR len_p .
+ The capability state in working storage, identified by
+-.IR cap_p ,
+.IR caps ,
+ is completely represented in the character string.
+ When the capability state in working storage is no longer required,
+ the caller should free any releasable memory by calling
+-- 
+cgit 1.2.3-korg
--- a/SPECS/libcap.spec
+++ b/SPECS/libcap.spec
@ -1,6 +1,6 @@
 Name: libcap
 Version: 2.48
-Release: 8%{?dist}
+Release: 10%{?dist}
 Summary: Library for getting and setting POSIX.1e capabilities
 URL: https://sites.google.com/site/fullycapable/
 License: BSD or GPLv2
@ -12,6 +12,9 @@ Patch2: libcap-static-analysis-fix-2.patch
 Patch3: libcap-static-analysis-fix-3.patch
 Patch4: libcap-disable-golang.patch
 Patch5: libcap-fix-ambient-caps.patch
+Patch6: libcap-cve-2023-2603.patch
+Patch7: libcap-cve-2023-2602.patch
+Patch8: libcap-fix-typo-cap-from-text.patch

 BuildRequires: libattr-devel pam-devel perl-interpreter gcc
 BuildRequires: make
@ -88,6 +91,16 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*


 %changelog
+* Thu Jul 03 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-10
+- Fix typos in the cap_from_text.3 man page
+  Resolves: RHEL-1838
+
+* Wed Jul 12 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-9
+- Fix integer overflow in _libcap_strdup() (CVE-2023-2603)
+  Resolves: rhbz#2210638
+- Correctly check pthread_create() return value to avoid memory leak (CVE-2023-2602)
+  Resolves: rhbz#2222198
+
 * Fri Jan 28 2022 Zoltan Fridrich <zfridric@redhat.com> - 2.48-8
 - Fix ambient capabilities for non-root users
  Related: rhbz#2037215