From 84f1bf35b184546d308fdc499bb39ff3586feaab Mon Sep 17 00:00:00 2001
From: eabdullin <eabdullin@almalinux.org>
Date: Tue, 8 Aug 2023 12:31:55 +0000
Subject: [PATCH] import UBI libcap-2.48-5.el8_8

---
 SOURCES/libcap-cve-2023-2602.patch | 36 ++++++++++++++++++++++++++++++
 SOURCES/libcap-cve-2023-2603.patch | 18 +++++++++++++++
 SPECS/libcap.spec                  | 10 ++++++++-
 3 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/libcap-cve-2023-2602.patch
 create mode 100644 SOURCES/libcap-cve-2023-2603.patch

diff --git a/SOURCES/libcap-cve-2023-2602.patch b/SOURCES/libcap-cve-2023-2602.patch
new file mode 100644
index 0000000..be940cb
--- /dev/null
+++ b/SOURCES/libcap-cve-2023-2602.patch
@@ -0,0 +1,36 @@
+commit bc6b36682f188020ee4770fae1d41bde5b2c97bb
+Author: Andrew G. Morgan <morgan@kernel.org>
+Date:   Wed May 3 19:18:36 2023 -0700
+
+    Correct the check of pthread_create()'s return value.
+    
+    This function returns a positive number (errno) on error, so the code
+    wasn't previously freeing some memory in this situation.
+    
+    Discussion:
+    
+      https://stackoverflow.com/a/3581020/14760867
+    
+    Credit for finding this bug in libpsx goes to David Gstir of
+    X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+    audit of the libcap source code in April of 2023. The audit
+    was sponsored by the Open Source Technology Improvement Fund
+    (https://ostif.org/).
+    
+    Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+    
+    Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+diff --git a/psx/psx.c b/psx/psx.c
+index d9c0485..65eb2aa 100644
+--- a/psx/psx.c
++++ b/psx/psx.c
+@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
+     pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
+ 
+     int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
+-    if (ret == -1) {
++    if (ret > 0) {
+ 	psx_new_state(_PSX_CREATE, _PSX_IDLE);
+ 	memset(starter, 0, sizeof(*starter));
+ 	free(starter);
diff --git a/SOURCES/libcap-cve-2023-2603.patch b/SOURCES/libcap-cve-2023-2603.patch
new file mode 100644
index 0000000..1020f84
--- /dev/null
+++ b/SOURCES/libcap-cve-2023-2603.patch
@@ -0,0 +1,18 @@
+--- a/libcap/cap_alloc.c	2023-06-26 18:42:42.295817583 +0200
++++ b/libcap/cap_alloc.c	2023-06-26 18:40:32.485375859 +0200
+@@ -82,7 +82,14 @@
+ 	return NULL;
+     }
+ 
+-    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
++    size_t len = strlen(old);
++    if ((len & 0x3fffffff) != len) {
++	_cap_debug("len is too long for libcap to manage");
++	errno = EINVAL;
++	return NULL;
++    }
++    len += 1 + sizeof(__u32);
++    raw_data = calloc(1, len);
+     if (raw_data == NULL) {
+ 	errno = ENOMEM;
+ 	return NULL;
diff --git a/SPECS/libcap.spec b/SPECS/libcap.spec
index ec6587d..e2711b5 100644
--- a/SPECS/libcap.spec
+++ b/SPECS/libcap.spec
@@ -1,6 +1,6 @@
 Name: libcap
 Version: 2.48
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Library for getting and setting POSIX.1e capabilities
 URL: https://sites.google.com/site/fullycapable/
 License: BSD or GPLv2
@@ -13,6 +13,8 @@ Patch2: %{name}-static-analysis.patch
 Patch3: %{name}-fix-ambient-caps.patch
 Patch4: %{name}-fix-prctl-usage.patch
 Patch5: %{name}-check-allocation.patch
+Patch6: %{name}-cve-2023-2603.patch
+Patch7: %{name}-cve-2023-2602.patch
 
 BuildRequires: libattr-devel pam-devel perl-interpreter
 BuildRequires: make
@@ -91,6 +93,12 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %{_libdir}/pkgconfig/libpsx.pc
 
 %changelog
+* Mon Jun 26 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-5
+- Fix integer overflow in _libcap_strdup() (CVE-2023-2603)
+  Resolves: rhbz#2210636
+- Correctly check pthread_create() return value to avoid memory leak (CVE-2023-2602)
+  Resolves: rhbz#2222197
+
 * Tue May 17 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-4
 - check for successful memory allocation
   related: rhbz#2062648