libcap: backport Debian patches to fix CVE-2023-2602 and CVE-2023-2603

import patches from ubuntu to fix CVE-2023-2602 CVE-2023-2603 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb & https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18] (From OE-Core rev: d0718a43a00223aa074f14e769214ba11d4f8ef2) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-06-28 12:58:12 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-07-04 05:37:07 -1000
commit: 725643695784353c7465173d08d3774c1c1b38ed (patch)
tree: 274746808c7726077d99a8a2ff7e1cbd14b7dcad
parent: f25b3632334c6ee4920e1dfd4634111344672b3f (diff)
download: poky-725643695784353c7465173d08d3774c1c1b38ed.tar.gz
3 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-support/libcap/files/CVE-2023-2602.patch b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
new file mode 100644
index 0000000000..ca04d7297a
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
@@ -0,0 +1,52 @@
+Backport of:
+From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: Correct the check of pthread_create()'s return value.
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+Discussion:
+  https://stackoverflow.com/a/3581020/14760867
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2602.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb]
+CVE: CVE-2023-2602
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+--- a/libcap/psx.c
+++ b/libcap/psx.c
+@@ -272,7 +272,7 @@ int psx_pthread_create(pthread_t *thread
+ 
+     psx_wait_for_idle();
+     int ret = pthread_create(thread, attr, start_routine, arg);
+-    if (ret != -1) {
+    if (ret == 0) {
+        psx_do_registration(*thread);
+     }
+     psx_resume_idle();
+@@ -287,7 +287,7 @@ int __wrap_pthread_create(pthread_t *thr
+                          void *(*start_routine) (void *), void *arg) {
+     psx_wait_for_idle();
+     int ret = __real_pthread_create(thread, attr, start_routine, arg);
+-    if (ret != -1) {
+    if (ret == 0) {
+        psx_do_registration(*thread);
+     }
+     psx_resume_idle();
diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
new file mode 100644
index 0000000000..cf86ac2a46
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
@@ -0,0 +1,58 @@
+Backport of:
+From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
+CVE: CVE-2023-2603
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+--- a/libcap/cap_alloc.c
+++ b/libcap/cap_alloc.c
+@@ -76,13 +76,22 @@ cap_t cap_init(void)
+ char *_libcap_strdup(const char *old)
+ {
+     __u32 *raw_data;
+    size_t len;
+ 
+     if (old == NULL) {
+        errno = EINVAL;
+        return NULL;
+     }
+ 
+-    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
+    len = strlen(old);
+    if ((len & 0x3fffffff) != len) {
+       _cap_debug("len is too long for libcap to manage");
+       errno = EINVAL;
+       return NULL;
+    }
+    len += sizeof(__u32) + 1;
+
+    raw_data = malloc(len);
+     if (raw_data == NULL) {
+        errno = ENOMEM;
+        return NULL;
diff --git a/meta/recipes-support/libcap/libcap_2.32.bb b/meta/recipes-support/libcap/libcap_2.32.bb
index d67babb5e9..64d5190aa7 100644
--- a/meta/recipes-support/libcap/libcap_2.32.bb
+++ b/meta/recipes-support/libcap/libcap_2.32.bb
@@ -13,6 +13,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
           file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
           file://0002-tests-do-not-run-target-executables.patch \
           file://0001-tests-do-not-statically-link-a-test.patch \
+           file://CVE-2023-2602.patch \
+           file://CVE-2023-2603.patch \
           "
 SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9"
 SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-06-28 12:58:12 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-07-04 05:37:07 -1000
commit	725643695784353c7465173d08d3774c1c1b38ed (patch)
tree	274746808c7726077d99a8a2ff7e1cbd14b7dcad
parent	f25b3632334c6ee4920e1dfd4634111344672b3f (diff)
download	poky-725643695784353c7465173d08d3774c1c1b38ed.tar.gz

diff --git a/meta/recipes-support/libcap/files/CVE-2023-2602.patch b/meta/recipes-support/libcap/files/CVE-2023-2602.patch new file mode 100644 index 0000000000..ca04d7297a --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
@@ -0,0 +1,52 @@
		1	Backport of:
		2
		3	From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001
		4	From: "Andrew G. Morgan" <morgan@kernel.org>
		5	Date: Wed, 3 May 2023 19:18:36 -0700
		6	Subject: Correct the check of pthread_create()'s return value.
		7
		8	This function returns a positive number (errno) on error, so the code
		9	wasn't previously freeing some memory in this situation.
		10
		11	Discussion:
		12
		13	https://stackoverflow.com/a/3581020/14760867
		14
		15	Credit for finding this bug in libpsx goes to David Gstir of
		16	X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
		17	audit of the libcap source code in April of 2023. The audit
		18	was sponsored by the Open Source Technology Improvement Fund
		19	(https://ostif.org/).
		20
		21	Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
		22
		23	Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
		24
		25	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2602.patch?h=ubuntu/focal-security
		26	Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb]
		27	CVE: CVE-2023-2602
		28	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		29	---
		30	psx/psx.c \| 2 +-
		31	1 file changed, 1 insertion(+), 1 deletion(-)
		32
		33	--- a/libcap/psx.c
		34	+++ b/libcap/psx.c
		35	@@ -272,7 +272,7 @@ int psx_pthread_create(pthread_t *thread
		36
		37	psx_wait_for_idle();
		38	int ret = pthread_create(thread, attr, start_routine, arg);
		39	- if (ret != -1) {
		40	+ if (ret == 0) {
		41	psx_do_registration(*thread);
		42	}
		43	psx_resume_idle();
		44	@@ -287,7 +287,7 @@ int __wrap_pthread_create(pthread_t *thr
		45	void (start_routine) (void ), void arg) {
		46	psx_wait_for_idle();
		47	int ret = __real_pthread_create(thread, attr, start_routine, arg);
		48	- if (ret != -1) {
		49	+ if (ret == 0) {
		50	psx_do_registration(*thread);
		51	}
		52	psx_resume_idle();


diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch b/meta/recipes-support/libcap/files/CVE-2023-2603.patch new file mode 100644 index 0000000000..cf86ac2a46 --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
@@ -0,0 +1,58 @@
		1	Backport of:
		2
		3	From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
		4	From: "Andrew G. Morgan" <morgan@kernel.org>
		5	Date: Wed, 3 May 2023 19:44:22 -0700
		6	Subject: Large strings can confuse libcap's internal strdup code.
		7
		8	Avoid something subtle with really long strings: 1073741823 should
		9	be enough for anybody. This is an improved fix over something attempted
		10	in libcap-2.55 to address some static analysis findings.
		11
		12	Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
		13	are the only two calls where the library is potentially exposed to a
		14	user controlled string input.
		15
		16	Credit for finding this bug in libcap goes to Richard Weinberger of
		17	X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
		18	of the libcap source code in April of 2023. The audit was sponsored
		19	by the Open Source Technology Improvement Fund (https://ostif.org/).
		20
		21	Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
		22
		23	Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
		24
		25	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security
		26	Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
		27	CVE: CVE-2023-2603
		28	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		29	---
		30	libcap/cap_alloc.c \| 12 +++++++-----
		31	1 file changed, 7 insertions(+), 5 deletions(-)
		32
		33	--- a/libcap/cap_alloc.c
		34	+++ b/libcap/cap_alloc.c
		35	@@ -76,13 +76,22 @@ cap_t cap_init(void)
		36	char _libcap_strdup(const char old)
		37	{
		38	__u32 *raw_data;
		39	+ size_t len;
		40
		41	if (old == NULL) {
		42	errno = EINVAL;
		43	return NULL;
		44	}
		45
		46	- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
		47	+ len = strlen(old);
		48	+ if ((len & 0x3fffffff) != len) {
		49	+ _cap_debug("len is too long for libcap to manage");
		50	+ errno = EINVAL;
		51	+ return NULL;
		52	+ }
		53	+ len += sizeof(__u32) + 1;
		54	+
		55	+ raw_data = malloc(len);
		56	if (raw_data == NULL) {
		57	errno = ENOMEM;
		58	return NULL;


diff --git a/meta/recipes-support/libcap/libcap_2.32.bb b/meta/recipes-support/libcap/libcap_2.32.bb index d67babb5e9..64d5190aa7 100644 --- a/meta/recipes-support/libcap/libcap_2.32.bb +++ b/meta/recipes-support/libcap/libcap_2.32.bb
@@ -13,6 +13,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
13	file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \	13	file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
14	file://0002-tests-do-not-run-target-executables.patch \	14	file://0002-tests-do-not-run-target-executables.patch \
15	file://0001-tests-do-not-statically-link-a-test.patch \	15	file://0001-tests-do-not-statically-link-a-test.patch \
		16	file://CVE-2023-2602.patch \
		17	file://CVE-2023-2603.patch \
16	"	18	"
17	SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9"	19	SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9"
18	SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be"	20	SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be"