1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
new file mode 100644
index 0000000000..cf86ac2a46
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
@@ -0,0 +1,58 @@
+Backport of:
+From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
+CVE: CVE-2023-2603
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+--- a/libcap/cap_alloc.c
+++ b/libcap/cap_alloc.c
+@@ -76,13 +76,22 @@ cap_t cap_init(void)
+ char *_libcap_strdup(const char *old)
+ {
+     __u32 *raw_data;
+    size_t len;
+ 
+     if (old == NULL) {
+        errno = EINVAL;
+        return NULL;
+     }
+ 
+-    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
+    len = strlen(old);
+    if ((len & 0x3fffffff) != len) {
+       _cap_debug("len is too long for libcap to manage");
+       errno = EINVAL;
+       return NULL;
+    }
+    len += sizeof(__u32) + 1;
+
+    raw_data = malloc(len);
+     if (raw_data == NULL) {
+        errno = ENOMEM;
+        return NULL;

diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch b/meta/recipes-support/libcap/files/CVE-2023-2603.patch new file mode 100644 index 0000000000..cf86ac2a46 --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
@@ -0,0 +1,58 @@
	1	Backport of:
	2
	3	From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
	4	From: "Andrew G. Morgan" <morgan@kernel.org>
	5	Date: Wed, 3 May 2023 19:44:22 -0700
	6	Subject: Large strings can confuse libcap's internal strdup code.
	7
	8	Avoid something subtle with really long strings: 1073741823 should
	9	be enough for anybody. This is an improved fix over something attempted
	10	in libcap-2.55 to address some static analysis findings.
	11
	12	Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
	13	are the only two calls where the library is potentially exposed to a
	14	user controlled string input.
	15
	16	Credit for finding this bug in libcap goes to Richard Weinberger of
	17	X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
	18	of the libcap source code in April of 2023. The audit was sponsored
	19	by the Open Source Technology Improvement Fund (https://ostif.org/).
	20
	21	Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
	22
	23	Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
	24
	25	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security
	26	Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
	27	CVE: CVE-2023-2603
	28	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	29	---
	30	libcap/cap_alloc.c \| 12 +++++++-----
	31	1 file changed, 7 insertions(+), 5 deletions(-)
	32
	33	--- a/libcap/cap_alloc.c
	34	+++ b/libcap/cap_alloc.c
	35	@@ -76,13 +76,22 @@ cap_t cap_init(void)
	36	char _libcap_strdup(const char old)
	37	{
	38	__u32 *raw_data;
	39	+ size_t len;
	40
	41	if (old == NULL) {
	42	errno = EINVAL;
	43	return NULL;
	44	}
	45
	46	- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
	47	+ len = strlen(old);
	48	+ if ((len & 0x3fffffff) != len) {
	49	+ _cap_debug("len is too long for libcap to manage");
	50	+ errno = EINVAL;
	51	+ return NULL;
	52	+ }
	53	+ len += sizeof(__u32) + 1;
	54	+
	55	+ raw_data = malloc(len);
	56	if (raw_data == NULL) {
	57	errno = ENOMEM;
	58	return NULL;