1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-support/libcap/files/CVE-2025-1390.patch b/meta/recipes-support/libcap/files/CVE-2025-1390.patch
new file mode 100644
index 0000000000..a0f7dda503
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2025-1390.patch
@@ -0,0 +1,36 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues.  Only
+names starting with @ should be parsed as group names.
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878]
+CVE: CVE-2025-1390
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index b9419cb..18647a1 100644
+--- a/pam_cap/pam_cap.c
+++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+ 
+            if (line[0] != '@') {
+                D(("user [%s] is not [%s] - skipping", user, line));
+               continue;
+            }
+ 
+            int i;
+-- 
+2.25.1

diff --git a/meta/recipes-support/libcap/files/CVE-2025-1390.patch b/meta/recipes-support/libcap/files/CVE-2025-1390.patch new file mode 100644 index 0000000000..a0f7dda503 --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2025-1390.patch
@@ -0,0 +1,36 @@
	1	From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
	2	From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
	3	Date: Mon, 17 Feb 2025 10:31:55 +0800
	4	Subject: pam_cap: Fix potential configuration parsing error
	5
	6	The current configuration parsing does not actually skip user names
	7	that do not start with @, but instead treats the name as a group
	8	name for further parsing, which can result in matching unexpected
	9	capability sets and may trigger potential security issues. Only
	10	names starting with @ should be parsed as group names.
	11
	12	Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
	13	Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
	14
	15	Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878]
	16	CVE: CVE-2025-1390
	17	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	18	---
	19	pam_cap/pam_cap.c \| 1 +
	20	1 file changed, 1 insertion(+)
	21
	22	diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
	23	index b9419cb..18647a1 100644
	24	--- a/pam_cap/pam_cap.c
	25	+++ b/pam_cap/pam_cap.c
	26	@@ -166,6 +166,7 @@ static char read_capabilities_for_user(const char user, const char *source)
	27
	28	if (line[0] != '@') {
	29	D(("user [%s] is not [%s] - skipping", user, line));
	30	+ continue;
	31	}
	32
	33	int i;
	34	--
	35	2.25.1
	36