fix CVE-2025-1390
This commit is contained in:
Linux_zhang
parent
916add6d35
commit
9520852069
@ -0,0 +1,32 @@
|
||||
From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
|
||||
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
|
||||
Date: Mon, 17 Feb 2025 10:31:55 +0800
|
||||
Subject: [PATCH] pam_cap: Fix potential configuration parsing error
|
||||
|
||||
The current configuration parsing does not actually skip user names
|
||||
that do not start with @, but instead treats the name as a group
|
||||
name for further parsing, which can result in matching unexpected
|
||||
capability sets and may trigger potential security issues. Only
|
||||
names starting with @ should be parsed as group names.
|
||||
|
||||
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
|
||||
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
||||
---
|
||||
pam_cap/pam_cap.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
|
||||
index 24de329..3ec99bb 100644
|
||||
--- a/pam_cap/pam_cap.c
|
||||
+++ b/pam_cap/pam_cap.c
|
||||
@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
|
||||
|
||||
if (line[0] != '@') {
|
||||
D(("user [%s] is not [%s] - skipping", user, line));
|
||||
+ continue;
|
||||
}
|
||||
|
||||
int i;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libcap
|
||||
Version: 2.32
|
||||
Release: 7
|
||||
Release: 8
|
||||
Summary: A library for getting and setting POSIX.1e draft 15 capabilities
|
||||
License: GPLv2
|
||||
URL: https://sites.google.com/site/fullycapable
|
||||
@ -15,6 +15,7 @@ Patch5: backport-Guarantee-sufficient-memory-for-scratch-pathname.patch
|
||||
Patch6: backport-getpcaps-catch-PID-parsing-errors.patch
|
||||
Patch7: backport-Large-strings-can-confuse-libcap-s-internal-strdup-c.patch
|
||||
Patch8: backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
|
||||
Patch9: backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch
|
||||
|
||||
BuildRequires: libattr-devel pam-devel perl-interpreter gcc
|
||||
|
||||
@ -75,6 +76,9 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
|
||||
%{_mandir}/man8/*.gz
|
||||
|
||||
%changelog
|
||||
* Tue Mar 04 2025 Linux_zhang <zhangruifang@h-partners.com> - 2.32-8
|
||||
- fix CVE-2025-1390
|
||||
|
||||
* Mon Jul 3 2023 wangyunjia <yunjia.wang@huawei.com> - 2.32-7
|
||||
- VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user