On Mon, Jun 26, 2023 at 3:40 AM vkumbhar wrote:
>
> Signed-off-by: Vivek Kumbhar
> ---
> .../libcap/files/CVE-2023-2603.patch | 60 +++
> meta/recipes-support/libcap/libcap_2.66.bb| 1 +
> 2 files changed, 61 insertions(+)
> create mode 100644 meta/recipes-support/libcap/files/CVE-2023-2603.patch
>
> diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch
> b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
> new file mode 100644
> index 00..e09be78640
> --- /dev/null
> +++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
> @@ -0,0 +1,60 @@
> +From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
> +From: "Andrew G. Morgan"
> +Date: Wed, 3 May 2023 19:44:22 -0700
> +Subject: Large strings can confuse libcap's internal strdup code.
> +
> +Avoid something subtle with really long strings: 1073741823 should
> +be enough for anybody. This is an improved fix over something attempted
> +in libcap-2.55 to address some static analysis findings.
> +
> +Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
> +are the only two calls where the library is potentially exposed to a
> +user controlled string input.
> +
> +Credit for finding this bug in libcap goes to Richard Weinberger of
> +X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
> +of the libcap source code in April of 2023. The audit was sponsored
> +by the Open Source Technology Improvement Fund (https://ostif.org/).
> +
> +Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
> +
> +Signed-off-by: Andrew G. Morgan
> +
> +Upstream-Status: Backport
> [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
> +CVE: CVE-2023-2603
> +Signed-off-by: Vivek Kumbhar
> +
> +---
> + libcap/cap_alloc.c | 12 +++-
> + 1 file changed, 7 insertions(+), 5 deletions(-)
> +
> +diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c
> +index c826e7a..25f9981 100644
> +--- a/libcap/cap_alloc.c
> b/libcap/cap_alloc.c
> +@@ -105,15 +105,17 @@ char *_libcap_strdup(const char *old)
> + errno = EINVAL;
> + return NULL;
> + }
> +-len = strlen(old) + 1 + 2*sizeof(__u32);
> +-if (len < sizeof(struct _cap_alloc_s)) {
> +- len = sizeof(struct _cap_alloc_s);
> +-}
> +-if ((len & 0x) != len) {
> ++
> ++len = strlen(old);
> ++if ((len & 0x3fff) != len) {
> + _cap_debug("len is too long for libcap to manage");
> + errno = EINVAL;
> + return NULL;
> + }
> ++len += 1 + 2*sizeof(__u32);
> ++if (len < sizeof(struct _cap_alloc_s)) {
> ++ len = sizeof(struct _cap_alloc_s);
> ++}
> +
> + raw_data = calloc(1, len);
> + if (raw_data == NULL) {
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-support/libcap/libcap_2.66.bb
> b/meta/recipes-support/libcap/libcap_2.66.bb
> index c50e9d8cc7..844ae58506 100644
> --- a/meta/recipes-support/libcap/libcap_2.66.bb
> +++ b/meta/recipes-support/libcap/libcap_2.66.bb
> @@ -19,6 +19,7 @@ SRC_URI =
> "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
> "
> SRC_URI:append:class-nativesdk = " \
>
> file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \
> + file://CVE-2023-2603.patch \
Did you really intend for this patch only to be applied for class-nativesdk?
Steve
> "
> SRC_URI[sha256sum] =
> "15c40ededb3003d70a283fe587a36b7d19c8b3b554e33f86129c059a4bb466b2"
>
> --
> 2.25.1
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183423):
https://lists.openembedded.org/g/openembedded-core/message/183423
Mute This Topic: https://lists.openembedded.org/mt/99787652/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-