[AUTO-CHERRYPICK] Patch libcap for CVE-2025-1390 [Medium] - branch main (#12585)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/libcap/CVE-2025-1390.patch

@@ -0,0 +1,31 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues.  Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+ 
+ 	    if (line[0] != '@') {
+ 		D(("user [%s] is not [%s] - skipping", user, line));
++		continue;
+ 	    }
+ 
+ 	    int i;
+-- 
+cgit 1.2.3-korg

SPECS/libcap/libcap.spec

@@ -1,7 +1,7 @@
 Summary:        Libcap
 Name:           libcap
 Version:        2.60
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2+
 Group:          System Environment/Security
 URL:            https://www.gnu.org/software/hurd/community/gsoc/project_ideas/libcap.html
@@ -10,6 +10,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Patch0:         CVE-2023-2602.patch
 Patch1:         CVE-2023-2603.patch
+Patch2:         CVE-2025-1390.patch
 
 %description
 The libcap package implements the user-space interfaces to the POSIX 1003.1e capabilities available
@@ -60,6 +61,9 @@ sed -i "s|pass_capsh --chroot=\$(/bin/pwd) ==||g" quicktest.sh
 %{_mandir}/man3/*
 
 %changelog
+* Sun Feb 23 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.60-3
+- Patch CVE-2025-1390
+
 * Thu Jun 15 2023 Henry Li <lihl@microsoft.com> - 2.60-2
 - Add patch to resolve CVE-2023-2602 and CVE-2023-2603
 - Use autosetup

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -170,8 +170,8 @@ openssl-devel-1.1.1k-35.cm2.aarch64.rpm
 openssl-libs-1.1.1k-35.cm2.aarch64.rpm
 openssl-perl-1.1.1k-35.cm2.aarch64.rpm
 openssl-static-1.1.1k-35.cm2.aarch64.rpm
-libcap-2.60-2.cm2.aarch64.rpm
-libcap-devel-2.60-2.cm2.aarch64.rpm
+libcap-2.60-3.cm2.aarch64.rpm
+libcap-devel-2.60-3.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
 libarchive-3.6.1-4.cm2.aarch64.rpm
 libarchive-devel-3.6.1-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -170,8 +170,8 @@ openssl-devel-1.1.1k-35.cm2.x86_64.rpm
 openssl-libs-1.1.1k-35.cm2.x86_64.rpm
 openssl-perl-1.1.1k-35.cm2.x86_64.rpm
 openssl-static-1.1.1k-35.cm2.x86_64.rpm
-libcap-2.60-2.cm2.x86_64.rpm
-libcap-devel-2.60-2.cm2.x86_64.rpm
+libcap-2.60-3.cm2.x86_64.rpm
+libcap-devel-2.60-3.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
 libarchive-3.6.1-4.cm2.x86_64.rpm
 libarchive-devel-3.6.1-4.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -151,9 +151,9 @@ libassuan-2.5.5-2.cm2.aarch64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.aarch64.rpm
 libassuan-devel-2.5.5-2.cm2.aarch64.rpm
 libbacktrace-static-11.2.0-8.cm2.aarch64.rpm
-libcap-2.60-2.cm2.aarch64.rpm
-libcap-debuginfo-2.60-2.cm2.aarch64.rpm
-libcap-devel-2.60-2.cm2.aarch64.rpm
+libcap-2.60-3.cm2.aarch64.rpm
+libcap-debuginfo-2.60-3.cm2.aarch64.rpm
+libcap-devel-2.60-3.cm2.aarch64.rpm
 libcap-ng-0.8.2-2.cm2.aarch64.rpm
 libcap-ng-debuginfo-0.8.2-2.cm2.aarch64.rpm
 libcap-ng-devel-0.8.2-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -157,9 +157,9 @@ libassuan-2.5.5-2.cm2.x86_64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.x86_64.rpm
 libassuan-devel-2.5.5-2.cm2.x86_64.rpm
 libbacktrace-static-11.2.0-8.cm2.x86_64.rpm
-libcap-2.60-2.cm2.x86_64.rpm
-libcap-debuginfo-2.60-2.cm2.x86_64.rpm
-libcap-devel-2.60-2.cm2.x86_64.rpm
+libcap-2.60-3.cm2.x86_64.rpm
+libcap-debuginfo-2.60-3.cm2.x86_64.rpm
+libcap-devel-2.60-3.cm2.x86_64.rpm
 libcap-ng-0.8.2-2.cm2.x86_64.rpm
 libcap-ng-debuginfo-0.8.2-2.cm2.x86_64.rpm
 libcap-ng-devel-0.8.2-2.cm2.x86_64.rpm