From c8c8c079b4c3497c8ed555411cd76f6743ee296b Mon Sep 17 00:00:00 2001
From: Linux_zhang <zhangruifang1@h-partners.com>
Date: Tue, 4 Mar 2025 11:45:00 +0800
Subject: [PATCH] fix CVE-2025-1390

(cherry picked from commit 17701297e5a3726cfb75ff0de4a76d0af4af0421)
---
 ...otential-configuration-parsing-error.patch | 32 +++++++++++++++++++
 libcap.spec                                   |  7 ++--
 2 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch

diff --git a/backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch b/backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch
new file mode 100644
index 0000000..c143fee
--- /dev/null
+++ b/backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch
@@ -0,0 +1,32 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: [PATCH] pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues.  Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+ 
+ 	    if (line[0] != '@') {
+ 		D(("user [%s] is not [%s] - skipping", user, line));
++		continue;
+ 	    }
+ 
+ 	    int i;
+-- 
+2.33.0
+
diff --git a/libcap.spec b/libcap.spec
index 70cb3bc..14cdb4e 100644
--- a/libcap.spec
+++ b/libcap.spec
@@ -1,6 +1,6 @@
 Name:     libcap
 Version:  2.69
-Release:  3
+Release:  4
 Summary:  A library for getting and setting POSIX.1e draft 15 capabilities        
 License:  GPLv2
 URL:      https://sites.google.com/site/fullycapable
@@ -11,6 +11,7 @@ Patch1:   backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch
 Patch2:   support-specify-cc.patch
 Patch3:   backport-getpcaps-fix-program-name-in-help-message.patch
 Patch4:   backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch
+Patch5:   backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch
 
 BuildRequires: libattr-devel pam-devel perl-interpreter gcc
 
@@ -73,12 +74,14 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %{_mandir}/man8/*.gz
 
 %changelog
+* Tue Mar 04 2025 Linux_zhang <zhangruifang@h-partners.com> - 2.69-4
+- fix CVE-2025-1390
+
 * Wed Mar 27 2024 yanglongkang <yanglongkang@h-partners.com> - 2.69-3
 - backport upstream patches:
   getpcaps: fix program name in help message
   Stop using _pam_overwrite() in pam_cap.c
 
-
 * Sun Apr 16 2023 jammyjellyfish <jammyjellyfish255@outlook.com> - 2.69-2
 - Support specify CC
 
-- 
Gitee