diff --git a/backport-Address-some-static-analysis-observations.patch b/backport-Address-some-static-analysis-observations.patch deleted file mode 100644 index 08f9d7774746b73838878be8654aa3facde75b65..0000000000000000000000000000000000000000 --- a/backport-Address-some-static-analysis-observations.patch +++ /dev/null @@ -1,53 +0,0 @@ -From a044d8b496ef598c61f0634172c742bd52ccf776 Mon Sep 17 00:00:00 2001 -From: "Andrew G. Morgan" -Date: Fri, 15 Nov 2024 07:26:42 -0800 -Subject: [PATCH] Address some static analysis observations. - -These were reported by Carlos Rodriguez-Fernandez with respect -to some analysis performed on the Fedora libcap-2.71 package. - -Signed-off-by: Andrew G. Morgan ---- - libcap/execable.h | 1 + - pam_cap/pam_cap.c | 6 +++++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/libcap/execable.h b/libcap/execable.h -index 7a2d247..89e61a3 100644 ---- a/libcap/execable.h -+++ b/libcap/execable.h -@@ -38,6 +38,7 @@ static void __execable_parse_args(int *argc_p, char ***argv_p) - char *new_mem = realloc(mem, size+1); - if (new_mem == NULL) { - perror("unable to parse arguments"); -+ fclose(f); - if (mem != NULL) { - free(mem); - } -diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c -index 3fe3b8c..24de329 100644 ---- a/pam_cap/pam_cap.c -+++ b/pam_cap/pam_cap.c -@@ -170,7 +170,8 @@ static char *read_capabilities_for_user(const char *user, const char *source) - - int i; - for (i=0; i < groups_n; i++) { -- if (!strcmp(groups[i], line+1)) { -+ const char *g = groups[i]; -+ if (g != NULL && !strcmp(g, line+1)) { - D(("user group matched [%s]", line)); - found_one = 1; - break; -@@ -283,6 +284,9 @@ static int set_capabilities(struct pam_cap_s *cs) - goto cleanup_cap_s; - } - conf_caps = strdup(cs->fallback); -+ if (conf_caps == NULL) { -+ goto cleanup_cap_s; -+ } - D(("user [%s] received fallback caps [%s]", cs->user, conf_caps)); - } - --- -2.33.0 - diff --git a/backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch b/backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch deleted file mode 100644 index c143fee9cb7c04fa8398502244580d18cff2986a..0000000000000000000000000000000000000000 --- a/backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001 -From: Tianjia Zhang -Date: Mon, 17 Feb 2025 10:31:55 +0800 -Subject: [PATCH] pam_cap: Fix potential configuration parsing error - -The current configuration parsing does not actually skip user names -that do not start with @, but instead treats the name as a group -name for further parsing, which can result in matching unexpected -capability sets and may trigger potential security issues. Only -names starting with @ should be parsed as group names. - -Signed-off-by: Tianjia Zhang -Signed-off-by: Andrew G. Morgan ---- - pam_cap/pam_cap.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c -index 24de329..3ec99bb 100644 ---- a/pam_cap/pam_cap.c -+++ b/pam_cap/pam_cap.c -@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source) - - if (line[0] != '@') { - D(("user [%s] is not [%s] - skipping", user, line)); -+ continue; - } - - int i; --- -2.33.0 - diff --git a/backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch b/backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch deleted file mode 100644 index 0764288d6983c2cf12374d3c8237b800bc93e1ad..0000000000000000000000000000000000000000 --- a/backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch +++ /dev/null @@ -1,45 +0,0 @@ -From ee20d385ef319f8523f1debc49f375c8eff257a6 Mon Sep 17 00:00:00 2001 -From: "Andrew G. Morgan" -Date: Fri, 22 Dec 2023 06:37:02 -0800 -Subject: Stop using _pam_overwrite() in pam_cap.c. - -It looks like the Linux-PAM folk have deprecated this macro. Compiler optimization -is hard to account for: apparently this explicit deletion is no longer -guaranteed to work. This function was marked deprecated in v1.5.3 of Linux-PAM. - -I've replaced its use with memset(). I'm not convinced that that will be honored -either, but remain hopeful and prefer to leave the code explicit in its intent -without a deprecation warning messing up the build log. Should some compiler -optimize it away and it leads to an exploit of some sort, it can be revealed as -a compilation bug. - -Signed-off-by: Andrew G. Morgan ---- - pam_cap/pam_cap.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c -index b9419cb..3fe3b8c 100644 ---- a/pam_cap/pam_cap.c -+++ b/pam_cap/pam_cap.c -@@ -199,7 +199,7 @@ defer: - int i; - for (i = 0; i < groups_n; i++) { - char *g = groups[i]; -- _pam_overwrite(g); -+ memset(g, 0, strlen(g)); - _pam_drop(g); - } - if (groups != NULL) { -@@ -440,7 +440,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, - small race associated with a redundant read of the - config. */ - -- _pam_overwrite(conf_caps); -+ memset(conf_caps, 0, strlen(conf_caps)); - _pam_drop(conf_caps); - - return PAM_SUCCESS; --- -cgit 1.2.3-korg - diff --git a/backport-getpcaps-fix-program-name-in-help-message.patch b/backport-getpcaps-fix-program-name-in-help-message.patch deleted file mode 100644 index e13d8c30e13777980b6156e2e73648172a6215e9..0000000000000000000000000000000000000000 --- a/backport-getpcaps-fix-program-name-in-help-message.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 17c5e89521fd0455a8f18563eb37e5ddbc7d34cb Mon Sep 17 00:00:00 2001 -From: Jakub Wilk -Date: Mon, 29 Jan 2024 11:33:40 +0100 -Subject: getpcaps: fix program name in help message - -Signed-off-by: Jakub Wilk -Signed-off-by: Andrew G. Morgan ---- - progs/getpcaps.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/progs/getpcaps.c b/progs/getpcaps.c -index 7e14c36..b4cbda8 100644 ---- a/progs/getpcaps.c -+++ b/progs/getpcaps.c -@@ -14,7 +14,7 @@ - static void usage(int code) - { - fprintf(stderr, --"usage: getcaps [opts] [ ...]\n\n" -+"usage: getpcaps [opts] [ ...]\n\n" - " This program displays the capabilities on the queried process(es).\n" - " The capabilities are displayed in the cap_from_text(3) format.\n" - "\n" --- -cgit 1.2.3-korg - diff --git a/libcap-2.69.tar.gz b/libcap-2.69.tar.gz deleted file mode 100644 index ade15d691788330ded422700cbe7923b4ff33924..0000000000000000000000000000000000000000 Binary files a/libcap-2.69.tar.gz and /dev/null differ diff --git a/libcap-2.76.tar.gz b/libcap-2.76.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..913b125458d6ced1cdf5173ac93db5f9eb143e2f Binary files /dev/null and b/libcap-2.76.tar.gz differ diff --git a/libcap.spec b/libcap.spec index 69805d4a4b2e5ec8817d30fbba52249c17e37737..370d750028c3e0fba553dd14e79548044890e232 100644 --- a/libcap.spec +++ b/libcap.spec @@ -1,6 +1,6 @@ Name: libcap -Version: 2.69 -Release: 5 +Version: 2.76 +Release: 1 Summary: A library for getting and setting POSIX.1e draft 15 capabilities License: GPLv2 URL: https://sites.google.com/site/fullycapable @@ -9,10 +9,6 @@ Source0: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{n Patch0: libcap-buildflags.patch Patch1: backport-libcap-Ensure-the-XATTR_NAME_CAPS-is-define.patch Patch2: support-specify-cc.patch -Patch3: backport-getpcaps-fix-program-name-in-help-message.patch -Patch4: backport-Stop-using-_pam_overwrite-in-pam_cap.c.patch -Patch5: backport-CVE-2025-1390-pam_cap-Fix-potential-configuration-parsing-error.patch -Patch6: backport-Address-some-static-analysis-observations.patch BuildRequires: libattr-devel pam-devel perl-interpreter gcc @@ -73,8 +69,13 @@ chmod +x %{buildroot}/%{_libdir}/*.so.* %{_mandir}/man3/*.gz %{_mandir}/man1/*.gz %{_mandir}/man8/*.gz +%{_mandir}/man5/*.gz +%{_mandir}/man7/*.gz %changelog +* Fri Oct 10 2025 Xu Raoqing - 2.76-1 +- update to 2.76 + * Thu Mar 13 2025 yixiangzhike - 2.69-5 - backport upstream patch to address some static analysis observations diff --git a/support-specify-cc.patch b/support-specify-cc.patch index 3665656fbeca374554c4abdbde27c70f357ba3d7..ba9c3b9c1a892064caf450c80e01be43b6f401d6 100644 --- a/support-specify-cc.patch +++ b/support-specify-cc.patch @@ -1,12 +1,26 @@ -diff -up libcap-2.66/Make.Rules.orig2 libcap-2.66/Make.Rules ---- libcap-2.66/Make.Rules.orig2 2023-04-16 17:46:55.922279005 +0800 -+++ libcap-2.66/Make.Rules 2023-04-16 17:46:13.518097014 +0800 -@@ -66,7 +66,7 @@ DEFINES := -D_LARGEFILE64_SOURCE -D_FILE - SYSTEM_HEADERS = /usr/include - - SUDO := sudo --CC := $(CROSS_COMPILE)gcc -+CC ?= $(CROSS_COMPILE)gcc - LD := $(CC) -Wl,-x -shared - AR := $(CROSS_COMPILE)ar - RANLIB := $(CROSS_COMPILE)ranlib +From 85d268e1053b485de5f246980c747a6341bf87e4 Mon Sep 17 00:00:00 2001 +From: Super User +Date: Fri, 10 Oct 2025 17:12:56 +0800 +Subject: [PATCH] support specify cc + +Signed-off-by: Xu Raoqing +--- + Make.Rules | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Make.Rules b/Make.Rules +index 6d5a5f0..4e43fbf 100644 +--- a/Make.Rules ++++ b/Make.Rules +@@ -65,7 +65,7 @@ LIBCAP_INCLUDES = -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include + DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 + + SUDO := sudo +-CC := $(CROSS_COMPILE)gcc ++CC ?= $(CROSS_COMPILE)gcc + LD := $(CC) -Wl,-x -shared -Wl,-shared + AR := $(CROSS_COMPILE)ar + RANLIB := $(CROSS_COMPILE)ranlib +-- +2.48.1 +