Bug 217410

Summary: [libcap-2.69] Fix the 5 issues in libcap and friends found by a recent security audit
Product: Tools Reporter: Andrew G. Morgan (morgan)
Component: libcapAssignee: Andrew G. Morgan (morgan)
Status: RESOLVED CODE_FIX    
Severity: blocking    
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: Subsystem:
Regression: No Bisected commit-id:

Description Andrew G. Morgan 2023-05-06 21:07:22 UTC 
A recent audit was performed on libcap and friends by https://x41-dsec.de/ . (The audit was sponsored by the the Open Source Technology Improvement Fund (https://ostif.org/).

The audit detected 5 issues labeled as follows:

 LCAP-CR-23-01 - (SEVERITY) LOW 
 LCAP-CR-23-02 - (SEVERITY) MEDIUM
LCAP-CR-23-100 - (SEVERITY) NONE
LCAP-CR-23-101 - (SEVERITY) NONE
LCAP-CR-23-102 - (SEVERITY) NONE

I plan to release fixes for all of these with libcap-2.69.
Comment 1 Andrew G. Morgan 2023-05-07 03:29:26 UTC 
On closer inspection, I will not be addressing LCAP-CR-23-102 in the libcap-2.69 release. As noted, is has no severity, and so I feel it can benefit from further thought and investigation.
Comment 2 Andrew G. Morgan 2023-05-08 01:33:20 UTC 
My plan is to push the fixes and cut a libcap-2.69 release on 2023-05-15.
Comment 3 Andrew G. Morgan 2023-05-13 18:40:19 UTC 
These two issues have been assigned CVE ids:

 LCAP-CR-23-01 - (SEVERITY) LOW     -> CVE-2023-2602
 LCAP-CR-23-02 - (SEVERITY) MEDIUM  -> CVE-2023-2603
Comment 4 Andrew G. Morgan 2023-05-24 03:43:41 UTC 
The LCAP-CR-23-102 issue is the subject of https://bugzilla.kernel.org/show_bug.cgi?id=217476

libcap-2.69 was released a week ago.