Bug 217410 - [libcap-2.69] Fix the 5 issues in libcap and friends found by a recent security audit
Summary: [libcap-2.69] Fix the 5 issues in libcap and friends found by a recent securi...
Status: RESOLVED CODE_FIX
Alias: None
Product: Tools
Classification: Unclassified
Component: libcap (show other bugs)
Hardware: All Linux
: P1 blocking
Assignee: Andrew G. Morgan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-06 21:07 UTC by Andrew G. Morgan
Modified: 2023-05-24 03:43 UTC (History)
0 users

See Also:
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Andrew G. Morgan 2023-05-06 21:07:22 UTC 
A recent audit was performed on libcap and friends by https://x41-dsec.de/ . (The audit was sponsored by the the Open Source Technology Improvement Fund (https://ostif.org/).

The audit detected 5 issues labeled as follows:

 LCAP-CR-23-01 - (SEVERITY) LOW 
 LCAP-CR-23-02 - (SEVERITY) MEDIUM
LCAP-CR-23-100 - (SEVERITY) NONE
LCAP-CR-23-101 - (SEVERITY) NONE
LCAP-CR-23-102 - (SEVERITY) NONE

I plan to release fixes for all of these with libcap-2.69.
Comment 1 Andrew G. Morgan 2023-05-07 03:29:26 UTC 
On closer inspection, I will not be addressing LCAP-CR-23-102 in the libcap-2.69 release. As noted, is has no severity, and so I feel it can benefit from further thought and investigation.
Comment 2 Andrew G. Morgan 2023-05-08 01:33:20 UTC 
My plan is to push the fixes and cut a libcap-2.69 release on 2023-05-15.
Comment 3 Andrew G. Morgan 2023-05-13 18:40:19 UTC 
These two issues have been assigned CVE ids:

 LCAP-CR-23-01 - (SEVERITY) LOW     -> CVE-2023-2602
 LCAP-CR-23-02 - (SEVERITY) MEDIUM  -> CVE-2023-2603
Comment 4 Andrew G. Morgan 2023-05-24 03:43:41 UTC 
The LCAP-CR-23-102 issue is the subject of https://bugzilla.kernel.org/show_bug.cgi?id=217476

libcap-2.69 was released a week ago.
Note You need to log in before you can comment on or make changes to this bug.