update: libcap #1652

dongsupark · 2025-02-18T10:18:21Z

Name: libcap
CVEs: CVE-2025-1390
CVSSs: 6.1
Action Needed: TBD

Summary: The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

See also https://bugzilla.redhat.com/show_bug.cgi?id=2346212, https://bugzilla.openanolis.cn/show_bug.cgi?id=18804.

refmap.gentoo: TBD

dongsupark added advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns labels Feb 18, 2025

dongsupark added this to Flatcar tactical, release planning, and roadmap Feb 18, 2025

github-project-automation bot moved this to 📝 Needs Triage in Flatcar tactical, release planning, and roadmap Feb 18, 2025

dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Feb 18, 2025

github-actions bot mentioned this issue Feb 22, 2025

Monthly contributions report 2025-01-22 - 2025-02-21 #1658

Open

krnowak mentioned this issue Feb 25, 2025

Weekly portage-stable package updates 2025-02-24 flatcar/scripts#2682

Merged

2 tasks

krnowak closed this as completed in flatcar/scripts#2682 Feb 28, 2025

github-project-automation bot moved this from 🪵Backlog to Implemented in Flatcar tactical, release planning, and roadmap Feb 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update: libcap #1652

update: libcap #1652

dongsupark commented Feb 18, 2025

update: libcap #1652

update: libcap #1652

Comments

dongsupark commented Feb 18, 2025