From 3dc4d09bb9f9b143f85c606dca8c8c55acd7b8d0 Mon Sep 17 00:00:00 2001
From: Shile Zhang
Date: Tue, 18 Feb 2025 11:13:45 +0800
Subject: [PATCH] Fix CVE-2025-1390 backport bugfix form: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878
Signed-off-by: Shile Zhang
---
 100-libcap-cve-2025-1390.patch | 32 ++++++++++++++++++++++++++++++++
 libcap.spec | 6 +++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 100-libcap-cve-2025-1390.patch
diff --git a/100-libcap-cve-2025-1390.patch b/100-libcap-cve-2025-1390.patch
new file mode 100644
index 0000000..839aed2
--- /dev/null
+++ b/100-libcap-cve-2025-1390.patch
@@ -0,0 +1,32 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues. Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang
+Signed-off-by: Andrew G. Morgan
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+
+ if (line[0] != '@') {
+ D(("user [%s] is not [%s] - skipping", user, line));
++ continue;
+ }
+
+ int i;
+--
+cgit 1.2.3-korg
+
diff --git a/libcap.spec b/libcap.spec
index 808a80e..b90324e 100644
--- a/libcap.spec
+++ b/libcap.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 Name: libcap
 Version: 2.69
@@ -9,6 +9,7 @@ License: BSD or GPLv2
 URL: ihttps://sites.google.com/site/fullycapable/
 Source0: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%{version}.tar.gz
 Patch0: libcap-2.67-fix-pam-test-link-flag.patch
+Patch1: 100-libcap-cve-2025-1390.patch
 BuildRequires: pam-devel perl-interpreter gcc make
 Conflicts: libcap-devel < 2.69
@@ -75,6 +76,9 @@ mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
 %{_libdir}/pkgconfig/*.pc
 %changelog
+* Tue Feb 18 2025 Shile Zhang - 2.69-3
+- Fix CVE-2025-1390
+
 * Wed Nov 01 2023 U2FsdGVkX1 - 2.69-2
 - Fix library path error of .pc file under some archs
--
Gitee
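Review bot: Nothing in the libcap.spec hunks shows the new patch being applied: the `@@ -9,6 +9,7 @@` hunk only declares `Patch1: 100-libcap-cve-2025-1390.patch`, and %prep is outside this diff. If %prep uses `%autosetup -p1` or `%autopatch`, Patch1 is picked up automatically. If it applies patches one by one (for example `%patch0 -p1`), a matching `%patch1 -p1` line is needed, otherwise 2.69-3 would carry a changelog entry for CVE-2025-1390 while still building the unpatched pam_cap.c. It is worth confirming in the build log that the patch is applied, since vulnerability scanners that key on the release and changelog would report the package as fixed either way.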