Format: 1.8
Date: Mon, 24 Feb 2025 11:38:51 +0000
Source: libcap2
Architecture: source
Version: 1:2.44-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Christian Kastner <ckk@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1036114 1098318
Changes:
 libcap2 (1:2.44-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS team:
 .
     - CVE-2023-2602: Prevent a potential memory exhaustion vulnerability. An
       issue was found in pthread_create where a malicious actor could have
       caused the underlying __real_pthread_create() to return an error and
       ultimately exhausted the process memory. (Closes: #1036114)
 .
     - CVE-2023-2603: Prevent a potential integer overflow vulnerability. The
       issue was located in the _libcap_strdup() function which could have
       led to an overflow if the input string was close to 4GiB.
       (Closes: #1036114)
 .
     - CVE-2025-1390: Prevent a potential local privilege escalation issue.
       The PAM module (i.e. pam_cap.so) supports group names starting with
       "@" — during parsing, configurations not starting with a "@" are
       incorrectly recognised as group names. This may have resulted in
       unintended users being granted an inherited capability set and thus
       potentially leading to security risks. However, attackers can exploit
       this vulnerability to achieve local privilege escalation only on
       systems where the /etc/security/capability.conf file is used to
       configure user inherited privileges by constructing specific
       usernames. (Closes: #1098318)