SB2025022510 - Improper input validation in libcap

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2025-1390)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when parsing groups names. The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. A local user can use this vulnerability to escalate privileges on systems where "/etc/security/capability.conf" is used to configure user inherited privileges by constructing specific usernames.

Remediation

Install update from vendor's website.

References

• https://bugzilla.openanolis.cn/show_bug.cgi?id=18804
• https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878
• https://gitee.com/src-anolis-os/libcap/pulls/12