Openembedded Core Discussions
 help / color / mirror / Atom feed
* [OE-core][scarthgap][PATCH] libcap: Fix CVE-2026-4878
@ 2026-05-20  9:14 hsimeliere.opensource
  2026-07-06 13:20 ` Yoann Congal
  0 siblings, 1 reply; 5+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  9:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596
[2] https://security-tracker.debian.org/tracker/CVE-2026-4878

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../libcap/files/CVE-2026-4878.patch          | 164 ++++++++++++++++++
 meta/recipes-support/libcap/libcap_2.69.bb    |   1 +
 2 files changed, 165 insertions(+)
 create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch

diff --git a/meta/recipes-support/libcap/files/CVE-2026-4878.patch b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
new file mode 100644
index 0000000000..dcc63d93a5
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
@@ -0,0 +1,164 @@
+From f17734c6b0f4fd102fe4f7e863cb1165f8ec66e2 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Thu, 12 Mar 2026 07:38:05 -0700
+Subject: [PATCH] Address a potential TOCTOU race condition in cap_set_file().
+
+This issue was researched and reported by Ali Raza (@locus-x64). It
+has been assigned CVE-2026-4878.
+
+The finding is that while cap_set_file() checks if a file is a regular
+file before applying or removing a capability attribute, a small
+window existed after that check when the filepath could be overwritten
+either with new content or a symlink to some other file. To do this
+would imply that the caller of cap_set_file() was directing it to a
+directory over which a local attacker has write access, and performed
+the operation frequently enough that an attacker had a non-negligible
+chance of exploiting the race condition. The code now locks onto the
+intended file, eliminating the race condition.
+
+CVE: CVE-2026-4878
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596]
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+(cherry picked from commit 286ace1259992bd0c5d9016715833f2e148ac596)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ libcap/cap_file.c  | 69 +++++++++++++++++++++++++++++++++++++++-------
+ progs/quicktest.sh | 14 +++++++++-
+ 2 files changed, 72 insertions(+), 11 deletions(-)
+
+diff --git a/libcap/cap_file.c b/libcap/cap_file.c
+index 0bc07f7..f02bf9f 100644
+--- a/libcap/cap_file.c
++++ b/libcap/cap_file.c
+@@ -8,8 +8,13 @@
+ #define _DEFAULT_SOURCE
+ #endif
+ 
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif
++
+ #include <sys/types.h>
+ #include <byteswap.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+ 
+@@ -322,26 +327,70 @@ int cap_set_file(const char *filename, cap_t cap_d)
+     struct vfs_ns_cap_data rawvfscap;
+     int sizeofcaps;
+     struct stat buf;
++    char fdpath[64];
++    int fd, ret;
++
++    _cap_debug("setting filename capabilities");
++    fd = open(filename, O_RDONLY|O_NOFOLLOW);
++    if (fd >= 0) {
++	ret = cap_set_fd(fd, cap_d);
++	close(fd);
++	return ret;
++    }
+ 
+-    if (lstat(filename, &buf) != 0) {
+-	_cap_debug("unable to stat file [%s]", filename);
++    /*
++     * Attempting to set a file capability on a file the process can't
++     * read the content of. This is considered a non-standard use case
++     * and the following (slower) code is complicated because it is
++     * trying to avoid a TOCTOU race condition.
++     */
++
++    fd = open(filename, O_PATH|O_NOFOLLOW);
++    if (fd < 0) {
++	_cap_debug("cannot find file at path [%s]", filename);
++	return -1;
++    }
++    if (fstat(fd, &buf) != 0) {
++	_cap_debug("unable to stat file [%s] descriptor %d",
++		   filename, fd);
++	close(fd);
+ 	return -1;
+     }
+     if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
+-	_cap_debug("file [%s] is not a regular file", filename);
++	_cap_debug("file [%s] descriptor %d for non-regular file",
++		   filename, fd);
++	close(fd);
+ 	errno = EINVAL;
+ 	return -1;
+     }
+ 
+-    if (cap_d == NULL) {
+-	_cap_debug("removing filename capabilities");
+-	return removexattr(filename, XATTR_NAME_CAPS);
++    /*
++     * While the fd remains open, this named file is locked to the
++     * origin regular file. The size of the fdpath variable is
++     * sufficient to support a 160+ bit number.
++     */
++    if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd)
++	>= sizeof(fdpath)) {
++	_cap_debug("file descriptor too large %d", fd);
++	errno = EINVAL;
++	ret = -1;
++
++    } else if (cap_d == NULL) {
++	_cap_debug("dropping file caps on [%s] via [%s]",
++		   filename, fdpath);
++	ret = removexattr(fdpath, XATTR_NAME_CAPS);
++
+     } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
+-	return -1;
+-    }
++	_cap_debug("problem converting cap_d to vfscap format");
++	ret = -1;
+ 
+-    _cap_debug("setting filename capabilities");
+-    return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
++    } else {
++	_cap_debug("setting filename capabilities");
++	ret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap,
++		       sizeofcaps, 0);
++    }
++    close(fd);
++    return ret;
+ }
+ 
+ /*
+diff --git a/progs/quicktest.sh b/progs/quicktest.sh
+index 59e16b0..bb49d53 100755
+--- a/progs/quicktest.sh
++++ b/progs/quicktest.sh
+@@ -148,7 +148,19 @@ pass_capsh --caps="cap_setpcap=p" --inh=cap_chown --current
+ pass_capsh --strict --caps="cap_chown=p" --inh=cap_chown --current
+ 
+ # change the way the capability is obtained (make it inheritable)
++chmod 0000 ./privileged
+ ./setcap cap_setuid,cap_setgid=ei ./privileged
++if [ $? -ne 0 ]; then
++    echo "FAILED to set file capability"
++    exit 1
++fi
++chmod 0755 ./privileged
++ln -s privileged unprivileged
++./setcap -r ./unprivileged
++if [ $? -eq 0 ]; then
++    echo "FAILED by removing a capability from a symlinked file"
++    exit 1
++fi
+ 
+ # Note, the bounding set (edited with --drop) only limits p
+ # capabilities, not i's.
+@@ -246,7 +258,7 @@ EOF
+     pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_setuid'
+     fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_setuid'
+ fi
+-/bin/rm -f ./privileged
++/bin/rm -f ./privileged ./unprivileged
+ 
+ echo "testing namespaced file caps"
+ 
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/libcap/libcap_2.69.bb b/meta/recipes-support/libcap/libcap_2.69.bb
index 03975b44a0..43185f027e 100644
--- a/meta/recipes-support/libcap/libcap_2.69.bb
+++ b/meta/recipes-support/libcap/libcap_2.69.bb
@@ -16,6 +16,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
            file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
            file://0002-tests-do-not-run-target-executables.patch \
            file://CVE-2025-1390.patch \
+           file://CVE-2026-4878.patch \
            "
 SRC_URI:append:class-nativesdk = " \
            file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [OE-core] [scarthgap] [PATCH] libcap: Fix CVE-2026-4878
@ 2026-06-01 13:42 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
  2026-06-08 14:44 ` Jeremy Rosen
  0 siblings, 1 reply; 5+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-01 13:42 UTC (permalink / raw)
  To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare

From: Anil Dongare <adongare@cisco.com>

Pick the upstream patch [1] as mentioned in [2].

[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=286ace1259992bd0c5d9016715833f2e148ac596
[2] https://security-tracker.debian.org/tracker/CVE-2026-4878

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 .../libcap/files/CVE-2026-4878.patch          | 162 ++++++++++++++++++
 meta/recipes-support/libcap/libcap_2.69.bb    |   1 +
 2 files changed, 163 insertions(+)
 create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch

diff --git a/meta/recipes-support/libcap/files/CVE-2026-4878.patch b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
new file mode 100644
index 0000000000..827e41b8a0
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
@@ -0,0 +1,162 @@
+From 286ace1259992bd0c5d9016715833f2e148ac596 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Thu, 12 Mar 2026 07:38:05 -0700
+Subject: [PATCH] Address a potential TOCTOU race condition in cap_set_file().
+
+This issue was researched and reported by Ali Raza (@locus-x64). It
+has been assigned CVE-2026-4878.
+
+The finding is that while cap_set_file() checks if a file is a regular
+file before applying or removing a capability attribute, a small
+window existed after that check when the filepath could be overwritten
+either with new content or a symlink to some other file. To do this
+would imply that the caller of cap_set_file() was directing it to a
+directory over which a local attacker has write access, and performed
+the operation frequently enough that an attacker had a non-negligible
+chance of exploiting the race condition. The code now locks onto the
+intended file, eliminating the race condition.
+
+CVE: CVE-2026-4878
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596]
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+(cherry picked from commit 286ace1259992bd0c5d9016715833f2e148ac596)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ libcap/cap_file.c  | 69 +++++++++++++++++++++++++++++++++++++++-------
+ progs/quicktest.sh | 14 +++++++++-
+ 2 files changed, 72 insertions(+), 11 deletions(-)
+
+diff --git a/libcap/cap_file.c b/libcap/cap_file.c
+index 0bc07f7..f02bf9f 100644
+--- a/libcap/cap_file.c
++++ b/libcap/cap_file.c
+@@ -8,8 +8,13 @@
+ #define _DEFAULT_SOURCE
+ #endif
+ 
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif
++
+ #include <sys/types.h>
+ #include <byteswap.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+ 
+@@ -322,26 +327,70 @@ int cap_set_file(const char *filename, cap_t cap_d)
+     struct vfs_ns_cap_data rawvfscap;
+     int sizeofcaps;
+     struct stat buf;
++    char fdpath[64];
++    int fd, ret;
++
++    _cap_debug("setting filename capabilities");
++    fd = open(filename, O_RDONLY|O_NOFOLLOW);
++    if (fd >= 0) {
++	ret = cap_set_fd(fd, cap_d);
++	close(fd);
++	return ret;
++    }
+ 
+-    if (lstat(filename, &buf) != 0) {
+-	_cap_debug("unable to stat file [%s]", filename);
++    /*
++     * Attempting to set a file capability on a file the process can't
++     * read the content of. This is considered a non-standard use case
++     * and the following (slower) code is complicated because it is
++     * trying to avoid a TOCTOU race condition.
++     */
++
++    fd = open(filename, O_PATH|O_NOFOLLOW);
++    if (fd < 0) {
++	_cap_debug("cannot find file at path [%s]", filename);
++	return -1;
++    }
++    if (fstat(fd, &buf) != 0) {
++	_cap_debug("unable to stat file [%s] descriptor %d",
++		   filename, fd);
++	close(fd);
+ 	return -1;
+     }
+     if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
+-	_cap_debug("file [%s] is not a regular file", filename);
++	_cap_debug("file [%s] descriptor %d for non-regular file",
++		   filename, fd);
++	close(fd);
+ 	errno = EINVAL;
+ 	return -1;
+     }
+ 
+-    if (cap_d == NULL) {
+-	_cap_debug("removing filename capabilities");
+-	return removexattr(filename, XATTR_NAME_CAPS);
++    /*
++     * While the fd remains open, this named file is locked to the
++     * origin regular file. The size of the fdpath variable is
++     * sufficient to support a 160+ bit number.
++     */
++    if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd)
++	>= sizeof(fdpath)) {
++	_cap_debug("file descriptor too large %d", fd);
++	errno = EINVAL;
++	ret = -1;
++
++    } else if (cap_d == NULL) {
++	_cap_debug("dropping file caps on [%s] via [%s]",
++		   filename, fdpath);
++	ret = removexattr(fdpath, XATTR_NAME_CAPS);
++
+     } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
+-	return -1;
+-    }
++	_cap_debug("problem converting cap_d to vfscap format");
++	ret = -1;
+ 
+-    _cap_debug("setting filename capabilities");
+-    return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
++    } else {
++	_cap_debug("setting filename capabilities");
++	ret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap,
++		       sizeofcaps, 0);
++    }
++    close(fd);
++    return ret;
+ }
+ 
+ /*
+diff --git a/progs/quicktest.sh b/progs/quicktest.sh
+index e6c48e6..5dc72f9 100755
+--- a/progs/quicktest.sh
++++ b/progs/quicktest.sh
+@@ -148,7 +148,19 @@ pass_capsh --caps="cap_setpcap=p" --inh=cap_chown --current
+ pass_capsh --strict --caps="cap_chown=p" --inh=cap_chown --current
+ 
+ # change the way the capability is obtained (make it inheritable)
++chmod 0000 ./privileged
+ ./setcap cap_setuid,cap_setgid=ei ./privileged
++if [ $? -ne 0 ]; then
++    echo "FAILED to set file capability"
++    exit 1
++fi
++chmod 0755 ./privileged
++ln -s privileged unprivileged
++./setcap -r ./unprivileged
++if [ $? -eq 0 ]; then
++    echo "FAILED by removing a capability from a symlinked file"
++    exit 1
++fi
+ 
+ # Note, the bounding set (edited with --drop) only limits p
+ # capabilities, not i's.
+@@ -246,7 +258,7 @@ EOF
+     pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_setuid'
+     fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_setuid'
+ fi
+-/bin/rm -f ./privileged
++/bin/rm -f ./privileged ./unprivileged
+ 
+ echo "testing namespaced file caps"
+ 
+-- 
diff --git a/meta/recipes-support/libcap/libcap_2.69.bb b/meta/recipes-support/libcap/libcap_2.69.bb
index 03975b44a0..43185f027e 100644
--- a/meta/recipes-support/libcap/libcap_2.69.bb
+++ b/meta/recipes-support/libcap/libcap_2.69.bb
@@ -16,6 +16,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
            file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
            file://0002-tests-do-not-run-target-executables.patch \
            file://CVE-2025-1390.patch \
+           file://CVE-2026-4878.patch \
            "
 SRC_URI:append:class-nativesdk = " \
            file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \
-- 
2.44.4



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [OE-core] [scarthgap] [PATCH] libcap: Fix CVE-2026-4878
  2026-06-01 13:42 [OE-core] [scarthgap] [PATCH] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-08 14:44 ` Jeremy Rosen
  2026-07-06 16:44   ` Yoann Congal
  0 siblings, 1 reply; 5+ messages in thread
From: Jeremy Rosen @ 2026-06-08 14:44 UTC (permalink / raw)
  To: adongare, openembedded-core; +Cc: xe-linux-external, to

Hello Anil

from what I can tell, this CVE was fixed in master but not in wrynose
please submit a patch for wrynose then ping this thread so we can apply
to scarthgap


thanks a lot
Jeremy


On Mon Jun 1, 2026 at 3:42 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Pick the upstream patch [1] as mentioned in [2].
>
> [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=286ace1259992bd0c5d9016715833f2e148ac596
> [2] https://security-tracker.debian.org/tracker/CVE-2026-4878
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
>  .../libcap/files/CVE-2026-4878.patch          | 162 ++++++++++++++++++
>  meta/recipes-support/libcap/libcap_2.69.bb    |   1 +
>  2 files changed, 163 insertions(+)
>  create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch
>
> diff --git a/meta/recipes-support/libcap/files/CVE-2026-4878.patch b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
> new file mode 100644
> index 0000000000..827e41b8a0
> --- /dev/null
> +++ b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
> @@ -0,0 +1,162 @@
> +From 286ace1259992bd0c5d9016715833f2e148ac596 Mon Sep 17 00:00:00 2001
> +From: "Andrew G. Morgan" <morgan@kernel.org>
> +Date: Thu, 12 Mar 2026 07:38:05 -0700
> +Subject: [PATCH] Address a potential TOCTOU race condition in cap_set_file().
> +
> +This issue was researched and reported by Ali Raza (@locus-x64). It
> +has been assigned CVE-2026-4878.
> +
> +The finding is that while cap_set_file() checks if a file is a regular
> +file before applying or removing a capability attribute, a small
> +window existed after that check when the filepath could be overwritten
> +either with new content or a symlink to some other file. To do this
> +would imply that the caller of cap_set_file() was directing it to a
> +directory over which a local attacker has write access, and performed
> +the operation frequently enough that an attacker had a non-negligible
> +chance of exploiting the race condition. The code now locks onto the
> +intended file, eliminating the race condition.
> +
> +CVE: CVE-2026-4878
> +Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596]
> +
> +Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
> +(cherry picked from commit 286ace1259992bd0c5d9016715833f2e148ac596)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + libcap/cap_file.c  | 69 +++++++++++++++++++++++++++++++++++++++-------
> + progs/quicktest.sh | 14 +++++++++-
> + 2 files changed, 72 insertions(+), 11 deletions(-)
> +
> +diff --git a/libcap/cap_file.c b/libcap/cap_file.c
> +index 0bc07f7..f02bf9f 100644
> +--- a/libcap/cap_file.c
> ++++ b/libcap/cap_file.c
> +@@ -8,8 +8,13 @@
> + #define _DEFAULT_SOURCE
> + #endif
> + 
> ++#ifndef _GNU_SOURCE
> ++#define _GNU_SOURCE
> ++#endif
> ++
> + #include <sys/types.h>
> + #include <byteswap.h>
> ++#include <fcntl.h>
> + #include <sys/stat.h>
> + #include <unistd.h>
> + 
> +@@ -322,26 +327,70 @@ int cap_set_file(const char *filename, cap_t cap_d)
> +     struct vfs_ns_cap_data rawvfscap;
> +     int sizeofcaps;
> +     struct stat buf;
> ++    char fdpath[64];
> ++    int fd, ret;
> ++
> ++    _cap_debug("setting filename capabilities");
> ++    fd = open(filename, O_RDONLY|O_NOFOLLOW);
> ++    if (fd >= 0) {
> ++	ret = cap_set_fd(fd, cap_d);
> ++	close(fd);
> ++	return ret;
> ++    }
> + 
> +-    if (lstat(filename, &buf) != 0) {
> +-	_cap_debug("unable to stat file [%s]", filename);
> ++    /*
> ++     * Attempting to set a file capability on a file the process can't
> ++     * read the content of. This is considered a non-standard use case
> ++     * and the following (slower) code is complicated because it is
> ++     * trying to avoid a TOCTOU race condition.
> ++     */
> ++
> ++    fd = open(filename, O_PATH|O_NOFOLLOW);
> ++    if (fd < 0) {
> ++	_cap_debug("cannot find file at path [%s]", filename);
> ++	return -1;
> ++    }
> ++    if (fstat(fd, &buf) != 0) {
> ++	_cap_debug("unable to stat file [%s] descriptor %d",
> ++		   filename, fd);
> ++	close(fd);
> + 	return -1;
> +     }
> +     if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
> +-	_cap_debug("file [%s] is not a regular file", filename);
> ++	_cap_debug("file [%s] descriptor %d for non-regular file",
> ++		   filename, fd);
> ++	close(fd);
> + 	errno = EINVAL;
> + 	return -1;
> +     }
> + 
> +-    if (cap_d == NULL) {
> +-	_cap_debug("removing filename capabilities");
> +-	return removexattr(filename, XATTR_NAME_CAPS);
> ++    /*
> ++     * While the fd remains open, this named file is locked to the
> ++     * origin regular file. The size of the fdpath variable is
> ++     * sufficient to support a 160+ bit number.
> ++     */
> ++    if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd)
> ++	>= sizeof(fdpath)) {
> ++	_cap_debug("file descriptor too large %d", fd);
> ++	errno = EINVAL;
> ++	ret = -1;
> ++
> ++    } else if (cap_d == NULL) {
> ++	_cap_debug("dropping file caps on [%s] via [%s]",
> ++		   filename, fdpath);
> ++	ret = removexattr(fdpath, XATTR_NAME_CAPS);
> ++
> +     } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
> +-	return -1;
> +-    }
> ++	_cap_debug("problem converting cap_d to vfscap format");
> ++	ret = -1;
> + 
> +-    _cap_debug("setting filename capabilities");
> +-    return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
> ++    } else {
> ++	_cap_debug("setting filename capabilities");
> ++	ret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap,
> ++		       sizeofcaps, 0);
> ++    }
> ++    close(fd);
> ++    return ret;
> + }
> + 
> + /*
> +diff --git a/progs/quicktest.sh b/progs/quicktest.sh
> +index e6c48e6..5dc72f9 100755
> +--- a/progs/quicktest.sh
> ++++ b/progs/quicktest.sh
> +@@ -148,7 +148,19 @@ pass_capsh --caps="cap_setpcap=p" --inh=cap_chown --current
> + pass_capsh --strict --caps="cap_chown=p" --inh=cap_chown --current
> + 
> + # change the way the capability is obtained (make it inheritable)
> ++chmod 0000 ./privileged
> + ./setcap cap_setuid,cap_setgid=ei ./privileged
> ++if [ $? -ne 0 ]; then
> ++    echo "FAILED to set file capability"
> ++    exit 1
> ++fi
> ++chmod 0755 ./privileged
> ++ln -s privileged unprivileged
> ++./setcap -r ./unprivileged
> ++if [ $? -eq 0 ]; then
> ++    echo "FAILED by removing a capability from a symlinked file"
> ++    exit 1
> ++fi
> + 
> + # Note, the bounding set (edited with --drop) only limits p
> + # capabilities, not i's.
> +@@ -246,7 +258,7 @@ EOF
> +     pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_setuid'
> +     fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_setuid'
> + fi
> +-/bin/rm -f ./privileged
> ++/bin/rm -f ./privileged ./unprivileged
> + 
> + echo "testing namespaced file caps"
> + 
> +-- 
> diff --git a/meta/recipes-support/libcap/libcap_2.69.bb b/meta/recipes-support/libcap/libcap_2.69.bb
> index 03975b44a0..43185f027e 100644
> --- a/meta/recipes-support/libcap/libcap_2.69.bb
> +++ b/meta/recipes-support/libcap/libcap_2.69.bb
> @@ -16,6 +16,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
>             file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
>             file://0002-tests-do-not-run-target-executables.patch \
>             file://CVE-2025-1390.patch \
> +           file://CVE-2026-4878.patch \
>             "
>  SRC_URI:append:class-nativesdk = " \
>             file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [OE-core][scarthgap][PATCH] libcap: Fix CVE-2026-4878
  2026-05-20  9:14 [OE-core][scarthgap][PATCH] libcap: Fix CVE-2026-4878 hsimeliere.opensource
@ 2026-07-06 13:20 ` Yoann Congal
  0 siblings, 0 replies; 5+ messages in thread
From: Yoann Congal @ 2026-07-06 13:20 UTC (permalink / raw)
  To: hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY

On Wed May 20, 2026 at 11:14 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>
> Pick patch from [1] as mentioned in Debian report in [2].
>
> [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596
> [2] https://security-tracker.debian.org/tracker/CVE-2026-4878
>
> Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
> ---
>  .../libcap/files/CVE-2026-4878.patch          | 164 ++++++++++++++++++
>  meta/recipes-support/libcap/libcap_2.69.bb    |   1 +
>  2 files changed, 165 insertions(+)
>  create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch

Hello,

As far as I can tell, this patch is needed on wrynose.
Can you send a patch for it so I can accept this patch on scarthgap?

Thanks!
-- 
Yoann Congal
Smile ECS



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [OE-core] [scarthgap] [PATCH] libcap: Fix CVE-2026-4878
  2026-06-08 14:44 ` Jeremy Rosen
@ 2026-07-06 16:44   ` Yoann Congal
  0 siblings, 0 replies; 5+ messages in thread
From: Yoann Congal @ 2026-07-06 16:44 UTC (permalink / raw)
  To: jeremy.rosen, adongare, openembedded-core; +Cc: xe-linux-external, to

On Mon Jun 8, 2026 at 4:44 PM CEST, J?r?my Rosen via lists.openembedded.org wrote:
> Hello Anil
>
> from what I can tell, this CVE was fixed in master but not in wrynose
> please submit a patch for wrynose then ping this thread so we can apply
> to scarthgap

Hello Anil,

Gentle ping for this patch, do you plan to send the needed patch for
wrynose?

Thanks!
>
>
> thanks a lot
> Jeremy
>
>
> On Mon Jun 1, 2026 at 3:42 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
>> From: Anil Dongare <adongare@cisco.com>
>>
>> Pick the upstream patch [1] as mentioned in [2].
>>
>> [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=286ace1259992bd0c5d9016715833f2e148ac596
>> [2] https://security-tracker.debian.org/tracker/CVE-2026-4878
>>
>> Signed-off-by: Anil Dongare <adongare@cisco.com>
>> ---
>>  .../libcap/files/CVE-2026-4878.patch          | 162 ++++++++++++++++++
>>  meta/recipes-support/libcap/libcap_2.69.bb    |   1 +
>>  2 files changed, 163 insertions(+)
>>  create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch

-- 
Yoann Congal


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-06 16:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20  9:14 [OE-core][scarthgap][PATCH] libcap: Fix CVE-2026-4878 hsimeliere.opensource
2026-07-06 13:20 ` Yoann Congal
  -- strict thread matches above, loose matches on Subject: below --
2026-06-01 13:42 [OE-core] [scarthgap] [PATCH] " Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-08 14:44 ` Jeremy Rosen
2026-07-06 16:44   ` Yoann Congal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox