libcap/backport-There-was-a-small-memory-leak-in-pam_cap.so-when-lib.patch
yunjia_w 7c17239143 fix CVE-2023-2602/CVE-2023-2603 && fix memory leaks
Signed-off-by: yunjia_w <yunjia.wang@huawei.com>
(cherry picked from commit d456449fd3c00d2e271b680801831296db5de549)
2023-05-30 11:45:47 +08:00

From 917c8b5d3450870b4f25fd4a5a5198faa9de9aeb Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan" <morgan@kernel.org>
Date: Wed, 3 May 2023 20:12:52 -0700
Subject: [PATCH] There was a small memory leak in pam_cap.so when libpam
returned an error.

The function pam_set_data() takes ownership of a memory pointer if
the call succeeds, but does not take that ownership if the function
fails. Previously, the failure caused no deferred capability setting and
a return code PAM_IGNORE. It continues to do that in this case, but no
longer leaks the allocated iab memory.

This bug was introduced with deferred IAB capability setting support in
libcap-2.58.

Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH
(https://x41-dsec.de/) who performed a security audit of the libcap
source code in April of 2023. The audit was sponsored by the Open
Source Technology Improvement Fund (https://ostif.org/).

Audit ref: LCAP-CR-23-100

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
---
pam_cap/pam_cap.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
index 7e8cade..91278dc 100644
--- a/pam_cap/pam_cap.c
+++ b/pam_cap/pam_cap.c
@@ -290,7 +290,12 @@ static int set_capabilities(struct pam_cap_s *cs)
if (cs->defer) {
D(("configured to delay applying IAB"));
- pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
+ int ret = pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
+ if (ret != PAM_SUCCESS) {
+ D(("unable to cache capabilities for delayed setting: %d", ret));
+ /* since ok=0, the module will return PAM_IGNORE */
+ cap_free(iab);
+ }
iab = NULL;
} else if (!cap_iab_set_proc(iab)) {
D(("able to set the IAB [%s] value", conf_caps));
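Review bot: In the new `if (ret != PAM_SUCCESS)` branch the failure is reported only through `D((...))`, and the comment depends on `ok` being 0, which this hunk does not show. If `D()` is a debug-only macro, a production build drops the deferred capabilities without leaving any trace for the administrator. Consider logging the failure with `pam_syslog(cs->pamh, LOG_ERR, ...)` as well, and either setting `ok = 0` explicitly here or pointing the comment at the line where it is initialised. A smaller style point: `int ret` is declared after the `D(("configured to delay applying IAB"))` statement, so if the file is meant to build as C90 the declaration should move to the top of the block. The `cap_free(iab)` followed by the existing `iab = NULL` is the right pairing, since it stops later cleanup from freeing the pointer twice on the failure path and from freeing memory libpam now owns on the success path.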
--
2.27.0