{"id":2224314,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2224314/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260417090555.93440-1-thomas.perale@mind.be/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.2/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260417090555.93440-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-17T09:05:55","name":"[2025.02.x] package/libcap: patch CVE-2026-4878","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"c887bdad54bf6b7c4c9330525ad466773940a3ba","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/1.2/people/87308/?format=json","name":"Thomas Perale","email":"thomas.perale@mind.be"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260417090555.93440-1-thomas.perale@mind.be/mbox/","series":[{"id":500284,"url":"http://patchwork.ozlabs.org/api/1.2/series/500284/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=500284","date":"2026-04-17T09:05:55","name":"[2025.02.x] package/libcap: patch CVE-2026-4878","version":1,"mbox":"http://patchwork.ozlabs.org/series/500284/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224314/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224314/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=OZsGWEpf;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxprv0w8Zz1yDF\n\tfor ;\n Fri, 17 Apr 2026 19:06:07 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 6E4BA6081B;\n\tFri, 17 Apr 2026 09:06:05 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id zOzuQqYkraYk; Fri, 17 Apr 2026 09:06:04 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 2A900607C1;\n\tFri, 17 Apr 2026 09:06:04 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id 6D729259\n for ; Fri, 17 Apr 2026 09:06:02 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 39A9C80AC6\n for ; Fri, 17 Apr 2026 09:06:01 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id kZKNvrZg4iKM for ;\n Fri, 17 Apr 2026 09:06:00 +0000 (UTC)","from mail-wm1-x336.google.com (mail-wm1-x336.google.com\n [IPv6:2a00:1450:4864:20::336])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 2865D80AF7\n for ; Fri, 17 Apr 2026 09:05:58 +0000 (UTC)","by mail-wm1-x336.google.com with SMTP id\n 5b1f17b1804b1-48334ee0aeaso3915505e9.1\n for ; Fri, 17 Apr 2026 02:05:58 -0700 (PDT)","from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488fc0f82bbsm49446555e9.3.2026.04.17.02.05.55\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 17 Apr 2026 02:05:55 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 2A900607C1","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 2865D80AF7"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776416764;\n\tbh=ZOqEjvmnGxkTHCE3ej3H0XS78FjVrskIw0O+waIYFH4=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=OZsGWEpfxVWRrCLcQ/QdzsoWwMnNJfR//xdvete4c/MN96IHtbZJwv3UYTvi8w81V\n\t flqfLEJJR1JnXRZkhNgYYs3jLbHI4L0Qdw6CMBsOrQk5mY4fyrm/doIExbmjhQBBQh\n\t YZADY/Yt1k5J8TSHUwVYSqeLDIxQCdLO10OD2y7WWtXNlH0YbB2V6utMfzR9ST+b1Q\n\t zo7Gk9TmsmwFn0BjOiRvkYhnXHEfnutOWLdbVFzgGKlxQEG6/nHelqcE4vekZSnJqq\n\t HobCR1py+vIfKuzf2vvmxxlRg9viz0HNxYhsRuUAfSxEvwUasUyTeZyHwbhClfIo7C\n\t qzbJsTovLDFhw==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::336; helo=mail-wm1-x336.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 2865D80AF7","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776416756; x=1777021556;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=a6JvpqSnQKyCTkb75z4fhPcsNMsOJEtlDgQoYFrDldg=;\n b=ED6/a15rL+U9S7RBHg9m1ZitL9x+fwWi5Q2eaOdOb7Yue73b71m1iRFBpwA9M8F10B\n oe3smWHNQQE9FqxrG/3F4N8Zd9bL+UhBsx6sqUXfTO7bCG0duJ+8crzKL98mssqSc0N1\n M87Nu6TimwFvOg3qtCM8e7v2QKPHDfkTn/jB7qZGAO8QDaUeLHzYnPG+7MJmoqqBREq0\n Z+erUxDoCkSzj5YmrMGUgcvgBtgWyO5+ZsQ+KrPfcPNqfe81lGwc75p4+iB4bIS+fupu\n T79YOz3dYPuxX3H1j3mHBBcAFcMYvn9CRP3yN00J7c8Fp/8y/t89IGgDT3F66/MgaZjq\n To0w==","X-Gm-Message-State":"AOJu0YxBgpFDAUuyh0z6DuvnlZwybmpeVxAgFNdg8xcW7JXMidflWai/\n 5j+tNfsCQrzd49bZstbN/2hrNtnSkl73AeARRoxDESIhbrzdOxWmBQrTCqw0W/kikcUMZq5sM1e\n Qu/Cr","X-Gm-Gg":"AeBDieuWYg8f+cstJSVg1ZnjciKdXImAREBqtmc1X9Bi6MWxOCNZybUIW4Cm6jRbAgS\n vVHZ+CtNNbCCjgh4fJhD50PK4bmuIT++TLxcIH74atTFMvIKqA7I5i13JH2TMeU/2STxRdikz0h\n RppUFCvqVjjmW4x5HiUEh0bfYiX1c2h7mGjcQ8fLCgjAX31zEVfAz2Y9PkNOZSJQKq1eoCrSAcw\n phh8hcymFdT39a1pzed+g5NsCc2X7OSLSoMNrosyHlE6Y7iU6DrTxLwXoHc+YprBW3PSQYiEs3/\n Q7tQUrtPcQaSQh08X0Ti93K3jbv6qsVBWnAzUF66qUHTFUg3QwQ1p8rxIQbv/SFzewEWm5tqdPD\n oCr8ZJxt70oC5wV3wR52AbDK/7IbNUR8WKUSz7HqpkjXJ6vcFVgtq6YKFt1rF2TxnI0u1PAXEL9\n 9bFbNgHaImp411RFndu1FT2Oux9yc=","X-Received":"by 2002:a05:600c:5295:b0:485:364e:9328 with SMTP id\n 5b1f17b1804b1-488fb77d12dmr23585865e9.16.1776416756263;\n Fri, 17 Apr 2026 02:05:56 -0700 (PDT)","To":"buildroot@buildroot.org","Cc":"Bernd Kuhls ,\n Thomas Petazzoni ","Date":"Fri, 17 Apr 2026 11:05:55 +0200","Message-ID":"<20260417090555.93440-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1776416756; x=1777021556; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=a6JvpqSnQKyCTkb75z4fhPcsNMsOJEtlDgQoYFrDldg=;\n b=WrmBR76cALoM2NkR1dcbC1IhynWDfvkJJ2o5q7j+1z06UF/1phz17/pMQxSXh0+YxD\n R1R/bZqP8b0S/SDPqUp70RtxcWXJMJMjqBaOeaqjZ1Bgci7PfpGr3/SGrgXCBpnTUKUq\n XBwlJ7WsKWdYaFk7XmNbdDKqwx40lOqYwr+kgH/cfF9lYLQwVzM4RqYfL/z24r4VD2zL\n aTo4LgmT9dUkKl82vv0/3ODGMhnHmID7GvLm38p0DQbGnGldLQxrt8VXdzTZhVGc4LAF\n qg6h084foNZMKH42TNZGOeU49TILJdkBt2WerutX0AbVklE5J4Ww0wO9i4cFHT9Vmdf0\n NgRw==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=WrmBR76c"],"Subject":"[Buildroot] [PATCH 2025.02.x] package/libcap: patch CVE-2026-4878","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"Thomas Perale via buildroot ","Reply-To":"Thomas Perale ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "},"content":"Fixes the following vulnerability:\n\n- CVE-2026-4878:\n A flaw was found in libcap. A local unprivileged user can exploit a\n Time-of-check-to-time-of-use (TOCTOU) race condition in the\n `cap_set_file()` function. This allows an attacker with write access\n to a parent directory to redirect file capability updates to an\n attacker-controlled file. By doing so, capabilities can be injected\n into or stripped from unintended executables, leading to privilege\n escalation.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-4878\n - https://security-tracker.debian.org/tracker/CVE-2026-4878\n - https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596\n\nSigned-off-by: Thomas Perale \n---\n ...OCTOU-race-condition-in-cap-set-file.patch | 162 ++++++++++++++++++\n package/libcap/libcap.mk | 3 +\n 2 files changed, 165 insertions(+)\n create mode 100644 package/libcap/0001-Address-a-potential-TOCTOU-race-condition-in-cap-set-file.patch","diff":"diff --git a/package/libcap/0001-Address-a-potential-TOCTOU-race-condition-in-cap-set-file.patch b/package/libcap/0001-Address-a-potential-TOCTOU-race-condition-in-cap-set-file.patch\nnew file mode 100644\nindex 0000000000..7646cac531\n--- /dev/null\n+++ b/package/libcap/0001-Address-a-potential-TOCTOU-race-condition-in-cap-set-file.patch\n@@ -0,0 +1,162 @@\n+From 286ace1259992bd0c5d9016715833f2e148ac596 Mon Sep 17 00:00:00 2001\n+From: \"Andrew G. Morgan\" \n+Date: Thu, 12 Mar 2026 07:38:05 -0700\n+Subject: Address a potential TOCTOU race condition in cap_set_file().\n+\n+This issue was researched and reported by Ali Raza (@locus-x64). It\n+has been assigned CVE-2026-4878.\n+\n+The finding is that while cap_set_file() checks if a file is a regular\n+file before applying or removing a capability attribute, a small\n+window existed after that check when the filepath could be overwritten\n+either with new content or a symlink to some other file. To do this\n+would imply that the caller of cap_set_file() was directing it to a\n+directory over which a local attacker has write access, and performed\n+the operation frequently enough that an attacker had a non-negligible\n+chance of exploiting the race condition. The code now locks onto the\n+intended file, eliminating the race condition.\n+\n+Signed-off-by: Andrew G. Morgan \n+CVE: CVE-2026-4878\n+Upstream: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596\n+Signed-off-by: Thomas Perale \n+---\n+ libcap/cap_file.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++--------\n+ progs/quicktest.sh | 14 ++++++++++-\n+ 2 files changed, 72 insertions(+), 11 deletions(-)\n+\n+diff --git a/libcap/cap_file.c b/libcap/cap_file.c\n+index 0bc07f7..f02bf9f 100644\n+--- a/libcap/cap_file.c\n++++ b/libcap/cap_file.c\n+@@ -8,8 +8,13 @@\n+ #define _DEFAULT_SOURCE\n+ #endif\n+ \n++#ifndef _GNU_SOURCE\n++#define _GNU_SOURCE\n++#endif\n++\n+ #include \n+ #include \n++#include \n+ #include \n+ #include \n+ \n+@@ -322,26 +327,70 @@ int cap_set_file(const char *filename, cap_t cap_d)\n+ struct vfs_ns_cap_data rawvfscap;\n+ int sizeofcaps;\n+ struct stat buf;\n++ char fdpath[64];\n++ int fd, ret;\n++\n++ _cap_debug(\"setting filename capabilities\");\n++ fd = open(filename, O_RDONLY|O_NOFOLLOW);\n++ if (fd >= 0) {\n++\tret = cap_set_fd(fd, cap_d);\n++\tclose(fd);\n++\treturn ret;\n++ }\n+ \n+- if (lstat(filename, &buf) != 0) {\n+-\t_cap_debug(\"unable to stat file [%s]\", filename);\n++ /*\n++ * Attempting to set a file capability on a file the process can't\n++ * read the content of. This is considered a non-standard use case\n++ * and the following (slower) code is complicated because it is\n++ * trying to avoid a TOCTOU race condition.\n++ */\n++\n++ fd = open(filename, O_PATH|O_NOFOLLOW);\n++ if (fd < 0) {\n++\t_cap_debug(\"cannot find file at path [%s]\", filename);\n++\treturn -1;\n++ }\n++ if (fstat(fd, &buf) != 0) {\n++\t_cap_debug(\"unable to stat file [%s] descriptor %d\",\n++\t\t filename, fd);\n++\tclose(fd);\n+ \treturn -1;\n+ }\n+ if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {\n+-\t_cap_debug(\"file [%s] is not a regular file\", filename);\n++\t_cap_debug(\"file [%s] descriptor %d for non-regular file\",\n++\t\t filename, fd);\n++\tclose(fd);\n+ \terrno = EINVAL;\n+ \treturn -1;\n+ }\n+ \n+- if (cap_d == NULL) {\n+-\t_cap_debug(\"removing filename capabilities\");\n+-\treturn removexattr(filename, XATTR_NAME_CAPS);\n++ /*\n++ * While the fd remains open, this named file is locked to the\n++ * origin regular file. The size of the fdpath variable is\n++ * sufficient to support a 160+ bit number.\n++ */\n++ if (snprintf(fdpath, sizeof(fdpath), \"/proc/self/fd/%d\", fd)\n++\t>= sizeof(fdpath)) {\n++\t_cap_debug(\"file descriptor too large %d\", fd);\n++\terrno = EINVAL;\n++\tret = -1;\n++\n++ } else if (cap_d == NULL) {\n++\t_cap_debug(\"dropping file caps on [%s] via [%s]\",\n++\t\t filename, fdpath);\n++\tret = removexattr(fdpath, XATTR_NAME_CAPS);\n++\n+ } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {\n+-\treturn -1;\n+- }\n++\t_cap_debug(\"problem converting cap_d to vfscap format\");\n++\tret = -1;\n+ \n+- _cap_debug(\"setting filename capabilities\");\n+- return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);\n++ } else {\n++\t_cap_debug(\"setting filename capabilities\");\n++\tret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap,\n++\t\t sizeofcaps, 0);\n++ }\n++ close(fd);\n++ return ret;\n+ }\n+ \n+ /*\n+diff --git a/progs/quicktest.sh b/progs/quicktest.sh\n+index e6c48e6..5dc72f9 100755\n+--- a/progs/quicktest.sh\n++++ b/progs/quicktest.sh\n+@@ -148,7 +148,19 @@ pass_capsh --caps=\"cap_setpcap=p\" --inh=cap_chown --current\n+ pass_capsh --strict --caps=\"cap_chown=p\" --inh=cap_chown --current\n+ \n+ # change the way the capability is obtained (make it inheritable)\n++chmod 0000 ./privileged\n+ ./setcap cap_setuid,cap_setgid=ei ./privileged\n++if [ $? -ne 0 ]; then\n++ echo \"FAILED to set file capability\"\n++ exit 1\n++fi\n++chmod 0755 ./privileged\n++ln -s privileged unprivileged\n++./setcap -r ./unprivileged\n++if [ $? -eq 0 ]; then\n++ echo \"FAILED by removing a capability from a symlinked file\"\n++ exit 1\n++fi\n+ \n+ # Note, the bounding set (edited with --drop) only limits p\n+ # capabilities, not i's.\n+@@ -246,7 +258,7 @@ EOF\n+ pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_setuid'\n+ fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_setuid'\n+ fi\n+-/bin/rm -f ./privileged\n++/bin/rm -f ./privileged ./unprivileged\n+ \n+ echo \"testing namespaced file caps\"\n+ \n+-- \n+cgit 1.3-korg\n+\ndiff --git a/package/libcap/libcap.mk b/package/libcap/libcap.mk\nindex 25b3a46c44..b0ce257a5a 100644\n--- a/package/libcap/libcap.mk\n+++ b/package/libcap/libcap.mk\n@@ -11,6 +11,9 @@ LIBCAP_LICENSE = GPL-2.0 or BSD-3-Clause\n LIBCAP_LICENSE_FILES = License\n LIBCAP_CPE_ID_VALID = YES\n \n+# 0001-Address-a-potential-TOCTOU-race-condition-in-cap-set-file.patch\n+LIBCAP_IGNORE_CVES += CVE-2026-4878\n+\n LIBCAP_DEPENDENCIES = host-gperf\n LIBCAP_INSTALL_STAGING = YES\n \n","prefixes":["2025.02.x"]}