An out-of-bounds (OOB) read vulnerability has been detected in the cap_to_text() function in cap_text.c (tested version: development version, master branch, Jan 10, 2020). cap_to_text() performs a call to getstateflags(caps, n) [line 255].
When getstateflags(cap_t caps, int capno) is called with capno equal to 37, isset_cap((__cap_s *)(&caps->set.inheritable), capno) will expand to &((__cap_s *)(&caps->set.inheritable))->_blk[(37)>>5], thus accessing caps->set.inheritable at an index that lies outside of the caps struct bounds (0x603000001af7 in our example).
Image 1: Debug information
As a result, an OOB read occurs that accesses memory outside of the boundaries of the cap_t struct instance.
Due to the relative offsets of the inheritable members in the caps struct, this bug does not affect set.permitted.
Image 2: Caps struct members
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address,undefined -g" CXXFLAGS="-fsanitize=address,undefined -g" LDFLAGS="-fsanitize=address,undefined" ./configure
LDFLAGS="-fsanitize=address,undefined" make -j4
# ./proftpd -n -c /home/antonio/Downloads/GCOV-proftpd/sample-configurations/basic.conf -d 10 -X
USER XXXX\r\nPASS XXXX\r\n)
This issue may lead to a post-authentication OOB read.
The vulnerability was fixed by updating the bundled libcap and relying on the system libcap instead. More information on this issue
This report was subject to our coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at email@example.com; please include the GHSL-YEAR-ID in any communication regarding this issue.