From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date: Mon, 17 Feb 2025 10:31:55 +0800
Subject: pam_cap: Fix potential configuration parsing error

The current configuration parsing does not actually skip user names
that do not start with @, but instead treats the name as a group
name for further parsing, which can result in matching unexpected
capability sets and may trigger potential security issues.  Only
names starting with @ should be parsed as group names.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>

Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878]
CVE: CVE-2025-1390
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 pam_cap/pam_cap.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
index b9419cb..18647a1 100644
--- a/pam_cap/pam_cap.c
+++ b/pam_cap/pam_cap.c
@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
 
 	    if (line[0] != '@') {
 		D(("user [%s] is not [%s] - skipping", user, line));
+		continue;
 	    }
 
 	    int i;
-- 
2.25.1