Libcap is a library for getting and setting POSIX.1e draft 15 capabilities. The 26-year-old project is maintained by Andrew G. Morgan, a dedicated FOSS community member who was a joy to work with.
The audit identified two vulnerabilities, one of medium severity (CVE-2023-2603) and one of low severity (CVE-2023-2602), which guided the customization of multiple fuzz test harnesses for the project. Because libcap is written in C, where memory corruption vulnerabilities are common, X41 fuzzed it with AFL++ in combination with ASAN (AddressSanitizer). The low-severity finding was a memory leak, and the medium-severity finding was an integer overflow on 32-bit systems with a specific byte size. Both were addressed before publication of this blog.
“I would very much like to thank the OSTIF and X41 D-Sec for organizing and completing a thorough and timely audit of the libcap project code. The written audit report is well structured, clear and insightful and I’m happy that libcap-2.69 has addressed the issues it has uncovered.” -Andrew G. Morgan
OSTIF would like to thank X41 D-Sec for their hard work and perpetual dedication to FOSS security. Their blog can be found here with further details of this project. We extend our gratitude to Amazon Web Services for their sponsorship of this audit and, by extension, of important security work being performed in open source.
The full audit report can be found here: https://ostif.org/wp-content/uploads/2023/05/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf