FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Incorrect libcap_net limitation list manipulation

Affected packages
13.2 <= FreeBSD < 13.2_5


VuXML ID f4464e49-7e04-11ee-8e38-002590c1f29c
Discovery 2023-11-08
Entry 2023-11-08

Problem Description:

Casper services allow limiting operations that a process can perform. Each service maintains a specific list of permitted operations. Certain operations can be further restricted, such as specifying which domain names can be resolved. During the verification of limits, the service must ensure that the new set of constraints is a subset of the previous one. In the case of the cap_net service, the currently limited set of domain names was fetched incorrectly.


In certain scenarios, if only a list of resolvable domain names was specified without setting any other limitations, the application could submit a new list of domains including include entries not previously in the list.


CVE Name CVE-2023-5978
FreeBSD Advisory SA-23:16.cap_net