Merged
34 changes: 34 additions & 0 deletions crates/users/RUSTSEC-0000-0000.md
@@ -0,0 +1,34 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "users"
date = "2025-01-15"
url = "https://github.com/ogham/rust-users/issues/44"
categories = ["privilege-escalation"]

[versions]
patched = []
unaffected = ["< 0.8.0"]
```

# `root` appended to group listings

Affected versions append `root` to group listings, unless the correct listing
has exactly 1024 groups.

This affects both:

- The supplementary groups of a user
- The group access list of the current process

If the caller uses this information for access control, this may lead to
privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading
to them is a workaround.

## Recommended alternatives
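Review bot: the description in this hunk leaves two things a downstream user needs unstated: where the "exactly 1024 groups" exception comes from, and which functions are affected. The 1024 figure reads as a magic number; a one-line explanation of why a listing of that exact size is unaffected would let readers judge whether their deployments can hit the bad case. The body also describes the affected behaviour ("supplementary groups of a user", "group access list of the current process") without naming the functions that were added in 0.8.0 and produce those listings; naming them would let users grep their code for the affected call sites rather than infer them from prose, and would make the `unaffected = ["< 0.8.0"]` boundary in the metadata self-explanatory.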
Contributor
Sorry, I think we have to be a bit careful in our wording here. Suggest to replace "Recommended" with "Potential".

(Also, would be nice to add an empty line after the section title.)

Contributor Author

This section was copied word-for-word from the previous report on users.

- [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of the `users` crate)
- [`sysinfo`](https://crates.io/crates/sysinfo)