Report incorrect group information in users

Daniel Thwaites
2025-06-02 14:50:41 +01:00
committed by Dirkjan Ochtman
parent d3b9244290
commit 0c55633e33


@@ -0,0 +1,34 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "users"
date = "2025-01-15"
url = "https://github.com/ogham/rust-users/issues/44"
categories = ["privilege-escalation"]
[versions]
patched = []
unaffected = ["< 0.8.0"]
```
# `root` appended to group listings
Affected versions append `root` to group listings, unless the correct listing
has exactly 1024 groups.
This affects both:
- The supplementary groups of a user
- The group access list of the current process
If the caller uses this information for access control, this may lead to
privilege escalation.
This crate is not currently maintained, so a patched version is not available.
Versions older than 0.8.0 do not contain the affected functions, so downgrading
to them is a workaround.
## Recommended alternatives
- [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of the `users` crate)
- [`sysinfo`](https://crates.io/crates/sysinfo)
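Review bot: the `[versions]` table leaves every release `>= 0.8.0` affected with `patched = []`, which matches the prose, but the advisory never names the affected API paths; the RustSec format supports an `[affected]` table with a `functions` list (and an `os` list, since group lookup is Unix-only), and the two items `- The supplementary groups of a user` / `- The group access list of the current process` already identify the functions by description, so adding their concrete paths there would let tooling and readers pinpoint the callers at risk. The condition "unless the correct listing has exactly 1024 groups" also deserves a sentence on what happens for listings longer than 1024 groups (truncated, or still with the spurious `root` entry), since as written readers must guess at the boundary behaviour.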