- Reported
-
- Issued
-
- Package
-
users
(crates.io)
- Type
-
Vulnerability
- Categories
-
- References
-
- Patched
-
no patched versions
- Unaffected
-
Description
Affected versions append root to group listings, unless the correct listing
has exactly 1024 groups.
This affects both:
- The supplementary groups of a user
- The group access list of the current process
If the caller uses this information for access control, this may lead to
privilege escalation.
This crate is not currently maintained, so a patched version is not available.
Versions older than 0.8.0 do not contain the affected functions, so downgrading
to them is a workaround.
Recommended alternatives
uzers (an actively maintained fork of the users crate)sysinfo
Advisory available under CC0-1.0
license.