{"id":"RUSTSEC-2021-0119","summary":"Out-of-bounds write in nix::unistd::getgrouplist","details":"On certain platforms, if a user has more than 16 groups, the\n`nix::unistd::getgrouplist` function will call the libc `getgrouplist`\nfunction with a length parameter greater than the size of the buffer it\nprovides, resulting in an out-of-bounds write and memory corruption.\n\nThe libc `getgrouplist` function takes an in/out parameter `ngroups`\nspecifying the size of the group buffer. When the buffer is too small to\nhold all of the requested user's group memberships, some libc\nimplementations, including glibc and Solaris libc, will modify `ngroups`\nto indicate the actual number of groups for the user, in addition to\nreturning an error. The version of `nix::unistd::getgrouplist` in nix\n0.16.0 and up will resize the buffer to twice its size, but will not\nread or modify the `ngroups` variable. Thus, if the user has more than\ntwice as many groups as the initial buffer size of 8, the next call to\n`getgrouplist` will then write past the end of the buffer.\n\nThe issue would require editing /etc/groups to exploit, which is usually\nonly editable by the root user.","aliases":["CVE-2021-45707","GHSA-76w9-p8mg-j927","GHSA-wgrg-5h56-jg27"],"modified":"2023-11-08T04:07:23.055467Z","published":"2021-09-27T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/nix"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0119.html"},{"type":"REPORT","url":"https://github.com/nix-rust/nix/issues/1541"}],"affected":[{"package":{"name":"nix","ecosystem":"crates.io","purl":"pkg:cargo/nix"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.16.0"},{"fixed":"0.20.2"},{"introduced":"0.21.0-0"},{"fixed":"0.21.2"},{"introduced":"0.22.0-0"},{"fixed":"0.22.2"},{"introduced":"0.23.0-0"},{"fixed":"0.23.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":["nix::unistd::getgrouplist"],"arch":[],"os":["linux","freebsd","android","netbsd","dragonfly","openbsd","fuchsia"]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0119.json","informational":null,"categories":["memory-corruption"],"cvss":null}}],"schema_version":"1.7.3"}