Bug 9706

Summary: 32 bits uid/gid overflow
Product: glibc Reporter: Aurelien Jarno <aurelien>
Component: libcAssignee: Ulrich Drepper <drepper.fsp>
Status: RESOLVED FIXED    
Severity: normal CC: debian-glibc, fweimer, glibc-bugs
Priority: P2 Flags: fweimer: security-
Version: unspecified   
Target Milestone: ---   
Host: x86_64-unknown-linux-gnu Target: x86_64-unknown-linux-gnu
Build: x86_64-unknown-linux-gnu Last reconfirmed:

Description Aurelien Jarno 2009-01-04 10:56:47 UTC
uid/gid use 32 bits integer and if a uid/gid is set bigger than (2^32)-1 on a 
64-bit system, there is an overflow:

# echo "toto:x:4294967296:4294967296:Fake root:/home/linus:/bin/bash" 
>> /etc/passwd
# id toto
uid=0(root) gid=0(root) groupes=0(root)

This is due to the use of strtoul() to parse the uid/gid value, followed by a 
cast to an int without any check.
Comment 1 Ulrich Drepper 2009-01-09 04:27:58 UTC
I'm changing this only to align 32-bit and 4-bit platforms.  Otherwise it is a
sysadmin problem.
Comment 2 Florian Weimer 2014-07-02 07:21:29 UTC
The bogus UID or GID number has to come from a trusted configuration file, so I'm marking this security-.