Summary: | 32 bits uid/gid overflow | ||
---|---|---|---|
Product: | glibc | Reporter: | Aurelien Jarno <aurelien> |
Component: | libc | Assignee: | Ulrich Drepper <drepper.fsp> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | debian-glibc, fweimer, glibc-bugs |
Priority: | P2 | Flags: | fweimer: security- |
Version: | unspecified | ||
Target Milestone: | --- | ||
Host: | x86_64-unknown-linux-gnu | Target: | x86_64-unknown-linux-gnu |
Build: | x86_64-unknown-linux-gnu | Last reconfirmed: |
I'm changing this only to align 32-bit and 64-bit platforms. Otherwise it is a sysadmin problem. The bogus UID or GID number has to come from a trusted configuration file, so I'm marking this security-.
uid/gid use 32-bit integers, and if a uid/gid is set bigger than (2^32)-1 on a 64-bit system, there is an overflow:

```
# echo "toto:x:4294967296:4294967296:Fake root:/home/linus:/bin/bash" >> /etc/passwd
# id toto
uid=0(root) gid=0(root) groupes=0(root)
```

This is due to the use of strtoul() to parse the uid/gid value, followed by a cast to an int without any check.
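
The parsing pattern described in the report, next to a range-checked form, as an added example (not glibc's code and not the fix that was committed). The function names are hypothetical, the sample line is the entry quoted in the report, and the wraparound assumes an LP64 platform where `unsigned long` is 64 bits.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the passwd entry quoted in the report. */
static const char SAMPLE[] =
    "toto:x:4294967296:4294967296:Fake root:/home/linus:/bin/bash";

/* Return a pointer to colon-separated field n (0-based), or NULL. */
static const char *passwd_field(const char *line, int n)
{
    while (n-- > 0 && line != NULL) {
        line = strchr(line, ':');
        if (line != NULL)
            line++;
    }
    return line;
}

/* Pattern from the report: strtoul() result narrowed without a check. */
static uint32_t parse_id_unchecked(const char *field)
{
    return (uint32_t)strtoul(field, NULL, 10); /* 2^32 wraps to 0 on LP64 */
}

/* Checked form: 0 on success, -1 if malformed or larger than 2^32-1. */
static int parse_id_checked(const char *field, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (field == NULL || field[0] < '0' || field[0] > '9')
        return -1;                 /* no sign, whitespace or empty field */
    errno = 0;
    v = strtoull(field, &end, 10);
    if (errno == ERANGE || (*end != '\0' && *end != ':') || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    uint32_t uid = 0;
    const char *f = passwd_field(SAMPLE, 2);
    printf("unchecked: uid=%u\n", (unsigned)parse_id_unchecked(f));
    printf("checked:   rc=%d\n", parse_id_checked(f, &uid));
    return 0;
}
```
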