The sgetsgent function checks errno for ERANGE, but sgetsgent_r only returns ERANGE and does not set errno to ERANGE. As a result, sgetsgent does not detect failure at all, and returns indicating success without filling in the struct sgrp result. This bug is somewhat similar in effect to bug 20338, but the root cause is quite different.
Not labeling as a security bug because /etc/gshadow contents (to which this data relates) is trusted data.
Patch posted: [PATCH] gshadow: Matching sgetsgent, sgetsgent_r ERANGE handling (bug 30151) <https://sourceware.org/pipermail/libc-alpha/2023-February/145752.html>
Fixed for 2.38 via:

commit 969e9733c7d17edf1e239a73fa172f357561f440
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Feb 21 09:20:28 2023 +0100

    gshadow: Matching sgetsgent, sgetsgent_r ERANGE handling (bug 30151)

    Before this change, sgetsgent_r did not set errno to ERANGE, but
    sgetsgent only checks errno, not the return value from sgetsgent_r.
    Consequently, sgetsgent did not detect any error, and reported
    success to the caller, without initializing the struct sgrp object
    whose address was returned.

    This commit changes sgetsgent_r to set errno as well. This avoids
    similar issues in applications which only change errno.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
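A minimal model of the mismatch described in this report, added here as an illustration and not taken from glibc: `copy_r` and `copy_wrapper` are hypothetical stand-ins for a reentrant function and its non-reentrant wrapper, and the sample entry is constructed. It shows the errno-only wrapper reporting success with an unset result when the `_r` side only returns ERANGE, and both remedies (the `_r` side also setting errno, or the wrapper checking the return value).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an _r function. On a short buffer it returns
   ERANGE and leaves *res untouched; errno is set only if set_errno != 0. */
static int copy_r(const char *s, char *buf, size_t n, char **res, int set_errno)
{
    size_t need = strlen(s) + 1;
    if (need > n) {
        if (set_errno)
            errno = ERANGE;
        return ERANGE;
    }
    memcpy(buf, s, need);
    *res = buf;
    return 0;
}

/* Hypothetical non-reentrant wrapper with a growing static buffer.
   by_errno != 0 decides from errno alone (the pattern in the report);
   by_errno == 0 decides from the return value. 0 means "*out is valid". */
static int copy_wrapper(const char *s, char **out, int set_errno, int by_errno)
{
    static char *buf;
    *out = NULL;
    for (size_t len = 4;; len *= 2) {   /* small start so ERANGE triggers */
        char *p = realloc(buf, len);
        if (p == NULL)
            return ENOMEM;
        buf = p;
        errno = 0;
        int ret = copy_r(s, buf, len, out, set_errno);
        int err = by_errno ? errno : ret;
        if (err != ERANGE)
            return err;                 /* 0 here is taken as success */
    }
}

int main(void)
{
    char *out;
    const char *line = "grp:!::alice,bob";   /* constructed sample entry */
    int rc = copy_wrapper(line, &out, 0, 1);
    printf("_r silent:     rc=%d out=%s\n", rc, out ? out : "(unset)");
    rc = copy_wrapper(line, &out, 1, 1);
    printf("_r sets errno: rc=%d out=%s\n", rc, out ? out : "(unset)");
}
```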