Hi, On Wed, Dec 08, 2021 at 12:11:28PM +0000, Thorsten Glaser wrote: > Michael Meskes dixit: > > >I did some more testing and it seems this simple patch fixes the issue: > > I think you should still include a setgroups(0, NULL) call there. > > Personally I’d prefer setres[ug]id() because that makes the intent > more explicit even when the effect is the same, but… I’ll let you > and the security team decide.
Gentle bump for this issue. Also shouldn't patching out setusercontext and having no substitute get a CVE? >:) calendar.c forks, so there is no need to regain privileges post setuid(). I'm kinda with tg in that setres[ug]id() makes the intent clearer instead of relying on uid==0 behavior. Kind regards Philipp Kern
