On Wed, Apr 01, 2026 at 10:40:01PM +0200, Aurelien Jarno wrote:
> Package: uidmap
> Version: 1:4.18.0-2
> Severity: important
> Tags: patch
> X-Debbugs-Cc: [email protected], [email protected],
> [email protected]
> Control: affects -1 sbuild
>
> Hi,
>
> Since version 0.91.6, sbuild started to use getsubids to parse
> /etc/subgid [1]. The format of this file is supposed to be [2]:
>
> login name or UID : numerical subordinate group ID : numerical subordinate
> group ID count
>
> Unfortunately getsubids parses it as login name or *GID*. This breaks
> when this file contains UID and when UID != GID:
>
> $ id buildd
> uid=2952(buildd) gid=1009(buildd) groupes=1009(buildd),115(sbuild)
> $ grep 2952 /etc/subgid
> 2952:193462272:65536
> $ getsubids -g buildd
> Error fetching ranges
>
> Fortunately it seems that newgidmap parses the file correctly, so this
> is not a security issue.
>
> The following untested patch should fix the issue (which means that
> get_owner_id() can be simplified as this is the only caller:
>
Indeed, thanks for the patch and catching that.

Reviewed-by: Serge Hallyn <[email protected]>

Not sure what the flow from here is. Would you mind sending a patch to
upstream at https://github.com/shadow-maint/shadow, or, if you prefer not
to, should I forward it?

I can see about preparing a shadow package for Debian with this fix and
having Chris sponsor it, unless (my preference) he wants to prepare it
himself.

thanks,
-serge

> --- shadow-4.19.3.orig/lib/subordinateio.c > +++ shadow-4.19.3/lib/subordinateio.c > @@ -908,7 +908,7 @@ int list_owner_ranges(const char *owner, > return -1; > } > > - have_owner_id = get_owner_id(owner, id_type, id); > + have_owner_id = get_owner_id(owner, ID_TYPE_UID, id); > > commonio_rewind(db); > while (NULL != (range = commonio_next(db))) {
>
> Regards
> Aurelien
>
> [1] https://salsa.debian.org/debian/sbuild/-/commit/590c06cd5a76b6758606cc30fea075816edda468
> [2] https://manpages.debian.org/unstable/passwd/subgid.5.en.html
>
> _______________________________________________
> Pkg-shadow-devel mailing list
> [email protected]
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
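
Review bot: At the changed get_owner_id() call in list_owner_ranges(), the type is now hard-coded to ID_TYPE_UID with no comment explaining why, so a later reader may change it back to id_type. Add a one-line comment there stating that the owner field of /etc/subgid is a login name or UID (per subgid(5), reference [2]), and, as the report itself suggests, drop the id_type parameter from get_owner_id() in the same change since this is its only caller. The patch is marked untested and its headers name shadow-4.19.3 while the bug is filed against 1:4.18.0-2, so confirm it applies to the packaged version and add a regression case with UID != GID, for example the reported `getsubids -g buildd` with 2952:193462272:65536 in /etc/subgid.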

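The owner matching described in the report, modelled as an added example (not code from shadow, sbuild, or either poster) that lists which accounts would get different subordinate GID ranges when the owner field is matched against the GID instead of the UID. The function names, the `Account` type and the "alice" entry are assumptions made for the illustration; the model is a simplification and does not reproduce getsubids itself.

```python
from typing import NamedTuple

class Account(NamedTuple):
    name: str
    uid: int
    gid: int

def parse_subid(text):
    """Return (owner, start, count) tuples; lines that are not three
    colon-separated fields with numeric start and count are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if (len(fields) == 3 and fields[0]
                and fields[1].isdecimal() and fields[2].isdecimal()):
            entries.append((fields[0], int(fields[1]), int(fields[2])))
    return entries

def ranges_for(account, entries, numeric_id):
    """Ranges whose owner field is the login name or equals numeric_id."""
    return [(start, count) for owner, start, count in entries
            if owner == account.name
            or (owner.isdecimal() and int(owner) == numeric_id)]

def affected_accounts(accounts, subgid_text):
    """Names of accounts whose ranges differ when the owner field is
    matched against the GID (reported behaviour) instead of the UID."""
    entries = parse_subid(subgid_text)
    return [a.name for a in accounts
            if ranges_for(a, entries, a.uid) != ranges_for(a, entries, a.gid)]

# buildd and its subgid line are the values from the report;
# "alice" and her range are constructed for contrast.
ACCOUNTS = [Account("buildd", 2952, 1009), Account("alice", 1000, 1000)]
SUBGID = "2952:193462272:65536\nalice:100000:65536\n"

if __name__ == "__main__":
    for name in affected_accounts(ACCOUNTS, SUBGID):
        print(f"{name}: lookup by GID returns different ranges than by UID")
```

Entries keyed by login name are matched either way, which is why only the numeric entry for an account with UID != GID shows up.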