Several initgroups() return values are not checked in inetutils programs.
Others simply do not call initgroups() while relinquishing privileges.

I found the following occurrences of these issues:

* inetd, uucpd, rshd, ftpd: missing return value check
* tftpd: missing call

This concern was raised by Alexander Peslyak on the oss-security mailing
list:

https://www.openwall.com/lists/oss-security/2023/12/30/2

This is indeed a security issue as these programs may not drop
supplementary group ownerships, and a potential arbitrary code execution
in subsequent code could lead to privilege escalation. POSIX has a rule
related to this:

https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

I am attaching a patch to both add the missing initgroups() return value
checks and calls where needed for inetd, uucpd, rshd, ftpd and tftpd.

Regards,

-- 
Jeffrey BENCTEUX

Attachment: 0001-inetd-uucpd-rshd-ftpd-tftpd-fix-check-initgroups-ret.patch
Description: Binary data
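
The pattern the message asks for, as an added C example (not the attached patch and not inetutils code): supplementary groups, then gid, then uid, with every return value checked. The `priv_ops` indirection, `drop_privileges`, `simulate_drop`, the stubs and the `svc`/`nobody` accounts are assumptions made here so the failure paths can be exercised without root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* glibc: expose initgroups() */
#endif
#include <grp.h>
#include <pwd.h>
#include <unistd.h>

/* Hypothetical indirection so the failure paths can run without root. */
struct priv_ops {
    int (*initgroups)(const char *user, gid_t gid);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};
enum drop_result { DROP_OK, DROP_ERR_GROUPS, DROP_ERR_GID, DROP_ERR_UID };

/* Supplementary groups first, then gid, then uid; stop at the first
   failure so the caller can exit instead of running with stale groups. */
enum drop_result drop_privileges(const struct priv_ops *ops, const struct passwd *pw)
{
    if (ops->initgroups(pw->pw_name, pw->pw_gid) != 0) return DROP_ERR_GROUPS;
    if (ops->setgid(pw->pw_gid) != 0) return DROP_ERR_GID;
    if (ops->setuid(pw->pw_uid) != 0) return DROP_ERR_UID;
    return DROP_OK;
}

/* Constructed stubs: record call order in trace, fail at step fail_at. */
static char trace[8];
static int ncalls, fail_at;
static int step(char c) { trace[ncalls++] = c; trace[ncalls] = '\0'; return ncalls == fail_at ? -1 : 0; }
static int stub_ig(const char *u, gid_t g) { (void)u; (void)g; return step('I'); }
static int stub_sg(gid_t g) { (void)g; return step('G'); }
static int stub_su(uid_t u) { (void)u; return step('U'); }

/* Drop to a constructed account using the stubs; fail_step 0 = no failure. */
enum drop_result simulate_drop(int fail_step)
{
    const struct priv_ops stubs = { stub_ig, stub_sg, stub_su };
    struct passwd pw = { .pw_name = "svc", .pw_uid = 1000, .pw_gid = 1000 };
    ncalls = 0; trace[0] = '\0'; fail_at = fail_step;
    return drop_privileges(&stubs, &pw);
}
const char *last_trace(void) { return trace; }

int main(void)
{
    const struct priv_ops real = { initgroups, setgid, setuid };
    struct passwd *pw = getpwnam("nobody");   /* assumed target account */
    return (pw == NULL || drop_privileges(&real, pw) != DROP_OK) ? 1 : 0;
}
```

A daemon using this pattern treats any result other than `DROP_OK` as fatal and exits before touching client input.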
