Hi Serge, On Wed, Apr 01, 2026 at 04:16:28PM -0500, Serge E. Hallyn wrote: > On Wed, Apr 01, 2026 at 10:40:01PM +0200, Aurelien Jarno wrote: > > Since version 0.91.6, sbuild started to use getsubids to parse > > /etc/subgid [1]. The format of this file is supposed to be [2]: > > > > login name or UID : numerical subordinate group ID : numerical > > subordinate group ID count > > > > Unfortunately getsubids parses it as login name or *GID*. This breaks > > when this file contains UID and when UID != GID: > > > > $ id buildd > > uid=2952(buildd) gid=1009(buildd) groupes=1009(buildd),115(sbuild) > > $ grep 2952 /etc/subgid > > 2952:193462272:65536 > > $ getsubids -g buildd > > Error fetching ranges > > > > Fortunately it seems that newgidmap parses the file correctly, so this > > is not a security issue. > > > > The following untested patch should fix the issue (which means that > > get_owner_id() can be simplified as this is the only caller: > > > > Indeed, thanks for the patch and catching that. > > Reviewed-by: Serge Hallyn <[email protected]> > > Not sure what the flow from here is. Would you mind sending a > patch to upstream at https://github.com/shadow-maint/shadow, > or, if you prefer not to, should I forward it?
Could you take care of the upstream part? > I can see about preparing a shadow package for debian with this fix > and having Chris sponsor it, unless (my preference) he wants to > prepare it himself. I understand this is problematic for the Debian build infrastructure, so I'll apply the patch in Debian now directly. Best, Chris
