Hi,

On 2026-04-01 16:16, Serge E. Hallyn wrote:
> On Wed, Apr 01, 2026 at 10:40:01PM +0200, Aurelien Jarno wrote:
> > Package: uidmap
> > Version: 1:4.18.0-2
> > Severity: important
> > Tags: patch
> > X-Debbugs-Cc: [email protected], [email protected], 
> > [email protected]
> > Control: affects -1 sbuild
> > 
> > Hi,
> > 
> > Since version 0.91.6, sbuild started to use getsubids to parse
> > /etc/subgid [1]. The format of this file is supposed to be [2]:
> > 
> >   login name or UID : numerical subordinate group ID : numerical subordinate group ID count
> > 
> > Unfortunately getsubids parses it as login name or *GID*. This breaks
> > when this file contains UID and when UID != GID:
> > 
> > $ id buildd
> > uid=2952(buildd) gid=1009(buildd) groupes=1009(buildd),115(sbuild)
> > $ grep 2952 /etc/subgid 
> > 2952:193462272:65536
> > $ getsubids -g buildd
> > Error fetching ranges
> > 
> > Fortunately it seems that newgidmap parses the file correctly, so this
> > is not a security issue.
> > 
> > The following untested patch should fix the issue (which means that
> > get_owner_id() can be simplified as this is the only caller):
> > 
> 
> Indeed, thanks for the patch and catching that.
> 
> Reviewed-by: Serge Hallyn <[email protected]>
> 
> Not sure what the flow from here is.  Would you mind sending a
> patch to upstream at https://github.com/shadow-maint/shadow,
> or, if you prefer not to, should I forward it?

The patch doesn't apply upstream as that part of the code got completely 
changed, and at a first glance, it looks like the issue got fixed at the 
same time.

The question now is: do you prefer to backport the changes from upstream, 
or patch the Debian version until a new version is released upstream?

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
[email protected]                     http://aurel32.net

_______________________________________________
Pkg-shadow-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
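
Added example (not part of the thread and not shadow's code): a small audit that finds which accounts are hit by the owner-field misreading reported above, by resolving /etc/subgid owners as login name or UID (the documented format) and again as login name or GID (a model of the reported behaviour). The passwd and subgid contents are constructed samples mirroring the report; the function names and the `numeric_is_gid` switch are assumptions of this example.

```python
from typing import NamedTuple

# Constructed sample data mirroring the report: buildd has UID 2952, GID 1009.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
buildd:x:2952:1009:Build daemon:/var/lib/buildd:/bin/sh
"""
SAMPLE_SUBGID = """\
alice:100000:65536
2952:193462272:65536
"""

class Range(NamedTuple):
    owner: str   # login name or numeric UID, as written in the file
    start: int   # first subordinate group ID
    count: int   # number of subordinate group IDs

def parse_passwd(text):
    """Return {login: (uid, gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]))
    return users

def parse_subid(text):
    """Return the owner:start:count entries, skipping malformed lines."""
    ranges = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) == 3 and f[0] and f[1].isdigit() and f[2].isdigit():
            ranges.append(Range(f[0], int(f[1]), int(f[2])))
    return ranges

def ranges_for(login, users, ranges, numeric_is_gid=False):
    """Ranges owned by login. numeric_is_gid=True models the reported
    misreading, where a numeric owner is compared with the GID."""
    uid, gid = users[login]
    numeric = str(gid if numeric_is_gid else uid)
    return [r for r in ranges if r.owner in (login, numeric)]

def affected_logins(users, ranges):
    """Logins whose result differs between the two interpretations."""
    return sorted(l for l in users if ranges_for(l, users, ranges)
                  != ranges_for(l, users, ranges, numeric_is_gid=True))

if __name__ == "__main__":
    users, ranges = parse_passwd(SAMPLE_PASSWD), parse_subid(SAMPLE_SUBGID)
    print("affected:", affected_logins(users, ranges))
```

To audit a real host, pass the contents of /etc/passwd and /etc/subgid to the two parsers instead of the samples.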
