PT-2021-24281 · Nix+1

Published: 2021-09-27 · Updated: 2022-10-28 · CVE-2021-45707

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
nix crate versions 0.16.0 through 0.20.1
nix crate versions 0.21.x before 0.21.2
nix crate versions 0.22.x before 0.22.2
Description: An issue was discovered in the nix crate where the nix::unistd::getgrouplist function can call the libc getgrouplist function with a length parameter greater than the size of the buffer it provides, resulting in an out-of-bounds write and memory corruption. This occurs when a user has more than 16 groups. The libc getgrouplist function takes an in/out parameter ngroups specifying the size of the group buffer. If the buffer is too small to hold all of the requested user's group memberships, some libc implementations will modify ngroups to indicate the actual number of groups for the user, in addition to returning an error. The issue would require editing /etc/groups to exploit, which is usually only editable by the root user.
Recommendations: For nix crate versions 0.16.0 through 0.20.1, update to version 0.20.2 or later. For nix crate versions 0.21.x before 0.21.2, update to version 0.21.2 or later. For nix crate versions 0.22.x before 0.22.2, update to version 0.22.2 or later. As a temporary workaround, consider restricting the number of groups a user can be a part of to prevent the out-of-bounds write.
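The length mismatch in the Description can be reproduced in safe Rust with a small model of the in/out `ngroups` contract. This is an added example, not code from the nix crate or from libc: the function names, the starting capacity of 8 and the doubling step are assumptions, chosen so the failure appears above 16 groups as the advisory states.

```rust
// Added illustration: a safe-Rust model, not code from the nix crate or libc.
// Model of libc getgrouplist's in/out `ngroups`: copies min(*ngroups, total) ids;
// if the list does not fit, stores the real count in *ngroups and returns -1.
// Err(n) marks a write of n ids into a smaller buffer (the out-of-bounds write).
fn getgrouplist_model(groups: &[u32], buf: &mut [u32], ngroups: &mut usize) -> Result<i32, usize> {
    let n = groups.len().min(*ngroups);
    if n > buf.len() {
        return Err(n); // a real libc would write past the allocation here
    }
    buf[..n].copy_from_slice(&groups[..n]);
    let fits = groups.len() <= *ngroups;
    *ngroups = groups.len();
    Ok(if fits { groups.len() as i32 } else { -1 })
}

// Caller that grows the buffer but keeps passing whatever libc left in `ngroups`.
fn stale_length_caller(groups: &[u32]) -> Result<Vec<u32>, usize> {
    let mut cap = 8; // assumed starting capacity
    let mut ngroups = cap;
    loop {
        let mut buf = vec![0u32; cap];
        if getgrouplist_model(groups, &mut buf, &mut ngroups)? >= 0 {
            buf.truncate(ngroups);
            return Ok(buf);
        }
        cap *= 2; // buffer doubles, but ngroups may already exceed it
    }
}

// Caller that resets `ngroups` to the buffer's real capacity before every call.
fn synced_length_caller(groups: &[u32]) -> Result<Vec<u32>, usize> {
    let mut cap = 8; // assumed starting capacity
    loop {
        let mut buf = vec![0u32; cap];
        let mut ngroups = buf.len();
        if getgrouplist_model(groups, &mut buf, &mut ngroups)? >= 0 {
            buf.truncate(ngroups);
            return Ok(buf);
        }
        cap = ngroups.max(cap * 2); // size from libc's hint, length from the buffer
    }
}

fn main() {
    let seventeen: Vec<u32> = (1000..1017).collect(); // constructed group ids
    println!("stale:  {:?}", stale_length_caller(&seventeen));
    println!("synced: {:?}", synced_length_caller(&seventeen));
}
```

With 16 or fewer groups both callers return the full list, which is why the defect stays hidden on typical accounts.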

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2021-45707
GHSA-76W9-P8MG-J927
GHSA-WGRG-5H56-JG27
RUSTSEC-2021-0119

Affected Products

Debian
Nix