Advisories for Cargo/Users package

2025

Duplicate Advisory: users may append `root` to group listings

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m65q-v92h-cm7q. This link is maintained to preserve external references. Original Description A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.

users may append `root` to group listings

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups. This affects both: The supplementary groups of a user The group access list of the current process If the caller uses this information for access control, this may lead to privilege escalation. This crate is not currently maintained, so a patched version is not available. Versions older than 0.8.0 do not contain the affected functions, …

users may append `root` to group listings

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups. This affects both: The supplementary groups of a user The group access list of the current process If the caller uses this information for access control, this may lead to privilege escalation. This crate is not currently maintained, so a patched version is not available. Versions older than 0.8.0 do not contain the affected functions, …

2023

Users vulnerable to unaligned read of `*const *const c_char` pointer

Affected versions dereference a potentially unaligned pointer. The pointer is commonly unaligned in practice, resulting in undefined behavior. In some build modes, this is observable as a panic followed by abort. In other build modes the UB may manifest in some other way, including the possibility of working correctly in some architectures. The crate is not currently maintained, so a patched version is not available.