On 05/22/2013 11:02 AM, Eric Blake wrote:
>>> + /* Figure out what size list to expect */
>>> + getgrouplist(pwd.pw_name, gid, groups, &ngroups);
>>
>> Do we need to be concerned about the "BUGS" info in the manpage?
>>
>> BUGS
>> In glibc versions before 2.3.3, the implementation of
>> this function contains a buffer-overrun bug: it returns
>> the complete list of groups for user in the array
>> groups, even when the number of groups exceeds *ngroups.
>>
>> Is anyone running that vintage of glibc? It sounds *kind of* like it
>> could hit that if ngroups is 0 (but doesn't specifically say that).
>
> So I did some digging, and gnulib has an 'mgetgroups' module
> (unfortunately GPL, but maybe I could get it relaxed if we wanted to use
> that instead)
>
> I'll do a v2 that either works around the bug, or which delegates to the
> gnulib module (depending on response on the gnulib list about a license
> relax request).

Gnulib just relaxed the license[1]; I'll be respinning this patch to
pull in the gnulib module instead.

[1] http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=shortlog;h=612ef3f7

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
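
Review bot: the sizing call on the getgrouplist(pwd.pw_name, gid, groups, &ngroups) line discards the return value and depends on the library honouring *ngroups, which the BUGS text quoted in this thread says glibc before 2.3.3 does not do (it writes the complete group list into groups regardless). The quoted lines do not show how large groups is or what ngroups holds at this point, so if the buffer is smaller than the user's group count, this probe can write past it on such a glibc. Suggest checking the return value and not probing with an undersized buffer, or delegating to the gnulib mgetgroups module as proposed in the thread.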