[Pkg-shadow-devel] Bug#1132509: Bug#1132509: uidmap: getsubids look up /etc/subgid by gid instead of uid when using numerical values
Aurelien Jarno
aurel32 at debian.org
Thu Apr 2 18:51:15 BST 2026
Hi,
On 2026-04-01 16:16, Serge E. Hallyn wrote:
> On Wed, Apr 01, 2026 at 10:40:01PM +0200, Aurelien Jarno wrote:
> > Package: uidmap
> > Version: 1:4.18.0-2
> > Severity: important
> > Tags: patch
> > X-Debbugs-Cc: dsa at debian.org, wb-team at buildd.debian.org, sbuild at packages.debian.org
> > Control: affects -1 sbuild
> >
> > Hi,
> >
> > Since version 0.91.6, sbuild started to use getsubids to parse
> > /etc/subgid [1]. The format of this file is supposed to be [2]:
> >
> > login name or UID : numerical subordinate group ID : numerical subordinate group ID count
> >
> > Unfortunately getsubids parses it as login name or *GID*. This breaks
> > when this file contains UID and when UID != GID:
> >
> > $ id buildd
> > uid=2952(buildd) gid=1009(buildd) groupes=1009(buildd),115(sbuild)
> > $ grep 2952 /etc/subgid
> > 2952:193462272:65536
> > $ getsubids -g buildd
> > Error fetching ranges
> >
> > Fortunately it seems that newgidmap parses the file correctly, so this
> > is not a security issue.
> >
> > The following untested patch should fix the issue (which means that
> > get_owner_id() can be simplified as this is the only caller):
> >
>
> Indeed, thanks for the patch and catching that.
>
> Reviewed-by: Serge Hallyn <serge at hallyn.com>
>
> Not sure what the flow from here is. Would you mind sending a
> patch to upstream at https://github.com/shadow-maint/shadow,
> or, if you prefer not to, should I forward it?
The patch doesn't apply upstream as that part of the code got completely
changed, and at first glance, it looks like the issue got fixed at the
same time.
The question now is do you prefer to backport the changes from upstream,
or patch the Debian version until a new version is released upstream.
Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien at aurel32.net http://aurel32.net
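
The lookup mismatch described in the report, as an added example that is not part of the original message or of the shadow code base: a small Python model that resolves the owner field of subgid-format lines by login name or UID (the documented format) and by login name or GID (the reported behaviour), and lists the accounts for which the two disagree. The buildd values are those quoted in the report; the alice account, the sample file and all function names are assumptions made for the example.

```python
from typing import NamedTuple

class Account(NamedTuple):
    name: str
    uid: int
    gid: int

# Constructed sample: the buildd values come from the report, alice is made up.
ACCOUNTS = [Account("buildd", 2952, 1009), Account("alice", 1000, 1000)]
SAMPLE_SUBGID = """\
# owner:start:count
alice:100000:65536
2952:193462272:65536
broken-line
"""

def parse_subid(text):
    """Return (owner, start, count) tuples; skip blanks, comments, malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3 or not fields[0] or fields[0].startswith("#"):
            continue
        if not all(f.isascii() and f.isdigit() for f in fields[1:]):
            continue
        entries.append((fields[0], int(fields[1]), int(fields[2])))
    return entries

def lookup(entries, account, numeric_id):
    """Ranges whose owner is the login name or the decimal text of numeric_id."""
    wanted = {account.name, str(numeric_id)}
    return [(start, count) for owner, start, count in entries if owner in wanted]

def by_uid(entries, account):
    # Documented format: the first field is a login name or a UID.
    return lookup(entries, account, account.uid)

def by_gid(entries, account):
    # Model of the reported behaviour: numeric owners compared with the GID.
    return lookup(entries, account, account.gid)

def affected(entries, accounts):
    """Names of accounts for which the two lookups disagree."""
    return [a.name for a in accounts if by_uid(entries, a) != by_gid(entries, a)]

if __name__ == "__main__":
    entries = parse_subid(SAMPLE_SUBGID)
    for a in ACCOUNTS:
        print(a.name, "by uid:", by_uid(entries, a), "by gid:", by_gid(entries, a))
    print("affected:", affected(entries, ACCOUNTS))
```

Only accounts whose entry is keyed by a numeric UID that differs from the primary GID show a difference; name-keyed entries resolve the same way in both lookups.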