lsd icon indicating copy to clipboard operation
lsd copied to clipboard
verified publisher icon lsd-rs

VUL-0: CVE-2025-5791: lsd: users: `root` appended to group listings

Open DeadMozay opened this issue 10 months ago • 0 comments

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups.

This affects both:

  • The supplementary groups of a user
  • The group access list of the current process

If the caller uses this information for access control, this may lead to privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.

Recommended alternatives

  • uzers (an actively maintained fork of the users crate)
  • sysinfo

References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-5791 https://bugzilla.redhat.com/show_bug.cgi?id=2370001

DeadMozay avatar Jun 11 '25 03:06 DeadMozay