Uutils Coreutils Id Utility Group Miscalculation Vulnerability
Vulnerability
A vulnerability exists in the id utility of uutils coreutils, where it incorrectly calculates the groups section of its output. The issue arises because the implementation uses a user's real GID instead of the effective GID, leading to discrepancies compared to GNU coreutils. This miscalculation can cause security-critical scripts and automated processes to make flawed access-control or permission decisions, potentially resulting in unauthorized access or security misconfigurations.
Impact
This vulnerability can lead to incorrect group information being displayed, causing inconsistencies in permission and access-control decisions based on the id command's output. Such discrepancies can create security vulnerabilities by allowing unauthorized access or misconfiguring security settings.
Reproduction
The vulnerability can be reproduced by changing the effective group ID and then running the uutils id command. The output will incorrectly reflect the group information, showing the real GID instead of the effective GID. This can be tested by using the setpriv command to manipulate the user and group IDs, and then calling the id command with the appropriate flags to observe the incorrect output.
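As an added illustration (not code from uutils or GNU coreutils), the helper below builds the "groups=" list the way the advisory says GNU id does, with the effective GID as the primary entry; it assumes GNU's ordering (effective GID first, then supplementary groups, duplicates removed). Running it under the same changed-GID context lets a defender diff its output against `id -G` from uutils, and the constructed scenario in main shows how the real-GID variant drops the effective group entirely when it is not also a supplementary group.

```c
/* Added example, not the project's code: reference "groups=" computation
 * (effective GID first, then supplementary groups, duplicates removed). */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Prepend `primary` to the supplementary list `supp`, skipping duplicates.
 * `out` must hold nsupp + 1 entries. Returns the number of entries written. */
size_t build_group_list(gid_t primary, const gid_t *supp, size_t nsupp, gid_t *out) {
    size_t n = 0;
    out[n++] = primary;
    for (size_t i = 0; i < nsupp; i++) {
        int dup = 0;
        for (size_t j = 0; j < n; j++)
            if (out[j] == supp[i]) { dup = 1; break; }
        if (!dup) out[n++] = supp[i];
    }
    return n;
}

/* Returns 1 if `gid` is among the first `n` entries of `list`, else 0. */
int list_contains(const gid_t *list, size_t n, gid_t gid) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

static void print_list(const char *label, const gid_t *list, size_t n) {
    printf("%s", label);
    for (size_t i = 0; i < n; i++) printf(" %lu", (unsigned long)list[i]);
    printf("\n");
}

int main(void) {
    /* Live check: compute the list from this process's real credentials so it
     * can be compared with `id -G` run in the same setpriv context. */
    int nsupp = getgroups(0, NULL);
    gid_t *supp = malloc((size_t)nsupp * sizeof *supp);
    gid_t *out = malloc(((size_t)nsupp + 1) * sizeof *out);
    if (!supp || !out || getgroups(nsupp, supp) < 0) return 1;
    print_list("egid-based groups:", out, build_group_list(getegid(), supp, (size_t)nsupp, out));
    print_list("rgid-based groups:", out, build_group_list(getgid(), supp, (size_t)nsupp, out));

    /* Constructed scenario: real GID 1000, effective GID 2000, and 2000 is
     * not a supplementary group. The rgid-based list never mentions 2000. */
    gid_t demo_supp[] = {1000, 27}, demo_out[3];
    print_list("correct  (egid 2000):", demo_out, build_group_list(2000, demo_supp, 2, demo_out));
    print_list("flawed   (rgid 1000):", demo_out, build_group_list(1000, demo_supp, 2, demo_out));
    free(supp); free(out);
    return 0;
}
```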
Remediation
Users can switch to GNU coreutils to avoid this vulnerability, as the issue does not exist in that version.