Uutils Coreutils id Utility Incorrect UID Handling Vulnerability
Vulnerability
A vulnerability exists in the id utility of uutils coreutils, where the 'pretty print' output is inaccurate when the real UID and effective UID differ. The issue arises because the implementation mistakenly uses the effective GID for name lookups of the effective user, leading to misleading diagnostic information. This can cause automated scripts or system administrators to misinterpret file permissions or access control. The vulnerability affects uutils coreutils id command versions prior to the fix in the linked pull request.
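The lookup mix-up described above, modelled in Rust as an added example. This is not uutils source code: the passwd table, the `Creds` struct, the function names and the fallback to the numeric id are all constructed for illustration.

```rust
// Added illustration: a model of the lookup mix-up, not uutils source code.
// The passwd table and every name below are constructed sample data.
use std::collections::HashMap;

/// Process credentials that matter for reporting the effective user.
#[derive(Clone, Copy)]
pub struct Creds {
    pub ruid: u32,
    pub euid: u32,
    pub egid: u32,
}

/// Constructed passwd database: uid -> login name.
pub fn sample_passwd() -> HashMap<u32, &'static str> {
    HashMap::from([(0, "root"), (1000, "alice"), (1001, "bob")])
}

/// Resolve a numeric id in the passwd table; an unknown id is returned as
/// its number (an assumption of this model).
fn passwd_name(db: &HashMap<u32, &'static str>, id: u32) -> String {
    db.get(&id).map(|n| n.to_string()).unwrap_or_else(|| id.to_string())
}

/// Flawed behaviour as the advisory describes it: the effective GID is used
/// as the key for the effective user's name lookup.
pub fn effective_user_flawed(db: &HashMap<u32, &'static str>, c: Creds) -> String {
    passwd_name(db, c.egid)
}

/// Corrected behaviour: the effective UID is the key.
pub fn effective_user_fixed(db: &HashMap<u32, &'static str>, c: Creds) -> String {
    passwd_name(db, c.euid)
}

/// True when real and effective UIDs differ and the flawed lookup would
/// name a different effective user than the correct one.
pub fn is_misreported(db: &HashMap<u32, &'static str>, c: Creds) -> bool {
    c.ruid != c.euid && effective_user_flawed(db, c) != effective_user_fixed(db, c)
}

fn main() {
    let db = sample_passwd();
    // Constructed case: real uid 1000, effective uid 0, effective gid 1000.
    let c = Creds { ruid: 1000, euid: 0, egid: 1000 };
    println!("flawed lookup: {}", effective_user_flawed(&db, c));
    println!("fixed lookup:  {}", effective_user_fixed(&db, c));
    println!("misreported:   {}", is_misreported(&db, c));
}
```

In the constructed case the process has effective UID 0, yet the flawed lookup names the owner of UID 1000, so a reader of the diagnostic output would not see the elevated effective user.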
Impact
This vulnerability can lead to incorrect user ID and group ID information being displayed, causing potential mismanagement of file permissions and access controls.
Reproduction
The vulnerability can be reproduced by changing the effective user ID and effective group ID using the setpriv command, and then running the id command. The output then reflects group information incorrectly, because the effective GID is used where the effective UID should be; this is most visible when the real and effective UIDs differ.
Remediation
Users can update to the latest version of uutils coreutils, where this issue has been addressed.
