Bug 2370001 (CVE-2025-5791, RUSTSEC-2025-0040)

Summary: CVE-2025-5791 users: `root` appended to group listings
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dbosanac, jreimann, mdessi, mrizzi, pcattana
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2370605, 2370606, 2370604    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-03 13:02:48 UTC 
Affected versions append `root` to group listings, unless the correct listing
has exactly 1024 groups.

This affects both:

- The supplementary groups of a user
- The group access list of the current process

If the caller uses this information for access control, this may lead to
privilege escalation.

This crate is not currently maintained, so a patched version is not available.

Versions older than 0.8.0 do not contain the affected functions, so downgrading
to them is a workaround.

## Recommended alternatives
- [`uzers`](https://crates.io/crates/uzers) (an actively maintained fork of the `users` crate)
- [`sysinfo`](https://crates.io/crates/sysinfo)
Comment 2 Jens Reimann 2025-06-03 14:29:48 UTC 
We're not using the `users` crate:

```
➜  trustify git:(main) cargo tree -i users
error: package ID specification `users` did not match any packages

help: a package with a similar name exists: `aes`
```