The getgrouplist function in the GNU C library (glibc) before version 2.3.5, when invoked with a zero argument, writes to the passed pointer even if the specified array size is zero, leading to a buffer overflow and potentially allowing attackers to corrupt memory.
Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=661 Upstream commit: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=2e6a02d832158ac81d1ecceff1834455633d58bd
This is an ancient bug that never affected any of the currently supported Red Hat Enterprise Linux versions. Additionally, its impact seems very limited as the problem was triggered by having getgrouplist() called with ngroups argument of 0. This is unlikely use case. This argument is likely to be hard-coded in programs, rather than taking a value from an untrusted source.
In reply to comment #2: > Additionally, its impact seems very limited as the problem was triggered by > having getgrouplist() called with ngroups argument of 0. This is unlikely > use case. To clarify, this would be a valid way to probe how big the size of the groups array should be. This would, however, trigger out of bounds access during probing, regardless of whether it was malicious or non-malicious use case. This seems more of a bug than a security issue.