GHSA-wgrg-5h56-jg27: 
Rust vulnerability analysis and mitigation

An out-of-bounds write vulnerability was discovered in the nix crate versions 0.16.0 and later before 0.20.2, 0.21.x before 0.21.2, and 0.22.x before 0.22.2 for Rust. The vulnerability affects the unistd::getgrouplist function when a user is in more than 16 /etc/groups groups. This security issue was reported on September 27, 2021, and was assigned CVE-2021-45707 with a CVSS v3.1 base score of 9.8 (Critical) (NVD, RustSec).

The vulnerability stems from the nix::unistd::getgrouplist function's interaction with the libc getgrouplist function. The libc function takes an in/out parameter ngroups specifying the size of the group buffer. When the buffer is too small, certain libc implementations (including glibc and Solaris libc) modify ngroups to indicate the actual number of groups while returning an error. The nix implementation resizes the buffer to twice its size but fails to update the ngroups variable accordingly. This mismatch between the buffer capacity and ngroups value leads to an out-of-bounds write when the user has more than twice as many groups as the initial buffer size of 8 (GitHub Advisory).

The vulnerability can result in memory corruption, potential segmentation faults, and allocator corruption when destroying the Vec buffer. This leads to undefined behavior in the affected systems. The severity is rated as Critical with a CVSS v3.1 base score of 9.8, indicating the potential for high impact on system security (NVD).

The vulnerability has been patched in versions 0.20.2, 0.21.2, 0.22.2, and all versions from 0.23.0 onwards. Users should upgrade to these patched versions to mitigate the vulnerability. The fix involves properly updating the ngroups parameter to match the buffer's capacity in each loop iteration (RustSec).