From 2dfcc54db8f0f13e8f66c549278235b3377ac5ce Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux
Date: Thu, 26 Sep 2024 12:31:10 +0200
Subject: [PATCH] [PATCH] Fix unchecked return value of initgroups() plugin (#11856)

The patches have beem merged into one.

Reviewed-By: Daniel Leidert
Origin: https://github.com/apache/trafficserver/pull/11855
Origin: https://github.com/apache/trafficserver/pull/11872
Bug: https://github.com/advisories/GHSA-6j2p-q7p9-hmxw
Bug-Debian: https://bugs.debian.org/1087531
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-50306
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-50306
Gbp-Pq: Name CVE-2024-50306.patch
---
 src/tscore/ink_cap.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
index 7c53050c..1c64091b 100644
--- a/src/tscore/ink_cap.cc
+++ b/src/tscore/ink_cap.cc
@@ -160,7 +160,11 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
 #endif

 // Always repopulate the supplementary group list for the new user.
- initgroups(pwd->pw_name, pwd->pw_gid);
+ if (geteuid() == 0) { // check that we have enough rights to call initgroups()
+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+ Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+ }
+ }

 switch (level) {
 case IMPERSONATE_PERMANENT:
-- 
2.30.2
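Review bot: The `geteuid() == 0` guard skips `initgroups()` silently, so with a non-root effective uid the supplementary group list inherited from the calling user stays in place and nothing is logged. Effective uid 0 is also not the same as holding CAP_SETGID on Linux, so a capability-based deployment may skip a call that would have succeeded. Consider calling it unconditionally and tolerating only the permission failure, e.g. `if (initgroups(pwd->pw_name, pwd->pw_gid) != 0 && (geteuid() == 0 || errno != EPERM)) {`, with a warning or debug line on the tolerated path. The `Fatal()` message would be easier to triage with `strerror(errno)` appended, and the context comment `// Always repopulate the supplementary group list ...` no longer matches the now-conditional call. The body of `impersonate()` starts and ends outside this hunk, so how the later identity switch behaves with an unchanged group list cannot be judged from here.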