Headline
CVE-2023-0634: Call NULL by its name by alejandro-colomar · Pull Request #642 · shadow-maint/shadow
An uncontrolled process operation was found in the newgrp command provided by the shadow-utils package. This issue could cause the execution of arbitrary code provided by a user when running the newgrp command.
Copy link
Contributor
**
alejandro-colomar commented
Feb 1, 2023
**
In variadic functions we still do the cast. In POSIX, it’s not necessary, since NULL is required to be of type 'void *’, and ‘void *’ is guaranteed to have the same alignment and representation as 'char *’. However, since ISO C still doesn’t mandate that, and moreover they’re doing dubious stuff by adding nullptr, let’s be on the cautious side. Also, C++ requires that NULL is not 'void *’, but either plain 0 or some magic stuff.
Signed-off-by: Alejandro Colomar alx@kernel.org