Last week, while reviewing a shadow-utils PR, I discovered a very suspicious issue reported by CodeQL in a part of the code that hadn't been changed in 12 years. It seemed like an easy attack vector for a malicious actor, who could run any process while executing the newgrp command by simply changing an environment variable. If true, many distributions would be affected by this problem. So I asked our product security team to review the problem and open a CVE (CVE-2023-0634).

Fortunately for us, it all turned out to be just a big fright. The newgrp command is intended to execute the command, but it will not execute anything privileged because there are already protections in place (setgid) to disable any malicious intent.