CVE-2019-15901

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-15901
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-15901.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-15901
Published
2019-10-18T16:15:10.320Z
Modified
2025-11-14T09:17:59.955408Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. A setusercontext(3) call with flags to change the UID, primary GID, and secondary GIDs was replaced (on certain platforms: Linux and possibly NetBSD) with a single setuid(2) call. This resulted in neither changing the group id nor initializing secondary group ids.

References

Affected packages

Git / github.com/slicer69/doas

Affected ranges

Type
GIT
Repo
https://github.com/slicer69/doas
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

6.*

6.0-1
6.0p0
6.0p1
6.0p2
6.0p3
6.0p4
6.1
6.1p1

v5.*

v5.9
v5.9-1
v5.9-2
v5.9-3
v5.9-4
v5.9-5
v5.9-6
v5.9-7

v6.*

v6.0-0
v6.0p0

Database specific

vanir_signatures

[
    {
        "id": "CVE-2019-15901-37cc6403",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "doas.c"
        },
        "source": "https://github.com/slicer69/doas/commit/6cf0236184ff6304bf5e267ccf7ef02874069697"
    },
    {
        "id": "CVE-2019-15901-cede907b",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 5351.0,
            "function_hash": "229816150909773915025832948416141121373"
        },
        "target": {
            "function": "main",
            "file": "doas.c"
        },
        "source": "https://github.com/slicer69/doas/commit/6cf0236184ff6304bf5e267ccf7ef02874069697"
    }
]