GNU bug report logs

#28751 GuixSD setuid-programs handling creates setuid binaries in the store


Message #27 received at 28751@debbugs.gnu.org:

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
In-Reply-To: <20171229223329.GA25194@jasmine.lan> (Leo Famulari's message of "Fri, 29 Dec 2017 17:33:29 -0500")
References: <87h8v9cuhw.fsf@gnu.org> <877ew5cu56.fsf@gnu.org> <87lgklbekx.fsf@gnu.org> <20171229223329.GA25194@jasmine.lan>
Date: Sat, 30 Dec 2017 01:28:09 +0100
Message-ID: <87o9mh2h5y.fsf@gnu.org>
Cc: 28751@debbugs.gnu.org
Leo Famulari <leo@famulari.name> skribis:

> On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
>> ludo@gnu.org (Ludovic Courtès) skribis:
>> > ludo@gnu.org (Ludovic Courtès) skribis:
>> >
>> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> >> create setuid-root binaries under /gnu/store for all the programs listed
>> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>> >
>> > Fixed by
>> > <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.
>> 
>> Detailed announcement at:
>> 
>>   https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
>
> FYI, this was assigned CVE-2017-1000455.
>
> I just received this JSON from the Distributed Weakness Filing project
> (DWF) in response to my CVE application:
>
> {"data_version": "4.0","references": {"reference_data": [{"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}]},"description": {"description_data": [{"lang": "eng","value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}]},"product_name": "GuixSD"}]},"vendor_name": "GNU Guix"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-12-29","ID": "CVE-2017-1000455","ASSIGNER": "kurt@seifried.org","REQUESTER": "leo@famulari.name"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Insecure Permissions"}]}]}}
>
> I assume it will show up in the regular places (MITRE etc) eventually.

Great, thanks for following up!

Ludo’.
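The hard-link mistake named in the CVE text above, reproduced on a throwaway directory as an added example (not code from Guix or from anyone in this thread): chmod on a hard link changes the one shared inode, so the "store" file becomes setuid along with the wrapper, whereas a copy-then-chmod variant leaves the store untouched, and the `find_setuid` walk is the audit a defender would run over a real store. Assumptions: the store layout and the "binary" are constructed, and copying is shown as one way to avoid sharing the inode, not as a description of what the Guix fix commit does.

```python
import os
import shutil
import stat
import tempfile

SETUID_MODE = 0o4755  # rwsr-xr-x: the mode a setuid wrapper is chmod'ed to

def is_setuid(path):
    """True if the setuid bit is set on the inode behind PATH."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)

def activate_with_hardlink(store_file, target):
    """Flawed variant: hard-link, then chmod. Both names share one inode,
    so the store file itself ends up setuid as well."""
    os.link(store_file, target)
    os.chmod(target, SETUID_MODE)

def activate_with_copy(store_file, target):
    """Fixed variant (assumed here): copy the bytes, chmod only the copy."""
    shutil.copyfile(store_file, target)
    os.chmod(target, SETUID_MODE)

def find_setuid(root):
    """Audit helper: setuid regular files under ROOT, as paths relative to ROOT."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and is_setuid(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def run_demo(activate):
    """Constructed toy store and setuid-programs dir; run ACTIVATE and report
    which store files an audit would then flag as setuid."""
    top = tempfile.mkdtemp(prefix="setuid-demo-")
    try:
        store = os.path.join(top, "store")
        store_bin = os.path.join(store, "abc123-passwd", "bin", "passwd")
        wrapper = os.path.join(top, "setuid-programs", "passwd")
        os.makedirs(os.path.dirname(store_bin))
        os.makedirs(os.path.dirname(wrapper))
        with open(store_bin, "wb") as f:  # constructed stand-in for a binary
            f.write(b"#!/bin/sh\necho constructed sample\n")
        os.chmod(store_bin, 0o555)
        activate(store_bin, wrapper)
        return {"wrapper_setuid": is_setuid(wrapper),
                "setuid_in_store": find_setuid(store)}
    finally:
        shutil.rmtree(top)
```

Run `run_demo(activate_with_hardlink)` and the store audit reports the linked binary as setuid; with `activate_with_copy` the wrapper is setuid and the audit of the store comes back empty.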




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:55:48 2024; Machine Name: wallace-server
