GNU bug report logs

#69728 [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).

PackageSource(s)Maintainer(s)
guix-patches PTS Buildd Popcon
Full log

Message #10 received at 69728@debbugs.gnu.org (full text, mbox, reply):

Received: (at 69728) by debbugs.gnu.org; 11 Mar 2024 22:17:24 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 11 18:17:24 2024
Received: from localhost ([127.0.0.1]:41442 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1rjnxT-00026D-RK
	for submit@debbugs.gnu.org; Mon, 11 Mar 2024 18:17:24 -0400
Received: from eggs.gnu.org ([209.51.188.92]:56458)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1rjnxQ-00025x-Io
 for 69728@debbugs.gnu.org; Mon, 11 Mar 2024 18:17:21 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1rjnwm-0006tT-Bc; Mon, 11 Mar 2024 18:16:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=j/akcUHUAvI4THZtkZCkVLgwpU2kzI8sAPSrOYEipgs=; b=YPePDT/ZHqT3pBBlsQa7
 tSSUu484hLnh/12JWGriEen3148AxlzX0yk3eaiT3oHTN/sd3FBuvP8CxbzjLWCZrLIwIDtaL4Xcf
 IyqUvWQafJwAnh8Q2QV4AtyopLP4/EPWQ1/PCp2Pu3VQuBpAUfCJ1/3gXgtBoP9Vf5nR2Z+NDczD/
 O5x8V+u2hRIyUR8A52Qk10l/dNL6P3ig2TAS/fF7PuoKrRR24g+nvFfeKWF9CAuVjNWTLBLYeRXvp
 VuOee8WWiFiSxIua3EHNSKo1KfNYHmXpnGOgLp8B46m6rMNnGs6yi4mDCeY72u6WvgUPtl4jzsz5h
 jA2jcd7j4/4huA==;
From: Ludovic Courtès <ludo@gnu.org>
To: 69728@debbugs.gnu.org
Subject: Re: bug#69728: [PATCH security] daemon: Protect against FD escape
 when building fixed-output derivations (CVE-2024-27297).
In-Reply-To: <f541e64f128d82e6d9eca3b1d40e833dc06fd968.1710154382.git.ludo@gnu.org>
 ("Ludovic Courtès"'s message of "Mon, 11 Mar 2024
 11:54:00 +0100")
References: <f541e64f128d82e6d9eca3b1d40e833dc06fd968.1710154382.git.ludo@gnu.org>
Date: Mon, 11 Mar 2024 23:16:31 +0100
Message-ID: <87frwwo1mo.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 69728
Cc: Picnoir <picnoir@alternativebit.fr>,
 Théophane Hufschmitt <theophane.hufschmitt@tweag.io>,
 guix-security@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Ludovic Courtès <ludo@gnu.org> skribis:

> This fixes a security issue (CVE-2024-27297) whereby a fixed-output
> derivation build process could open a writable file descriptor to its
> output, send it to some outside process for instance over an abstract
> AF_UNIX socket, which would then allow said process to modify the file
> in the store after it has been marked as “valid”.
>
> Nix security advisory:
> https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
>
> * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
> a file descriptor.  Rewrite the ‘Path’ variant accordingly.
> (copyFile, copyFileRecursively): New functions.
> * nix/libutil/util.hh (copyFileRecursively): New declaration.
> * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
> is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
>
> Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
>
> Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
> ---
>  nix/libstore/build.cc |  16 ++++++
>  nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
>  nix/libutil/util.hh   |   6 +++
>  3 files changed, 129 insertions(+), 5 deletions(-)

Pushed (with a slightly different commit message) as
8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
Guix System users can now reconfigure!

Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.

Ludo’.

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 16:49:17 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.