#69728 - [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).

Package	Source(s)		Maintainer(s)
guix-patches		PTS Buildd Popcon

Message #22 received at 69728@debbugs.gnu.org (full text, mbox, reply):

Received: (at 69728) by debbugs.gnu.org; 12 Mar 2024 14:36:27 +0000
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 12 10:36:27 2024
Received: from localhost ([127.0.0.1]:43342 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1rk3Ew-0002N0-OB
	for submit@debbugs.gnu.org; Tue, 12 Mar 2024 10:36:27 -0400
Received: from mail-4316.protonmail.ch ([185.70.43.16]:24517)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <john.kehayias@protonmail.com>) id 1rk3Et-0002MX-4v
 for 69728@debbugs.gnu.org; Tue, 12 Mar 2024 10:36:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1710254142; x=1710513342;
 bh=9vZz1qci+avginabnebtqb3++m3hG4gBE+urF1wt6sA=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector;
 b=nl+ylr5wllxXckaXu+rAxqNBOQ8ujRr/URtxMX9K1K2XvjINfCpgau6LPjn1tqILR
 NFPZ+ETbaDCGn47Op8voM6pMQl96J4ob+7gRGh7C72F5MRLdP0cKsjs0tVUv+EpmV4
 qsxFMj6h5MM195rlQTe3wWf9MOf/6HEK3tweRTS8jAtY1sA2Q1I8GThWtsk2nQt2x5
 OIaaPhjoznvr39jB5VA97aitCVguephsEX/hvRHjHW9XaF2I+3jMU3UerJaZSz9NuT
 GKHy8ZVzvWjZrkyYhrB9Tlp51CeX5a/yysYSNdpCIRNLA4k0tFOzE4K8yBSMuMZiga
 /Gg2rWWdaGMoA==
Date: Tue, 12 Mar 2024 14:35:18 +0000
To: Ludovic Courtès <ludo@gnu.org>
From: John Kehayias <john.kehayias@protonmail.com>
Subject: Re: Reproducer for the daemon fixed-output derivation vulnerability
Message-ID: <87msr334do.fsf@protonmail.com>
In-Reply-To: <871q8flg17.fsf_-_@gnu.org>
References: <f541e64f128d82e6d9eca3b1d40e833dc06fd968.1710154382.git.ludo@gnu.org>
 <87frwwo1mo.fsf@gnu.org> <871q8flg17.fsf_-_@gnu.org>
Feedback-ID: 7805494:user:proton
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="b1_xKx1i44DOSvJ7Di9xFsftR2PTnqrPGv5eGX1yxtDQ"
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 69728
Cc: Picnoir <picnoir@alternativebit.fr>, guix-security@gnu.org,
 Théophane Hufschmitt <theophane.hufschmitt@tweag.io>,
 69728@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

[Message part 1 (text/plain, inline)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-----BEGIN PGP SIGNATURE-----

iQJRBAEBCgA7FiEEpCB7VsJVEJ8ssxV+SZCXrl6oFdkFAmXwaBwdHGpvaG4ua2Vo
YXlpYXNAcHJvdG9ubWFpbC5jb20ACgkQSZCXrl6oFdk6Fg//aEuH516qXJrKpmAc
VqB1L/38z/UlbWlhT1n8HBqW5JsEd137FMw0WBeIVYVoWFuQJVaJPjtwWQNbXOfO
VKFITVw41hCMBhCNQmpBu1cuzVGmxX9MP2laWeDSpDT1uswuX4HxZaPrgU7LxFHz
G8wl2onDGheyN+/kaw/h6isv7yAI0jH+Tk8epkcyRUHCM9N1mdv3aVPcd1ZOzktW
ugkzNrA+2KdZXLZm2frr0Elh9xXBNi7owi0g5BSFtsEhqgbqTcb+IwuoT+2PXPH7
bZFE3Bpp6xI38+gY1XBMEZ/+ZY/5fScScGH4hejBJiEDAFVtaNvlJDeL6hbTCAX2
MvL/wkwMv2ODmsbJ7XfI/XG90E3IKrQ83/H7GBO2sIA2rM5wCnGjXuT+NMiJuoce
FnLjEamwu8lesHPSp81rpz8vEtzBywND/hhCeu0B+p6s9lbPyQKO8AMLtKCuZM94
a04XCCQDwKzcxKSiN6jF4b76kcS7kdrRS8qHPqVGzmwqkRJJVdCMlvoO3PtuAI+J
EDMQyU8FAFRqOE69Aomr056LLLwQqfWfXln6evFeznFvLEAo3SF2Yl4QW4MngLye
b5rPxGy9HggI3KfexsWLJNzMTdxyZql4uO3Ye6/SKYfmCNezy+4wSUtd+8EM4LqK
ZRF4fbqgZ5KjllnMH7oZjXm7b0A=
=jN50
-----END PGP SIGNATURE-----
Hi all,

On Tue, Mar 12, 2024 at 02:45 PM, Ludovic Courtès wrote:

> As promised, attached is a reproducer that I adapted from the Nix one at
> <https://hackmd.io/03UGerewRcy3db44JQoWvw>, which I think was written by
> puck <https://github.com/puckipedia>.
>
> The program demonstrates the vulnerability using two fixed-output
> derivations that must be built concurrently on the same machine.
>

Thanks for the reproducer and instructions. I've included the code an
a brief overview of how to run and what to look for in the updated
post (along with other changes noted privately).

The updated post is attached. I will have some time here and there
over the next few hours to make changes, but will mostly be away from
my Guix machine to handle actually pushing. So, once it looks good,
feel free to do that or I can do it this evening my time (in about 7-8
hours).

Thanks again Ludo’ for all your work here!

John

[cve-2024-27297-post.md (application/octet-stream, attachment)]

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 17:16:25 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

#69728 [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).