From: Leo Famulari
Subject: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
Date: Fri, 29 Dec 2017 18:09:53 -0500
Message-ID: <20171229230953.GA10185@jasmine.lan>
References: <87h8v9cuhw.fsf@gnu.org> <877ew5cu56.fsf@gnu.org> <87lgklbekx.fsf@gnu.org>
In-Reply-To: <87lgklbekx.fsf@gnu.org>
To: 28751@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
> ludo@gnu.org (Ludovic Courtès) skribis:
>
> > ludo@gnu.org (Ludovic Courtès) skribis:
> >
> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> >> create setuid-root binaries under /gnu/store for all the programs listed
> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
> >
> > Fixed by
> > .
>
> Detailed announcement at:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html

FYI, this was assigned CVE-2017-1000455.

I just received the attached JSON from the Distributed Weakness Filing project (DWF) in response to my CVE application. I assume it will show up in the regular places (MITRE etc.) eventually.

Having thought about this bug for a while, I think it was not too bad in practice. The setuid executable files could be copied or preserved somehow by an attacker whether they were in the store or in /run/setuid-programs.

Attachment: CVE-2017-1000455.json

{
  "data_version": "4.0",
  "references": {
    "reference_data": [
      {"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}
    ]
  },
  "description": {
    "description_data": [
      {
        "lang": "eng",
        "value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."
      }
    ]
  },
  "data_type": "CVE",
  "affects": {
    "vendor": {
      "vendor_data": [
        {
          "product": {
            "product_data": [
              {
                "version": {
                  "version_data": [
                    {"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}
                  ]
                },
                "product_name": "GuixSD"
              }
            ]
          },
          "vendor_name": "GNU Guix"
        }
      ]
    }
  },
  "CVE_data_meta": {
    "DATE_ASSIGNED": "2017-12-29",
    "ID": "CVE-2017-1000455",
    "ASSIGNER": "kurt@seifried.org",
    "REQUESTER": "leo@famulari.name"
  },
  "data_format": "MITRE",
  "problemtype": {
    "problemtype_data": [
      {
        "description": [
          {"lang": "eng", "value": "Insecure Permissions"}
        ]
      }
    ]
  }
}
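As an added example (not code from this thread or from Guix itself), the following POSIX shell script reproduces the mechanism behind the bug in a throwaway directory: publishing a store file through a hard link and then setting the setuid bit on the link marks the store inode setuid, while a copy leaves the store file untouched. The fake store, the program and all paths are constructed; /gnu/store is never touched.

```sh
#!/bin/sh
# A hard link is a second name for the same inode, and the mode bits live on
# the inode, so chmod through either name changes both. A copy has its own
# inode. This is the difference between the pre-fix and post-fix behaviour of
# activate-setuid-programs described in the thread. Constructed example only.

# Succeeds if FILE carries the setuid bit (no reliance on stat(1) flag dialects).
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000)" ]
}

# Build a fake store and activation directory, publish the program with METHOD
# ("link" or "copy"), set setuid on the published name, then report whether the
# *store* file ended up setuid. Prints "setuid" or "clean".
activate_and_check() {
    method=$1
    tmp=$(mktemp -d)
    mkdir -p "$tmp/store" "$tmp/setuid-programs"
    printf '#!/bin/sh\necho hello\n' > "$tmp/store/prog"
    chmod 555 "$tmp/store/prog"          # store files: read-only, never setuid
    case "$method" in
        link) ln "$tmp/store/prog" "$tmp/setuid-programs/prog" ;;
        copy) cp "$tmp/store/prog" "$tmp/setuid-programs/prog" ;;
        *)    rm -rf "$tmp"; echo "unknown method: $method" >&2; return 2 ;;
    esac
    chmod u+s "$tmp/setuid-programs/prog" # what activation does to the published name
    if is_setuid "$tmp/store/prog"; then result=setuid; else result=clean; fi
    rm -rf "$tmp"
    echo "$result"
}

# Audit helper: list every regular file under DIR with setuid or setgid set.
# Run against a store-like tree, it should print nothing.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Stand-alone run: show both outcomes side by side.
echo "hard link: $(activate_and_check link)"   # setuid
echo "copy:      $(activate_and_check copy)"   # clean
```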