unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#47614: [security] Chunked store references in .zo files in Racket 8
@ 2021-04-06 11:06 Mark H Weaver
  2021-04-06 17:39 ` Léo Le Bouter via Bug reports for GNU Guix
  0 siblings, 1 reply; 9+ messages in thread
From: Mark H Weaver @ 2021-04-06 11:06 UTC (permalink / raw)
  To: 47614

On my system, Racket 8.0 contains a *.zo file that contains a *chunked*
store reference.  As a result, it retains a reference to the ungrafted
Gtk+, and therefore to the ungrafted glib, cairo, and libx11.

The file is:

  /gnu/store/…-racket-8.0/share/racket/pkgs/gui-lib/mred/private/wx/gtk/compiled/gtk3_rkt.zo,

and here's the relevant excerpt:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ hexdump -C /gnu/store/…-racket-8.0/share/racket/pkgs/gui-lib/mred/private/wx/gtk/compiled/gtk3_rkt.zo | grep -B2 -A6 /gnu/
00000cf0  c0 06 23 00 06 36 02 31  c7 c6 46 25 02 61 7f 0b  |..#..6.1..F%.a..|
00000d00  48 c7 c5 06 a3 01 28 67  03 32 01 08 0c 00 f0 23  |H.....(g.2.....#|
00000d10  05 00 58 11 1e 26 48 2f  67 6e 75 2f 73 74 6f 72  |..X..&H/gnu/stor|
00000d20  65 2f 6e 32 63 6e 70 32  66 69 76 78 71 31 30 6b  |e/n2cnp2fivxq10k|
00000d30  78 71 61 6c 63 76 32 71  34 31 77 7a 73 79 6a 39  |xqalcv2q41wzsyj9|
00000d40  79 64 62 01 d0 2b 2d 33  2e 32 34 2e 32 34 2f 6c  |ydb..+-3.24.24/l|
00000d50  69 62 04 00 f0 1f 67 74  6b 2d 33 2e 73 6f 00 0e  |ib....gtk-3.so..|
00000d60  11 1f 07 02 12 23 12 24  0c 26 00 15 06 41 0b 40  |.....#.$.&...A.@|
00000d70  00 1d 11 20 26 1e 5b 2e  2e 2e 61 74 65 2f 77 78  |... &.[...ate/wx|
--8<---------------cut here---------------end--------------->8---

The referenced store item is this:

  /gnu/store/n2cnp2fivxq10kxqalcv2q41wzsyj9yd-gtk+-3.24.24

Notice that in the .zo file, there are three additional bytes inserted
before the dash ("-").

This store reference is seen by the Guix scanner, because the nix hash
is stored contiguously.  However, it is *not* seen by the grafter.

Note that the grafter assumes that the entire store item name will be
stored contiguously.  The current implementation only finds hashes that
are immediately followed by a dash ("-"), and moreover assumes that nix
hashes will never occur except within the corresponding store item name.

In this case, the reference was simply ignored, because the dash was
separated from the hash.  If the extra junk had been inserted *after*
the dash, the grafter would have made a mess of things.  It would have
(incorrectly) assumed that the rest of the expected store item name
followed the dash, and inappropriately written the replacement string
over the unexpected bytes.

With this case in mind, I think we can no longer safely assume that the
bytes following a nix hash will be as we expect.  As a general
principle, I think that *every* byte that the grafter modifies should
first be checked against its expected value.  That should allow us to
catch problems like this early, and avoid non-obvious breakage cropping
up.

What do you think?

      Mark




^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2021-04-17  9:28 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <7eaf8b95-5550-66e1-fda2-d691255b49d7@philipmcgrath.com>
2021-04-07  1:48 ` bug#47614: [security] Chunked store references in .zo files in Racket 8 #47614 Philip McGrath
2021-04-16 15:46   ` bug#47614: [security] Chunked store references in .zo files in Racket 8 Ludovic Courtès
2021-04-16 19:46     ` Philip McGrath
2021-04-17  9:25     ` Mark H Weaver
2021-04-06 11:06 Mark H Weaver
2021-04-06 17:39 ` Léo Le Bouter via Bug reports for GNU Guix
2021-04-06 21:27   ` Mark H Weaver
2021-04-06 22:18     ` Léo Le Bouter via Bug reports for GNU Guix
2021-04-13 21:27       ` Mark H Weaver

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).