From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
Date: Sat, 30 Dec 2017 01:28:09 +0100
Message-ID: <87o9mh2h5y.fsf@gnu.org>
References: <87h8v9cuhw.fsf@gnu.org> <877ew5cu56.fsf@gnu.org> <87lgklbekx.fsf@gnu.org> <20171229223329.GA25194@jasmine.lan>
In-Reply-To: <20171229223329.GA25194@jasmine.lan> (Leo Famulari's message of "Fri, 29 Dec 2017 17:33:29 -0500")
To: Leo Famulari
Cc: 28751@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

Leo Famulari writes:

> On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
>> ludo@gnu.org (Ludovic Courtès) writes:
>> > ludo@gnu.org (Ludovic Courtès) writes:
>> >
>> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> >> create setuid-root binaries under /gnu/store for all the programs listed
>> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>> >
>> > Fixed by
>> > .
>>
>> Detailed announcement at:
>>
>> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
>
> FYI, this was assigned CVE-2017-1000455.
>
> I just received this JSON from the Distributed Weakness Filing project
> (DWF) in response to my CVE application:
>
> {"data_version": "4.0","references": {"reference_data": [{"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}]},"description": {"description_data": [{"lang": "eng","value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}]},"product_name": "GuixSD"}]},"vendor_name": "GNU Guix"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-12-29","ID": "CVE-2017-1000455","ASSIGNER": "kurt@seifried.org","REQUESTER": "leo@famulari.name"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Insecure Permissions"}]}]}}
>
> I assume it will show up in the regular places (MITRE etc) eventually.

Great, thanks for following up!

Ludo’.
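
The hard-link behaviour named in the CVE description above, as an added example that is not part of the original thread or of Guix's code: a chmod on a hard link changes the shared inode, so the setuid bit also appears on the file inside the store, and `find_setid_files` is the audit that catches it. The scratch directories `store` and `setuid-programs`, the file names, and the use of a copy as the corrected pattern are assumptions; the thread does not describe the fix.

```python
import os
import shutil
import stat
import tempfile


def find_setid_files(root):
    """Return (path, mode, nlink) for regular files under root with setuid/setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_nlink))
    return sorted(hits)


def demo():
    """Constructed scenario in a temp dir; nothing outside it is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "store")                # stand-in for /gnu/store
        setuid_dir = os.path.join(tmp, "setuid-programs")  # hypothetical target dir
        os.makedirs(store)
        os.makedirs(setuid_dir)
        target = os.path.join(store, "prog")
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(target, 0o555)

        # Weak pattern: the link is a second name for the same inode, so this
        # chmod also makes the file inside the store setuid.
        linked = os.path.join(setuid_dir, "prog-linked")
        os.link(target, linked)
        os.chmod(linked, 0o4555)
        after_link = [os.path.relpath(p, store) for p, _m, _n in find_setid_files(store)]

        # Corrected pattern (assumed): clear the bit, then copy so that the
        # setuid bit lands on a separate inode outside the store.
        os.chmod(target, 0o555)
        copied = os.path.join(setuid_dir, "prog-copied")
        shutil.copyfile(target, copied)
        os.chmod(copied, 0o4555)
        after_copy = find_setid_files(store)
        return after_link, after_copy


if __name__ == "__main__":
    print(demo())
    for path, mode, nlink in find_setid_files("/gnu/store"):
        print(f"{oct(mode)} nlink={nlink} {path}")
```

On a system with a real store, any line printed by the final loop is a setuid or setgid file under /gnu/store, and a link count above 1 shows that the same inode is reachable under another name.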