From: Tobias Geerinckx-Rice via Bug reports for GNU Guix
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 13:53:35 +0200
Message-ID: <87y2xno85o.fsf@nckx>
References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org>
In-reply-to: <87blujsqq0.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, GNU Guix maintainers, guix-security@gnu.org
Reply-To: Tobias Geerinckx-Rice

Ludo',

Thanks for your report :-p

The 1777 is obviously very bad, no question. However: question:

Ludovic Courtès wrote:
> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of
> the client for clients connecting over TCP. Or we’d need to add a
> challenge mechanism or authentication.

I need more cluebat please: say I'm an attacker and connect to your
daemon (over TCP, why not), asking it to create an empty ‘per-user/ludo’.

Assuming the daemon creates it with sane permissions (say 0755) &
without any race conditions, what's my evil plan now?

Kind regards,

T G-R
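As an added illustration (not code from the Guix or Nix daemon), here is what "sane permissions and no race conditions" for a daemon-created `per-user/$USER` can look like: the entry under a 1777 root is created or opened without following symlinks, and ownership and mode are verified on the open descriptor rather than on the path. The base layout, user names and the self-test scenario are constructed assumptions.

```python
import os, stat, tempfile

def open_per_user_dir(base, user, uid, mode=0o755):
    """Return a fd for base/<user>, a real directory owned by uid and not
    group/world-writable; base is a 1777 root like the per-user profile root
    discussed above (assumed layout).  All checks are made on the opened fd."""
    path = os.path.join(base, user)
    try:
        os.mkdir(path, mode)         # EEXIST on a pre-existing entry; never follows a symlink
        created = True
    except FileExistsError:
        created = False
    # O_NOFOLLOW makes a symlink fail with ELOOP; O_DIRECTORY rejects plain files.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if created:                  # a fresh dir is owned by the daemon's euid
            os.fchmod(fd, mode)      # undo whatever the umask stripped
            if uid != os.geteuid():  # a root daemon hands it to the user
                os.fchown(fd, uid, -1)
        st = os.fstat(fd)
        if st.st_uid != uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, not {uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: writable by group or others")
    except BaseException:
        os.close(fd)
        raise
    return fd

def check_per_user_dir(base, user, uid):
    """Non-raising wrapper: (True, 'ok') or (False, reason)."""
    try:
        os.close(open_per_user_dir(base, user, uid))
        return True, "ok"
    except OSError as e:             # PermissionError, ELOOP, ENOTDIR, ...
        return False, str(e)

def self_test():
    """Constructed scenario: a 1777 root holding entries the check must reject."""
    me, out = os.getuid(), {}
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o1777)
        out["fresh"] = check_per_user_dir(base, "alice", me)
        os.symlink("alice", os.path.join(base, "bob"))              # a symlink, not a dir
        out["symlink"] = check_per_user_dir(base, "bob", me)
        os.mkdir(os.path.join(base, "carol"))
        os.chmod(os.path.join(base, "carol"), 0o777)                # too permissive
        out["loose"] = check_per_user_dir(base, "carol", me)
        out["foreign"] = check_per_user_dir(base, "alice", me + 1)  # not the user's own
    return out
```

Calling `open_per_user_dir` twice for the same user is idempotent: the second call finds the directory, verifies it on the fd and returns it.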