From: Léo Le Bouter via Bug reports for GNU Guix
To: Mark H Weaver, 47614@debbugs.gnu.org
Subject: bug#47614: [security] Chunked store references in .zo files in Racket 8
Date: Tue, 06 Apr 2021 19:39:42 +0200
In-Reply-To: <87k0pf7jti.fsf@netris.org>
References: <87k0pf7jti.fsf@netris.org>

I think that probably replacing arbitrary paths in built binaries is a risky and maybe unreliable engineering choice and that mechanisms inside kernels should be preferred to give processes a different view of the file system (retaining the path but changing the contents of the folder).

OTOH, what would be wrong with replacing hashes directly without expecting them to be next to anything else?

Léo