From: "Ludovic Courtès" <ludo@gnu.org>
To: 69728@debbugs.gnu.org
Cc: Picnoir <picnoir@alternativebit.fr>,
"Théophane Hufschmitt" <theophane.hufschmitt@tweag.io>,
guix-security@gnu.org
Subject: [bug#69728] [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
Date: Mon, 11 Mar 2024 23:16:31 +0100 [thread overview]
Message-ID: <87frwwo1mo.fsf@gnu.org> (raw)
In-Reply-To: <f541e64f128d82e6d9eca3b1d40e833dc06fd968.1710154382.git.ludo@gnu.org> ("Ludovic Courtès"'s message of "Mon, 11 Mar 2024 11:54:00 +0100")
Ludovic Courtès <ludo@gnu.org> skribis:
> This fixes a security issue (CVE-2024-27297) whereby a fixed-output
> derivation build process could open a writable file descriptor to its
> output, send it to some outside process for instance over an abstract
> AF_UNIX socket, which would then allow said process to modify the file
> in the store after it has been marked as “valid”.
>
> Nix security advisory:
> https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
>
> * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
> a file descriptor. Rewrite the ‘Path’ variant accordingly.
> (copyFile, copyFileRecursively): New functions.
> * nix/libutil/util.hh (copyFileRecursively): New declaration.
> * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
> is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
>
> Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
>
> Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
> ---
> nix/libstore/build.cc | 16 ++++++
> nix/libutil/util.cc | 112 ++++++++++++++++++++++++++++++++++++++++--
> nix/libutil/util.hh | 6 +++
> 3 files changed, 129 insertions(+), 5 deletions(-)
Pushed (with a slightly different commit message) as
8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
Guix System users can now reconfigure!
Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.
Ludo’.
next prev parent reply other threads:[~2024-03-11 22:18 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-11 10:54 [bug#69728] [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297) Ludovic Courtès
2024-03-11 22:16 ` Ludovic Courtès [this message]
2024-03-12 0:42 ` John Kehayias via Guix-patches via
2024-03-12 13:31 ` Ludovic Courtès
2024-03-12 13:45 ` [bug#69728] Reproducer for the daemon fixed-output derivation vulnerability Ludovic Courtès
2024-03-12 14:35 ` John Kehayias via Guix-patches via
2024-03-12 15:31 ` [bug#69728] [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297) Ludovic Courtès
2024-03-13 10:00 ` bug#69728: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87frwwo1mo.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=69728@debbugs.gnu.org \
--cc=guix-security@gnu.org \
--cc=picnoir@alternativebit.fr \
--cc=theophane.hufschmitt@tweag.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).