From: Reepca Russelstein via Guix-patches
To: 73919@debbugs.gnu.org
Cc: ludo@gnu.org
Date: Sun, 20 Oct 2024 17:35:22 -0500
Subject: [bug#73919] News entry
Message-ID: <87ldyijtcl.fsf@russelstein.xyz>
In-Reply-To: <87y12ih1q9.fsf@gnu.org>
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: security

Here's a news entry describing the vulnerability. The "TBD" commit should be replaced with the one that updated the guix package.

[Attachment: 0001-etc-news-add-news-entry-for-build-user-takeover-vuln.patch]

From 532996c5908fb14cc8d102865280fb203c075c9c Mon Sep 17 00:00:00 2001
From: Reepca Russelstein
Date: Sun, 20 Oct 2024 17:32:23 -0500
Subject: [PATCH] etc: news: add news entry for build user takeover vulnerability fix.

* etc/news.scm: add entry about build user takeover vulnerability.
---
 etc/news.scm | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index a90f92a..20cc3d7 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -33,6 +33,38 @@ (channel-news (version 0) =20 + (entry (commit "TBD") + (title + (en "Daemon vulnerability allowing takeover of build users fixed"= )) + (body + (en "A vulnerability allowing a local user to execute arbitrary c= ode +as any of the build users has been identified and fixed. Most notably, th= is +allows any local user to alter the result of any local build, even if it +happens inside a container. The only requirements to exploit this +vulnerability are the ability to start a derivation build and the ability = to +run arbitrary code with access to the store in the root PID namespace on t= he +machine that build occurs on. This largely limits the vulnerability to +multi-user systems. + +This vulnerability is caused by the fact that @command{guix-daemon} does n= ot +change ownership and permissions on the outputs of failed builds when it m= oves +them to the store, and is also caused by there being a window of time betw= een +when it moves outputs of successful builds to the store and when it changes +their ownership and permissions. Because of this, a build can create a bi= nary +with both setuid and setgid bits set and have it become visible to the out= side +world once the build ends. At that point any process that can access the +store can execute it and gain the build user's privileges. From there any +process owned by that build user can be manipulated via procfs and signals= at +will, allowing the attacker to control the output of its builds. + +You are advised to upgrade @command{guix-daemon}. Run @command{info \"(gu= ix) +Upgrading Guix\"}, for info on how to do that. Additionally, if there is = any +risk that a builder may have already created these setuid binaries (for +example on accident), run @command{guix gc} to remove all failed build +outputs. 
+ +See @uref{https://issues.guix.gnu.org/73919} for more information on this +vulnerability."))) (entry (commit "2fae63df2138b74d30e120364f0f272871595862") (title (en "Core packages updated") =2D-=20 2.45.2
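Review bot: the `(commit "TBD")` placeholder on the hunk's first added line has to be replaced with the hash of the commit that updated the guix package before this is applied, as the cover note itself says; until then the entry is keyed to a commit that does not exist in the repository, so it cannot be associated with any upgrade range. Two wording nits in the body text: `+run arbitrary code with access to the store in the root PID namespace on t= he` / `+machine that build occurs on.` reads better as "on the machine on which the build occurs", and "(for example on accident)" should be "(for example by accident)". The `=` soft line breaks and `=20`/`=2D` sequences visible in the hunk are quoted-printable transport encoding from the mail attachment, not part of the patch, and need no change.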