Subject: [bug#73919] Daemon vulnerability allowing takeover of build users
From: Reepca Russelstein via Guix-patches
To: Ludovic Courtès
Cc: 73919@debbugs.gnu.org
Date: Wed, 23 Oct 2024 13:20:45 -0500
Message-ID: <875xpiisua.fsf@russelstein.xyz>
In-Reply-To: <87cyjtead9.fsf_-_@gnu.org> ("Ludovic Courtès"'s message of "Mon, 21 Oct 2024 17:36:34 +0200")
References: <87y12ih1q9.fsf@gnu.org> <87a5eyhwgz.fsf@russelstein.xyz> <87cyjtead9.fsf_-_@gnu.org>

Ludovic Courtès writes:

>> From 22adb50845bf4af7b1d6fd78e2515c3387356ce1 Mon Sep 17 00:00:00 2001
>> From: Reepca Russelstein
>> Date: Mon, 21 Oct 2024 00:04:32 -0500
>> Subject: [PATCH] website: Add 2024-10-21 security advisory post
>>
>> * website/posts/2024-10-21-security-advisory.md: new file.
>
> I pushed this patch a few hours ago and followed up with minor edits:
>
>   https://guix.gnu.org/blog/2024/build-user-takeover-vulnerability/
>

Thanks, the changes look good, except for one part:

> Your are strongly advised

- reepca