Hi all,

On Mon, Mar 11, 2024 at 11:16 PM, Ludovic Courtès wrote:

> Ludovic Courtès skribis:
>
>> This fixes a security issue (CVE-2024-27297) whereby a fixed-output
>> derivation build process could open a writable file descriptor to its
>> output, send it to some outside process for instance over an abstract
>> AF_UNIX socket, which would then allow said process to modify the file
>> in the store after it has been marked as “valid”.
>>
>> Nix security advisory:
>>
>>
>> * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
>> a file descriptor. Rewrite the ‘Path’ variant accordingly.
>> (copyFile, copyFileRecursively): New functions.
>> * nix/libutil/util.hh (copyFileRecursively): New declaration.
>> * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
>> is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
>>
>> Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
>>
>> Reported-by: Picnoir , Théophane
>> Hufschmitt
>> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
>> ---
>>  nix/libstore/build.cc |  16 ++++++
>>  nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
>>  nix/libutil/util.hh   |   6 +++
>>  3 files changed, 129 insertions(+), 5 deletions(-)
>
> Pushed (with a slightly different commit message) as
> 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
>
> Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
> Guix System users can now reconfigure!
>
> Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.
>
> Ludo’.

Many thanks for the quick fix, deployment, and news entry!

I've attached a draft of a blog post to add some information and further alert users. Please give it a read and feel free to make any changes or corrections, especially if I misunderstood or glossed too quickly over any technical aspects, though I kept it light. And, if all looks good, feel free to take whatever steps to post this to the website.

Two minor questions/comments:

1. I made a note that presumably there is some performance penalty for copying everything, probably for derivations with many files. But I haven't tested this, just picked up on this from what was said on the Nix side as a potential impact.

2. Is picnoir the same as Félix Baylac Jacqué? I wasn't sure based on emails; fine to change to whatever they want for credit for reporting this to us. Based on what was posted on the Nix side, it seems jade and puckipedia are the original finders/reporters of the security issue. But feel free to correct me.

Thanks everyone!

John
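As an added illustration, not the Guix or Nix code from the commit quoted above, the following uses only POSIX file calls to show why copying each fixed output into a fresh inode and renaming it into place neutralises a writable descriptor that the build process kept open: a later write through the stale descriptor lands on the orphaned inode, not on the registered file. The scratch directory and file contents are constructed for the demo.

```cpp
// Added example (not Guix/Nix code): why "copy, then rename" defeats a
// leaked writable descriptor. Paths and contents are constructed here.
#include <cstdlib>
#include <cstring>
#include <fcntl.h>
#include <string>
#include <unistd.h>

// Copy a regular file into a fresh inode and rename it over the original,
// mirroring what the fix does per output before marking it valid.
static bool sealOutput(const std::string &path) {
    std::string tmp = path + ".tmp";
    int in = open(path.c_str(), O_RDONLY);
    if (in < 0) return false;
    int out = open(tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0444);
    if (out < 0) { close(in); return false; }
    char buf[4096]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, n) != n) { close(in); close(out); return false; }
    close(in); close(out);
    return rename(tmp.c_str(), path.c_str()) == 0;  // atomic swap of inodes
}

static std::string readAll(const std::string &path) {
    std::string s; char buf[4096]; ssize_t n;
    int fd = open(path.c_str(), O_RDONLY);
    if (fd < 0) return "";
    while ((n = read(fd, buf, sizeof buf)) > 0) s.append(buf, n);
    close(fd);
    return s;
}

// Builder writes its output but keeps a writable descriptor open; the store
// registers the output (with or without the fix); the descriptor is written to.
static std::string simulate(bool applyFix) {
    char dirTemplate[] = "/tmp/fod-demo-XXXXXX";  // constructed scratch dir
    char *dir = mkdtemp(dirTemplate);
    if (!dir) return "";
    std::string out = std::string(dir) + "/output";
    int leaked = open(out.c_str(), O_RDWR | O_CREAT, 0644);
    if (leaked < 0) return "";
    const char *good = "expected fixed output\n";
    if (write(leaked, good, strlen(good)) < 0) return "";
    if (applyFix && !sealOutput(out)) return "";  // new inode; old one orphaned
    (void)pwrite(leaked, "TAMPERED", 8, 0);  // hits whichever inode fd refers to
    close(leaked); std::string result = readAll(out);
    unlink(out.c_str()); rmdir(dir);
    return result;
}
```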