From: Ludovic Courtès
Subject: [bug#69728] [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
Date: Mon, 11 Mar 2024 23:16:31 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

Ludovic Courtès <ludo@gnu.org> wrote:

> This fixes a security issue (CVE-2024-27297) whereby a fixed-output
> derivation build process could open a writable file descriptor to its
> output, send it to some outside process for instance over an abstract
> AF_UNIX socket, which would then allow said process to modify the file
> in the store after it has been marked as “valid”.
>
> Nix security advisory:
> https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
>
> * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
> a file descriptor.  Rewrite the ‘Path’ variant accordingly.
> (copyFile, copyFileRecursively): New functions.
> * nix/libutil/util.hh (copyFileRecursively): New declaration.
> * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
> is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
>
> Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
>
> Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt 
> <theophane.hufschmitt@tweag.io>
> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
> ---
>  nix/libstore/build.cc |  16 ++++++
>  nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
>  nix/libutil/util.hh   |   6 +++
>  3 files changed, 129 insertions(+), 5 deletions(-)

Pushed (with a slightly different commit message) as
8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
Guix System users can now reconfigure!

Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.

Ludo’.
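The copy-then-rename mitigation the commit message describes, as an added illustration that is neither the daemon's code nor the patch: `replaceWithFreshCopy` and `demoLeakedDescriptor` are hypothetical names, the single-file copy stands in for the patch's recursive `copyFileRecursively`, and the sample output and `.fresh` temporary name are constructed. It shows that a writable descriptor opened on the original output keeps pointing at the old inode after the rename, so writes through it no longer reach the store path.

```cpp
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <fstream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

static std::string readFile(const std::string &path)
{
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), {});
}

// Copy 'path' into a brand-new inode, then rename the copy over it, so a
// descriptor leaked for the original refers to an orphaned inode and writes
// through it never reach the store path.  (Hypothetical single-file version.)
static void replaceWithFreshCopy(const std::string &path)
{
    struct stat st;
    if (stat(path.c_str(), &st) < 0 || !S_ISREG(st.st_mode))
        throw std::runtime_error("not a regular file: " + path);
    std::string tmp = path + ".fresh", data = readFile(path);
    // O_EXCL: create the inode ourselves, never reuse one already held open.
    int fd = open(tmp.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC,
                  st.st_mode & 07777);  // keep the original permission bits
    if (fd < 0) throw std::runtime_error("cannot create " + tmp);
    if (write(fd, data.data(), data.size()) != (ssize_t) data.size()) {
        close(fd); throw std::runtime_error("write failed: " + tmp);
    }
    if (fsync(fd) < 0 || close(fd) < 0 || rename(tmp.c_str(), path.c_str()) < 0)
        throw std::runtime_error("cannot commit " + path);
}

// Demo: the builder leaks a writable descriptor to its output, the daemon
// runs replaceWithFreshCopy, then the stale descriptor is written through.
// Returns the store path's final contents (constructed sample data).
static std::string demoLeakedDescriptor(const std::string &dir)
{
    std::string path = dir + "/output";
    { std::ofstream out(path); out << "genuine build output\n"; }
    int leaked = open(path.c_str(), O_WRONLY);  // what the builder would leak
    replaceWithFreshCopy(path);
    if (write(leaked, "tampered", 8) != 8) return "stale write failed";
    close(leaked);  // the 8 bytes went to the orphaned inode, not the store
    return readFile(path);
}
```

Call `demoLeakedDescriptor` on a scratch directory (for example one from `mkdtemp`); it returns the untouched `"genuine build output\n"`.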
