On 2024-03-12, Vagrant Cascadian wrote:
> On 2024-03-12, Salvatore Bonaccorso wrote:
>> The following vulnerability was published for guix.
>>
>> CVE-2024-27297[0]:
>> | Nix is a package manager for Linux and other Unix systems. Fixed-output
>> | derivations on Linux can send file descriptors to files in the Nix
>> | store to another program running on the host (or another fixed-output
>> | derivation) via Unix domain sockets in the abstract namespace. This
>> | allows the output of the derivation to be modified after Nix has
>> | registered the path as "valid" and immutable in the Nix database. In
>> | particular, this allows the output of fixed-output derivations to be
>> | modified from their expected content. This issue has been addressed in
>> | versions 2.3.18, 2.18.2, 2.19.4 and 2.20.5. Users are advised to
>> | upgrade. There are no known workarounds for this vulnerability.
> ...
> A summary from the guix perspective, including code to verify the issue
> was posted:
>
>   https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
>
> I have not yet had a chance to actually verify the fix on locally built
> Debian packages, but all three releases do successfully build with the
> patches applied.
I have now tested an updated 1.4.x package on bookworm and a 1.2.x package on bullseye, and the reproducer (with a small change for 1.2.x) was able to reproduce the problem before upgrading to the patched versions, but not after upgrading to a patched version.

I've pushed fixes to various branches; debian/latest (for unstable), debian/bookworm and debian/bullseye:

  https://salsa.debian.org/debian/guix/

Attached is the reproducer used on 1.2.x from bullseye, which should also work on 1.4.x in bookworm/trixie/sid.

live well, vagrant
[Attachment: guix-cve-2024-27297-patched (binary data)]
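The attached reproducer is not reproduced in the archive, so the following is an added, stand-alone illustration of the mechanism the CVE text describes; it is not Vagrant's reproducer, not Guix or Nix code, and does not touch a store. A child "builder" process opens its output file for writing and passes the descriptor through a Unix socket in the abstract namespace to the parent, which stands in for a process outside the build. After the builder exits, the parent marks the output read-only (standing in for the daemon registering the path as valid and immutable) and then writes through the smuggled descriptor anyway, because permission checks happen at open(), not at write(). The socket name, the temporary file layout and the "expected"/"TAMPERED" contents are assumptions chosen for this example. Linux only: the abstract socket namespace is a Linux feature, and the two processes here share a network namespace, which is exactly the condition the sandbox has to prevent.

```python
"""Added example: fd smuggling over an abstract-namespace AF_UNIX socket.

Not the reproducer from the thread and not Nix/Guix code. Linux only.
"""
import array
import os
import socket
import stat
import tempfile

# Hypothetical abstract socket name (leading NUL byte selects the abstract
# namespace); chosen for this example only.
SOCKET_NAME = b"\0fod-smuggle-demo-" + str(os.getpid()).encode()

EXPECTED = b"expected content\n"     # constructed "correct" build output
TAMPERED = b"TAMPERED content\n"     # constructed post-registration change


def send_fd(sock, fd):
    """Ship one descriptor as SCM_RIGHTS ancillary data."""
    sock.sendmsg([b"fd"],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock):
    """Receive one descriptor sent with SCM_RIGHTS and return its number."""
    fds = array.array("i")
    _msg, ancdata, _flags, _addr = sock.recvmsg(16, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    return fds[0]


def builder(path, name):
    """Child: write the expected output, leak a writable fd to it, exit."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    os.write(fd, EXPECTED)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(name)          # reaches the parent: shared abstract namespace
    send_fd(client, fd)
    client.close()
    os.close(fd)                  # builder's own copy is gone; the leaked one lives on


def run_demo():
    """Return (content_after_build, content_after_tamper, file_was_readonly)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "output")

    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(SOCKET_NAME)      # receiver listens before the "build" starts
    server.listen(1)

    pid = os.fork()
    if pid == 0:
        try:
            builder(path, SOCKET_NAME)
        finally:
            os._exit(0)

    conn, _ = server.accept()
    leaked_fd = recv_fd(conn)
    conn.close()
    server.close()
    os.waitpid(pid, 0)            # the build has finished

    # Stand-in for registering the path as valid: make it read-only and
    # record what the "validated" content is at this point.
    os.chmod(path, 0o444)
    with open(path, "rb") as f:
        after_build = f.read()
    readonly = not (os.stat(path).st_mode & stat.S_IWUSR)

    # Tamper through the smuggled descriptor. open() already granted write
    # access, so the later chmod does not stop this write.
    os.lseek(leaked_fd, 0, os.SEEK_SET)
    os.write(leaked_fd, TAMPERED)
    os.close(leaked_fd)
    with open(path, "rb") as f:
        after_tamper = f.read()

    os.chmod(path, 0o644)
    os.unlink(path)
    os.rmdir(tmpdir)
    return after_build, after_tamper, readonly


if __name__ == "__main__":
    built, tampered, ro = run_demo()
    print("after build :", built)
    print("read-only   :", ro)
    print("after tamper:", tampered)
```

Running it shows the output being rewritten after the file was already read-only, which is why checking the hash at registration time is not enough on its own: the fix has to keep the builder's sockets out of the namespace that other processes can reach.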