guix-patches

From: John Kehayias
Subject: [bug#69728] [PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
Date: Tue, 12 Mar 2024 00:42:58 +0000

Hi all,

On Mon, Mar 11, 2024 at 11:16 PM, Ludovic Courtès wrote:

> Ludovic Courtès <ludo@gnu.org> skribis:
>
>> This fixes a security issue (CVE-2024-27297) whereby a fixed-output
>> derivation build process could open a writable file descriptor to its
>> output, send it to some outside process for instance over an abstract
>> AF_UNIX socket, which would then allow said process to modify the file
>> in the store after it has been marked as “valid”.
>>
>> Nix security advisory:
>> <https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37>
>>
>> * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
>> a file descriptor.  Rewrite the ‘Path’ variant accordingly.
>> (copyFile, copyFileRecursively): New functions.
>> * nix/libutil/util.hh (copyFileRecursively): New declaration.
>> * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
>> is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
>>
>> Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
>>
>> Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane
>> Hufschmitt <theophane.hufschmitt@tweag.io>
>> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
>> ---
>>  nix/libstore/build.cc |  16 ++++++
>>  nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
>>  nix/libutil/util.hh   |   6 +++
>>  3 files changed, 129 insertions(+), 5 deletions(-)
>
> Pushed (with a slightly different commit message) as
> 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
>
> Updated the ‘guix’ package in b8954a7faeccae11c32add7cd0f408d139af3a43:
> Guix System users can now reconfigure!
>
> Added a news entry in 4003c60abf7a6e59e47cc2deb9eef2f104ebb994.
>
> Ludo’.

Many thanks for the quick fix, deployment, and news entry!

I've attached a draft of a blog post to add some information and
further alert users. Please give it a read and feel free to make any
changes or corrections. Especially if I misunderstood or glossed too
quickly over any technical aspects, though I kept it light. And, if
all looks good, feel free to take whatever steps to post this to the
website.

Two minor questions/comments:

1. I made a note that presumably there is some performance penalty for
   copying everything, probably for derivations with many files. But I
   haven't tested this, just picked up on this from what was said on
   the Nix side as a potential impact.

2. Is picnoir the same as Félix Baylac Jacqué? I wasn't sure based on
   emails; fine to change to whatever they want for credit for
   reporting this to us. Based on what was posted on the Nix side, it
   seems jade and puckipedia are the original finders/reporters of the
   security issue. But feel free to correct me.


Thanks everyone!
John

Attachment: cve-2024-27297-post.md
Description: Binary data
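The copy-then-rename step described in the quoted commit message (copy each fixed-output path to a fresh location, then rename it into place) can be checked with a small stand-alone regression test. The code below is an added example, not the Guix daemon's own code: the helper name `copyFileRecursively` echoes the commit, but its body, the `.tmp-copy` suffix, the removal of the original before `rename(2)`, and the constructed output directory under `$TMPDIR` are this example's own assumptions. It reproduces the scenario from the advisory on a throwaway directory (a writable descriptor to an output file that outlives "validation") and reports whether a write through that descriptor is still visible at the store path, with and without the mitigation.

```cpp
// Added example (not Guix daemon code): regression check for the
// copy-then-rename mitigation against leaked output file descriptors.
#include <cerrno>
#include <cstdio>
#include <filesystem>
#include <fstream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <system_error>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

namespace fs = std::filesystem;

[[noreturn]] static void sysError(const std::string& what) {
    throw std::system_error(errno, std::generic_category(), what);
}

// Copy one regular file into a *new* inode. O_EXCL guarantees we never write
// into an existing file, which could be exactly the one a leaked descriptor refers to.
static void copyRegularFile(const fs::path& src, const fs::path& dst) {
    int in = open(src.c_str(), O_RDONLY | O_CLOEXEC);
    if (in < 0) sysError("open " + src.string());
    struct stat st {};
    if (fstat(in, &st) < 0) { close(in); sysError("fstat " + src.string()); }
    int out = open(dst.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, st.st_mode & 07777);
    if (out < 0) { close(in); sysError("create " + dst.string()); }
    char buf[1 << 16];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) { close(in); close(out); sysError("write " + dst.string()); }
            off += w;
        }
    }
    if (n < 0) { close(in); close(out); sysError("read " + src.string()); }
    close(in);
    close(out);
}

// Recreate src at dst: directories are re-made, symlinks re-linked, regular
// files copied byte-for-byte. Every object under dst is a fresh inode.
static void copyFileRecursively(const fs::path& src, const fs::path& dst) {
    fs::file_status st = fs::symlink_status(src);
    if (fs::is_symlink(st)) {
        fs::create_symlink(fs::read_symlink(src), dst);
    } else if (fs::is_directory(st)) {
        fs::create_directory(dst);
        for (const auto& entry : fs::directory_iterator(src))
            copyFileRecursively(entry.path(), dst / entry.path().filename());
        fs::permissions(dst, fs::status(src).permissions());  // after populating
    } else if (fs::is_regular_file(st)) {
        copyRegularFile(src, dst);
    } else {
        throw std::runtime_error("unsupported file type: " + src.string());
    }
}

// The mitigation: replace the output with a fresh copy so that any descriptor
// the build process handed out now refers to inodes no longer reachable at the path.
// Temp suffix and "remove, then rename" are this example's choices.
static void breakLeakedDescriptors(const fs::path& output) {
    fs::path tmp = output.string() + ".tmp-copy";
    fs::remove_all(tmp);
    copyFileRecursively(output, tmp);
    fs::remove_all(output);  // rename(2) cannot replace a non-empty directory
    if (rename(tmp.c_str(), output.c_str()) < 0) sysError("rename " + tmp.string());
}

// Constructed scenario: a writable descriptor to an output file survives past
// the point where the output would be marked valid. Returns true if a write
// through that descriptor is visible at the output path afterwards.
static bool writeThroughRetainedFdIsVisible(bool applyMitigation) {
    fs::path root = fs::temp_directory_path() / ("fd-escape-demo-" + std::to_string(getpid()));
    fs::remove_all(root);
    fs::path output = root / "out";
    fs::create_directories(output);
    {
        std::ofstream f(output / "data");
        f << "original\n";
    }
    int leaked = open((output / "data").c_str(), O_WRONLY);  // opened before "validation"
    if (leaked < 0) sysError("open data");

    if (applyMitigation) breakLeakedDescriptors(output);

    const char payload[] = "tampered\n";  // same length, overwrites in place
    if (write(leaked, payload, sizeof payload - 1) < 0) sysError("write via retained fd");
    close(leaked);

    std::ifstream in(output / "data");
    std::string content((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
    fs::remove_all(root);
    return content == "tampered\n";
}

int main() {
    std::printf("without mitigation, tampering visible: %s\n",
                writeThroughRetainedFdIsVisible(false) ? "yes" : "no");
    std::printf("with copy+rename, tampering visible: %s\n",
                writeThroughRetainedFdIsVisible(true) ? "yes" : "no");
    return 0;
}
```

Build with `g++ -std=c++17 fd_escape_check.cpp && ./a.out`. The point the check makes is that the fix does not need to find or close the leaked descriptor: after the copy, the descriptor still works, but it only reaches an unlinked inode, so the bytes at the store path are the ones that were hashed and validated. This also shows where the cost John mentions comes from, since every file of every fixed-output derivation is read and rewritten once.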

