Bug#1066113: guix: CVE-2024-27297
On 2024-03-16, Vagrant Cascadian wrote:
> For anyone with Guix or Nix installed, if I understand correctly, it
> basically allows arbitrarily replacing the source code for anything that
> you might build using Guix or Nix.

Yes, for multi-user systems and people running untrusted code in
“guix shell -CW” container isolation, there is risk.

Regards,
Florian
Bug#1066113: guix: CVE-2024-27297
Control: severity 1066113 serious

On 2024-03-16, Vagrant Cascadian wrote:
> On 2024-03-15, Salvatore Bonaccorso wrote:
>> On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
>>> On 2024-03-13, Vagrant Cascadian wrote:
>>> > On 2024-03-12, Vagrant Cascadian wrote:
>>> >> On 2024-03-12, Salvatore Bonaccorso wrote:
>> We had a look, and as per
>> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
>> we think that it does not require a DSA, but a fix in the upcoming
>> point releases would be good.
>
> Oh my! I am a bit shocked by this honestly ... why is it treated as a
> minor security issue?
>
> I realize Guix is pretty niche in Debian... Nix is perhaps a little more
> widely used...
>
> For anyone with Guix or Nix installed, if I understand correctly, it
> basically allows arbitrarily replacing the source code for anything that
> you might build using Guix or Nix.
>
>> So can you submit it for the point releases? (make sure to adjust the
>> target distribution to bullseye respectively bookworm instead of
>> *-security).
>
> I can... although, I would like to make a kind and friendly nudge to
> reconsider a DSA if at all possible. :)

Thinking more on this... I worry that this issue is maybe more serious
than the Debian Security Team realizes?

If issues like this do not warrant a security update in Debian, I feel
the better course of action may be to remove Guix from Debian. I say
this reluctantly, with a heavy heart...

Marking as serious severity to reflect my opinion as the maintainer.

live well,
  vagrant
Bug#1066113: guix: CVE-2024-27297
On 2024-03-15, Salvatore Bonaccorso wrote:
> On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
>> On 2024-03-13, Vagrant Cascadian wrote:
>> > On 2024-03-12, Vagrant Cascadian wrote:
>> >> On 2024-03-12, Salvatore Bonaccorso wrote:
>> > I have now tested an updated 1.4.x package on bookworm and a 1.2.x
>> > package on bullseye, and the reproducer (with a small change for 1.2.x)
>> > was able to reproduce the problem before upgrading to the patched
>> > versions, but not after upgrading to a patched version.
>> >
>> > I've pushed fixes to various branches; debian/latest (for unstable),
>> > debian/bookworm and debian/bullseye:
>> >
>> >   https://salsa.debian.org/debian/guix/
>>
>> Attached should be debdiffs for updates for bookworm and bullseye. Let
>> me know if I should upload them or if someone from the security team
>> will!
...
> We had a look, and as per
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
> we think that it does not require a DSA, but a fix in the upcoming
> point releases would be good.

Oh my! I am a bit shocked by this honestly ... why is it treated as a
minor security issue?

I realize Guix is pretty niche in Debian... Nix is perhaps a little more
widely used...

For anyone with Guix or Nix installed, if I understand correctly, it
basically allows arbitrarily replacing the source code for anything that
you might build using Guix or Nix.

> So can you submit it for the point releases? (make sure to adjust the
> target distribution to bullseye respectively bookworm instead of
> *-security).

I can... although, I would like to make a kind and friendly nudge to
reconsider a DSA if at all possible. :)

> Thanks a lot for your work!

Likewise!

live well,
  vagrant
Bug#1066113: guix: CVE-2024-27297
Hi,

On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
> On 2024-03-13, Vagrant Cascadian wrote:
> > On 2024-03-12, Vagrant Cascadian wrote:
> >> On 2024-03-12, Salvatore Bonaccorso wrote:
> > I have now tested an updated 1.4.x package on bookworm and a 1.2.x
> > package on bullseye, and the reproducer (with a small change for 1.2.x)
> > was able to reproduce the problem before upgrading to the patched
> > versions, but not after upgrading to a patched version.
> >
> > I've pushed fixes to various branches; debian/latest (for unstable),
> > debian/bookworm and debian/bullseye:
> >
> >   https://salsa.debian.org/debian/guix/
>
> Attached should be debdiffs for updates for bookworm and bullseye. Let
> me know if I should upload them or if someone from the security team
> will!
>
> Guix did make a good blog post, and I am wondering if just referencing
> it is sufficient, or if we should provide some of the instructions
> directly in the security announcement?
>
>   https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
>
> The main things we might want to highlight are checking for corrupt
> items in the store (which may be expensive, depending on how big of an
> installation) and maybe also running the reproducer script (which needs
> changes mentioned previously in order to work with 1.2.x from bullseye).
>
> Hrm. The upgrading instructions from the blog post are not really
> relevant, as they are simply handled with "apt upgrade", so that might
> be a little confusing.

We had a look, and as per
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
we think that it does not require a DSA, but a fix in the upcoming
point releases would be good.

So can you submit it for the point releases? (make sure to adjust the
target distribution to bullseye respectively bookworm instead of
*-security).

Thanks a lot for your work!

Regards,
Salvatore
Bug#1066113: guix: CVE-2024-27297
On 2024-03-13, Vagrant Cascadian wrote:
> On 2024-03-12, Vagrant Cascadian wrote:
>> On 2024-03-12, Salvatore Bonaccorso wrote:
> I have now tested an updated 1.4.x package on bookworm and a 1.2.x
> package on bullseye, and the reproducer (with a small change for 1.2.x)
> was able to reproduce the problem before upgrading to the patched
> versions, but not after upgrading to a patched version.
>
> I've pushed fixes to various branches; debian/latest (for unstable),
> debian/bookworm and debian/bullseye:
>
>   https://salsa.debian.org/debian/guix/

Attached should be debdiffs for updates for bookworm and bullseye. Let
me know if I should upload them or if someone from the security team
will!

Guix did make a good blog post, and I am wondering if just referencing
it is sufficient, or if we should provide some of the instructions
directly in the security announcement?

  https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/

The main things we might want to highlight are checking for corrupt
items in the store (which may be expensive, depending on how big of an
installation) and maybe also running the reproducer script (which needs
changes mentioned previously in order to work with 1.2.x from bullseye).

Hrm. The upgrading instructions from the blog post are not really
relevant, as they are simply handled with "apt upgrade", so that might
be a little confusing.

live well,
  vagrant

Attachments: guix_1.2.0-4+deb11u2.debdiff, guix-1.4.0-3+deb12u1.debdiff
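The store check Vagrant mentions (`guix gc --verify=contents`, or `nix-store --verify --check-contents` on Nix) works by re-serialising each store path in NAR form, hashing it, and comparing the result with the hash recorded when the path was registered as valid; a path rewritten after registration, which is what this CVE permits, no longer matches. The following is an added illustration of that check, not code from this thread, from Guix or from Nix: it implements the NAR serialisation in Python and runs it over a constructed temporary tree that stands in for a fixed-output store path.

```python
import hashlib, os, stat, struct, tempfile

def _field(data):
    """One NAR field: 8-byte little-endian length, the bytes, zero padding to 8."""
    if isinstance(data, str):
        data = data.encode()
    return struct.pack("<Q", len(data)) + data + b"\0" * (-len(data) % 8)

def _node(path):
    """Serialise one filesystem node (regular file, symlink or directory) as NAR."""
    st, out = os.lstat(path), [_field("(")]
    if stat.S_ISREG(st.st_mode):
        out += [_field("type"), _field("regular")]
        if st.st_mode & 0o111:
            out += [_field("executable"), _field("")]
        with open(path, "rb") as fh:
            out += [_field("contents"), _field(fh.read())]
    elif stat.S_ISLNK(st.st_mode):
        out += [_field("type"), _field("symlink"), _field("target"), _field(os.readlink(path))]
    elif stat.S_ISDIR(st.st_mode):
        out += [_field("type"), _field("directory")]
        for name in sorted(os.listdir(path)):  # entries are ordered by byte value
            out += [_field("entry"), _field("("), _field("name"), _field(name),
                    _field("node"), _node(os.path.join(path, name)), _field(")")]
    return b"".join(out + [_field(")")])

def nar_serialise(path):
    """Full NAR archive: the magic string followed by the root node."""
    return _field("nix-archive-1") + _node(path)

def nar_sha256(path):
    return hashlib.sha256(nar_serialise(path)).hexdigest()

def verify_store_path(path, registered_hash):
    """True when the on-disk content still matches the hash recorded at registration."""
    return nar_sha256(path) == registered_hash

def make_sample_tree():
    """Constructed stand-in for a fixed-output store path (not a real /gnu/store)."""
    root = tempfile.mkdtemp(prefix="fod-")
    with open(os.path.join(root, "hello"), "w") as fh:
        fh.write("#!/bin/sh\necho hello\n")
    os.chmod(os.path.join(root, "hello"), 0o755)
    os.symlink("hello", os.path.join(root, "hi"))
    return root

def tamper_sample_tree(root):
    """Simulate a post-registration modification of an already 'valid' path."""
    with open(os.path.join(root, "hello"), "a") as fh:
        fh.write("echo injected\n")
```

On a real installation the registered hash is the one the daemon stored in its database at registration time; the cost Vagrant notes comes from reading and hashing every path in the store.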
Bug#1066113: guix: CVE-2024-27297
On 2024-03-12, Vagrant Cascadian wrote:
> On 2024-03-12, Salvatore Bonaccorso wrote:
>> The following vulnerability was published for guix.
>>
>> CVE-2024-27297[0]:
>> | Nix is a package manager for Linux and other Unix systems. A fixed-
>> | output derivations on Linux can send file descriptors to files in
>> | the Nix store to another program running on the host (or another
>> | fixed-output derivation) via Unix domain sockets in the abstract
>> | namespace. This allows to modify the output of the derivation, after
>> | Nix has registered the path as "valid" and immutable in the Nix
>> | database. In particular, this allows the output of fixed-output
>> | derivations to be modified from their expected content. This issue
>> | has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
>> | Users are advised to upgrade. There are no known workarounds for
>> | this vulnerability.
...
> A summary from the guix perspective, including code to verify the issue
> was posted:
>
>   https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
>
> I have not yet had a chance to actually verify the fix on locally built
> Debian packages, but all three releases do successfully build with the
> patches applied.

I have now tested an updated 1.4.x package on bookworm and a 1.2.x
package on bullseye, and the reproducer (with a small change for 1.2.x)
was able to reproduce the problem before upgrading to the patched
versions, but not after upgrading to a patched version.

I've pushed fixes to various branches; debian/latest (for unstable),
debian/bookworm and debian/bullseye:

  https://salsa.debian.org/debian/guix/

Attached is the reproducer used on 1.2.x from bullseye, which should
also work on 1.4.x in bookworm/trixie/sid.

live well,
  vagrant

Attachment: guix-cve-2024-27297-patched
Bug#1066113: guix: CVE-2024-27297
Control: clone -1 -2
Control: reassign -2 src:nix 2.18.1+dfsg-1
Control: retitle -2 nix: CVE-2024-27297

Hi,

On Tue, Mar 12, 2024 at 04:01:26PM -0700, Vagrant Cascadian wrote:
> Control: found 1066113 1.4.0-3
> Control: tags 1066113 pending
>
> On 2024-03-12, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for guix.
> >
> > CVE-2024-27297[0]:
> > | Nix is a package manager for Linux and other Unix systems. A fixed-
> > | output derivations on Linux can send file descriptors to files in
> > | the Nix store to another program running on the host (or another
> > | fixed-output derivation) via Unix domain sockets in the abstract
> > | namespace. This allows to modify the output of the derivation, after
> > | Nix has registered the path as "valid" and immutable in the Nix
> > | database. In particular, this allows the output of fixed-output
> > | derivations to be modified from their expected content. This issue
> > | has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
> > | Users are advised to upgrade. There are no known workarounds for
> > | this vulnerability.
>
> Technically, it was published for Nix (CCed the listed maintainer)! Guix
> just happens to share some of the same code history. :)
>
> Should the bug be cloned for nix, or a separate bug filed?

You are absolutely right, I should have done that from the start. Done
now with this message and kept some sort of context.

> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-27297
> >     https://www.cve.org/CVERecord?id=CVE-2024-27297
> > [1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
> >
> > Please adjust the affected versions in the BTS as needed.
>
> There was another followup fix committed in upstream guix, which I
> already merged into the Debian packaging:
>
>   https://salsa.debian.org/debian/guix/-/commit/03eeedaddbdded880743461cbca0261b96737319
>
> This commit can be trivially cherry-picked for bookworm (1.4.0-3) and
> for bullseye (with some easily resolved conflicts in
> debian/patches/series).
>
> A summary from the guix perspective, including code to verify the issue
> was posted:
>
>   https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
>
> I have not yet had a chance to actually verify the fix on locally built
> Debian packages, but all three releases do successfully build with the
> patches applied.

Regards,
Salvatore
Bug#1066113: guix: CVE-2024-27297
Control: found 1066113 1.4.0-3
Control: tags 1066113 pending

On 2024-03-12, Salvatore Bonaccorso wrote:
> The following vulnerability was published for guix.
>
> CVE-2024-27297[0]:
> | Nix is a package manager for Linux and other Unix systems. A fixed-
> | output derivations on Linux can send file descriptors to files in
> | the Nix store to another program running on the host (or another
> | fixed-output derivation) via Unix domain sockets in the abstract
> | namespace. This allows to modify the output of the derivation, after
> | Nix has registered the path as "valid" and immutable in the Nix
> | database. In particular, this allows the output of fixed-output
> | derivations to be modified from their expected content. This issue
> | has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
> | Users are advised to upgrade. There are no known workarounds for
> | this vulnerability.

Technically, it was published for Nix (CCed the listed maintainer)! Guix
just happens to share some of the same code history. :)

Should the bug be cloned for nix, or a separate bug filed?

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-27297
>     https://www.cve.org/CVERecord?id=CVE-2024-27297
> [1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
>
> Please adjust the affected versions in the BTS as needed.

There was another followup fix committed in upstream guix, which I
already merged into the Debian packaging:

  https://salsa.debian.org/debian/guix/-/commit/03eeedaddbdded880743461cbca0261b96737319

This commit can be trivially cherry-picked for bookworm (1.4.0-3) and
for bullseye (with some easily resolved conflicts in
debian/patches/series).

A summary from the guix perspective, including code to verify the issue
was posted:

  https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/

I have not yet had a chance to actually verify the fix on locally built
Debian packages, but all three releases do successfully build with the
patches applied.

live well,
  vagrant
Bug#1066113: guix: CVE-2024-27297
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 1.2.0-4+deb11u1

Hi,

Vagrant, knowing that you are aware already, but filing for having a
Debian bug tracking reference.

The following vulnerability was published for guix.

CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. A fixed-
| output derivations on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows to modify the output of the derivation, after
| Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
    https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore