Control: clone -1 -2
Control: reassign -2 src:nix 2.18.1+dfsg-1
Control: retitle -2 nix: CVE-2024-27297
Hi,

On Tue, Mar 12, 2024 at 04:01:26PM -0700, Vagrant Cascadian wrote:
> Control: found 1066113 1.4.0-3
> Control: tags 1066113 pending
>
> On 2024-03-12, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for guix.
> >
> > CVE-2024-27297[0]:
> > | Nix is a package manager for Linux and other Unix systems. A fixed-
> > | output derivations on Linux can send file descriptors to files in
> > | the Nix store to another program running on the host (or another
> > | fixed-output derivation) via Unix domain sockets in the abstract
> > | namespace. This allows to modify the output of the derivation, after
> > | Nix has registered the path as "valid" and immutable in the Nix
> > | database. In particular, this allows the output of fixed-output
> > | derivations to be modified from their expected content. This issue
> > | has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
> > | Users are advised to upgrade. There are no known workarounds for
> > | this vulnerability.
>
> Technically, it was published for Nix (CCed the listed maintainer)! Guix
> just happens to share some of the same code history. :)
>
> Should the bug be cloned for nix, or a separate bug filed?

You are absolutely right, I should have done that from the start. Done
now with this message and kept some sort of context.

> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-27297
> >     https://www.cve.org/CVERecord?id=CVE-2024-27297
> > [1]
> > https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
> >
> > Please adjust the affected versions in the BTS as needed.
>
> There was another followup fix committed in upstream guix, which I
> already merged into the Debian packaging:
>
>   https://salsa.debian.org/debian/guix/-/commit/03eeedaddbdded880743461cbca0261b96737319
>
> This commit can be trivially cherry-picked for bookworm (1.4.0-3) and
> for bullseye (with some easily resolved conflicts in
> debian/patches/series).
>
> A summary from the guix perspective, including code to verify the issue
> was posted:
>
>   https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
>
> I have not yet had a chance to actually verify the fix on locally built
> Debian packages, but all three releases do successfully build with the
> patches applied.

Regards,
Salvatore