bug#69777: Please add a test for CVE-2024-27297
On 2024-03-13, Vagrant Cascadian wrote: > It would be really nice, especially for downstream distributors, if > there was a test for CVE-2024-27297. > > There is working code to test this in the excellent blog post on the > subject, which is a likely good starting point! > > > https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/ > > Super extra bonus points if the test is backwards compatible with guix > 1.4 and 1.2 :) FWIW, the reproducer from the blog is not working for me with guix 1.2: guix build -f guix-cve-2024-27297 -M4 /home/vagrant/guix-cve-2024-27297:20:7: warning: importing module (guix config) from the host /home/vagrant/guix-cve-2024-27297:20:7: warning: importing module (guix config) from the host substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0% The following derivations will be built: /gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv /gnu/store/90ysjngcdr0z5mcxprryxpp2413mly8z-derivation-that-exfiltrates-fd-65f22e2a-11731.drv /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv /gnu/store/m1ln7m49qrd5jbg0rhjwgb3p5v4iqv1p-derivation-that-grabs-fd-65f22e2a-11731.drv /gnu/store/n7zss6k3999bm566n6xwqgc5672mw5yr-receiver.drv building /gnu/store/n7zss6k3999bm566n6xwqgc5672mw5yr-receiver.drv... building /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv... Backtrace: 4 (primitive-load "/gnu/store/2vg1l5pb6jgbrg3iivzj01gl0n8?") In ice-9/eval.scm: 619:8 3 (_ #f) 191:27 2 (_ #f) 223:20 1 (proc #) In unknown file: 0 (%resolve-variable (7 . load-profile) #) ERROR: In procedure %resolve-variable: Unbound variable: load-profile Backtrace: 4 (primitive-load "/gnu/store/c4a9kl1p4xs8fmw2w5smaim04cy?") In ice-9/eval.scm: 619:8 3 (_ #f) 191:27 2 (_ #f) 223:20 1 (proc #) In unknown file: 0 (%resolve-variable (7 . load-profile) #) ERROR: In procedure %resolve-variable: Unbound variable: load-profile builder for `/gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv' failed with exit code 1 build of /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv failed View build log at '/var/log/guix/drvs/nd/ny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv.bz2'. cannot build derivation `/gnu/store/90ysjngcdr0z5mcxprryxpp2413mly8z-derivation-that-exfiltrates-fd-65f22e2a-11731.drv': 1 dependenc ies couldn't be built cannot build derivation `/gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv': 1 dependencies couldn't be bui lt guix build: error: build of `/gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv' failed I guess I can try "guix pull" to something current to run it... live well, vagrant signature.asc Description: PGP signature
bug#69776: emacs-hyperbole: runtime exceptions in 8.0.0
Hello, Christopher Howard writes: > Hello, a while ago I reported an error in hyperbole 8.0.0 causing a regex > exception on many implicit buttons: > > https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69338 > > Upstream stated the problem will be resolved in official 9.0.1 > release, and this version has just been officially released. > Using --with-latest to install 9.0.1., I confirmed that the problem is > indeed resolved, and so I would request an update to 9.0.1. I'm not at > liberty to submit a patch myself right at the moment. Perhaps I'll be > able to make one in the next few days but I'm not sure. > > A side note: the first example in the 9.0.1 "FAST-DEMO" requires that the > "HY-NEWS" file be available in the install directory, but guix does not > install this file. > >> ** Pathname Implicit Buttons >> >>"HY-NEWS#ORG MODE:3:6" - outline section anchor & relative line number > > If we could fix this at the same time, that would be great. Fixed. Thank you. Regards, -- Nicolas Goaziou
bug#69777: Please add a test for CVE-2024-27297
It would be really nice, especially for downstream distributors, if there was a test for CVE-2024-27297. There is working code to test this in the excellent blog post on the subject, which is a likely good starting point! https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/ Super extra bonus points if the test is backwards compatible with guix 1.4 and 1.2 :) live well, vagrant signature.asc Description: PGP signature
bug#69776: emacs-hyperbole: runtime exceptions in 8.0.0
Hello, a while ago I reported an error in hyperbole 8.0.0 causing a regex exception on many implicit buttons: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69338 Upstream stated the problem will be resolved in official 9.0.1 release, and this version has just been officially released. Using --with-latest to install 9.0.1., I confirmed that the problem is indeed resolved, and so I would request an update to 9.0.1. I'm not at liberty to submit a patch myself right at the moment. Perhaps I'll be able to make one in the next few days but I'm not sure. A side note: the first example in the 9.0.1 "FAST-DEMO" requires that the "HY-NEWS" file be available in the install directory, but guix does not install this file. > ** Pathname Implicit Buttons > >"HY-NEWS#ORG MODE:3:6" - outline section anchor & relative line number If we could fix this at the same time, that would be great. -- Christopher Howard gemini://gem.librehacker.com http://gem.librehacker.com בראשית ברא אלהים את השמים ואת הארץ
bug#69755: Issue trying to guix pull
Michael Ford writes: > It looks like rolling-back has resolved the problem now. > So this issue can be closed. Closing. Thank you! Regards, Florian
bug#69755: Issue trying to guix pull
> Sorry, I forgot, you might need to roll back first, if you had pulled the broken in-between Guix revision. Thanks for the followup. It looks like rolling-back has resolved the problem now. So this issue can be closed. On Tue, 12 Mar 2024 at 19:33, pelzflorian (Florian Pelz) wrote: > > Sorry, I forgot, you might need to roll back first, if you had pulled > the broken in-between Guix revision. > > guix pull --roll-back > > I believe the in-between Guixes cannot be fixed. > Thank you for reporting. > > Regards, > Florian
