Your message dated Fri, 09 Aug 2024 13:47:10 -0700
with message-id <172323643075.258067.15132028072768080824@localhost>
and subject line Fixed in nix 2.22.1+dfsg-1
has caused the Debian Bug report #1066812,
regarding nix: CVE-2024-27297
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1066812: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066812
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <team@security.debian.org>
Control: found -1 1.2.0-4+deb11u1
Hi,
Vagrant, knowing that you are aware already, but filing for having a
Debian bug tracking reference.
The following vulnerability was published for guix.
CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. Fixed-
| output derivations on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows modifying the output of the derivation after
| Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18, 2.18.2, 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
    https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
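The advisory quoted above turns on a property of abstract-namespace Unix sockets: unlike filesystem sockets, they are scoped to the network namespace rather than to the filesystem, so a build that shares the host's network namespace can reach any abstract socket listening there. The following script is an added example for administrators, not code from the bug report, from Nix or from Guix: it parses the kernel's /proc/net/unix table (where the kernel shows abstract names with a leading '@') and lists the abstract-namespace listeners that such a process could see. The sample table embedded in the script is constructed; the socket names in it are made up.

```python
"""Inventory abstract-namespace Unix domain sockets from /proc/net/unix.

Added example, not part of the Debian bug or of Nix/Guix. Abstract sockets
are visible to every process in the same network namespace, so listing the
ones that are listening shows what a build sharing the host's network
namespace can connect to.
"""
import os
from dataclasses import dataclass
from typing import List

# Values from the kernel's /proc/net/unix columns (hex on the page).
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 5: "SOCK_SEQPACKET"}
SOCK_STATES = {1: "UNCONNECTED", 2: "CONNECTING", 3: "CONNECTED", 4: "DISCONNECTING"}
SO_ACCEPTCON = 0x00010000  # __SO_ACCEPTCON flag: the socket is listening

# Constructed sample of /proc/net/unix; the names are invented for the example.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20133 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 20188 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20251 @constructed-abstract-listener
0000000000000000: 00000003 00000000 00000000 0001 03 20310 @constructed-abstract-listener
0000000000000000: 00000003 00000000 00000000 0001 03 20311
"""


@dataclass(frozen=True)
class UnixSocket:
    inode: int
    sock_type: str
    state: str
    listening: bool
    path: str       # socket name without the '@' marker; "" for unnamed sockets
    abstract: bool  # True when the kernel printed the name with a leading '@'


def parse_proc_net_unix(text: str) -> List[UnixSocket]:
    """Parse the contents of /proc/net/unix into UnixSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split(None, 7)    # path (8th field) may be absent
        if len(fields) < 7:
            continue
        _num, _refcount, _proto, flags, stype, state, inode = fields[:7]
        raw_path = fields[7] if len(fields) == 8 else ""
        abstract = raw_path.startswith("@")
        sockets.append(UnixSocket(
            inode=int(inode),
            sock_type=SOCK_TYPES.get(int(stype, 16), f"type {int(stype, 16)}"),
            state=SOCK_STATES.get(int(state, 16), f"state {int(state, 16)}"),
            listening=bool(int(flags, 16) & SO_ACCEPTCON),
            path=raw_path[1:] if abstract else raw_path,
            abstract=abstract,
        ))
    return sockets


def abstract_listeners(sockets: List[UnixSocket]) -> List[UnixSocket]:
    """Abstract-namespace sockets that are accepting connections."""
    return [s for s in sockets if s.abstract and s.listening]


def report(sockets: List[UnixSocket]) -> List[str]:
    """One human-readable line per abstract listener."""
    return [f"inode {s.inode}: abstract {s.sock_type} listener @{s.path}"
            for s in abstract_listeners(sockets)]


def load(path: str = "/proc/net/unix") -> List[UnixSocket]:
    """Read the live table when available, otherwise fall back to the sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return parse_proc_net_unix(fh.read())
    return parse_proc_net_unix(SAMPLE_PROC_NET_UNIX)


if __name__ == "__main__":
    for line in report(load()):
        print(line)
</test>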
--- Begin Message ---
Version: 2.22.1+dfsg-1
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
referenced in this bug links to:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
This states that the issue affected nix <= 2.20.3. Therefore, I think
this should have been fixed in the Debian 2.22.1+dfsg-1 nix upload.
In the upstream repo, I believe it was fixed by
c3878f510ec12ca6bf24505989e7463249dab61a which is included in releases
2.21.0 and later.
--- End Message ---