Control: found 1066113 1.4.0-3
Control: tags  1066113 pending

On 2024-03-12, Salvatore Bonaccorso wrote:
> The following vulnerability was published for guix.
>
> CVE-2024-27297[0]:
> | Nix is a package manager for Linux and other Unix systems. Fixed-
> | output derivations on Linux can send file descriptors to files in
> | the Nix store to another program running on the host (or another
> | fixed-output derivation) via Unix domain sockets in the abstract
> | namespace. This allows modifying the output of the derivation, after
> | Nix has registered the path as "valid" and immutable in the Nix
> | database. In particular, this allows the output of fixed-output
> | derivations to be modified from their expected content. This issue
> | has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
> | Users are advised to upgrade. There are no known workarounds for
> | this vulnerability.

Technically, it was published for Nix (CCed the listed maintainer)! Guix
just happens to share some of the same code history. :)

Should the bug be cloned for nix, or a separate bug filed?


> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-27297
>     https://www.cve.org/CVERecord?id=CVE-2024-27297
> [1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

> Please adjust the affected versions in the BTS as needed.

There was another followup fix committed in upstream guix, which I
already merged into the Debian packaging:

  https://salsa.debian.org/debian/guix/-/commit/03eeedaddbdded880743461cbca0261b96737319

This commit can be trivially cherry-picked for bookworm (1.4.0-3) and
for bullseye (with some easily resolved conflicts in
debian/patches/series).

A summary from the guix perspective, including code to verify the issue
was posted:

  https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/

I have not yet had a chance to actually verify the fix on locally built
Debian packages, but all three releases do successfully build with the
patches applied.


live well,
  vagrant
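The CVE text quoted above hinges on abstract-namespace Unix domain sockets being reachable from inside a fixed-output build. As an added illustration (not code from this thread, Guix or Nix), the following parses the layout of Linux's `/proc/net/unix`, where abstract sockets appear with a leading `@`, and lists those not on an allowlist; the sample table and the socket names in it are constructed, and the allowlist prefix is an assumption for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample in the column layout of /proc/net/unix on Linux;
# the inodes and the "@fod-fd-passing" name are made up for this example.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /run/systemd/journal/stdout
0000000000000000: 00000003 00000000 00000000 0001 03 23456 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 34567 @fod-fd-passing
0000000000000000: 00000002 00000000 00000000 0001 03 45678
"""

def parse_proc_net_unix(text: str) -> List[Dict[str, object]]:
    """Parse /proc/net/unix text into one dict per socket.

    Columns: Num RefCount Protocol Flags Type St Inode [Path]. The Path
    column is absent for unbound sockets, and abstract-namespace names
    are rendered by the kernel with '@' in place of the leading NUL byte.
    """
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 7:                     # malformed or empty line
            continue
        path = fields[7] if len(fields) == 8 else ""
        sockets.append({
            "inode": int(fields[6]),
            "type": int(fields[4], 16),         # 0001 = SOCK_STREAM
            "state": int(fields[5], 16),
            "path": path,
            "abstract": path.startswith("@"),
        })
    return sockets

def abstract_sockets(text: str) -> List[str]:
    """Return the names of all abstract-namespace sockets in the table."""
    return [s["path"] for s in parse_proc_net_unix(text) if s["abstract"]]

def unexpected_abstract_sockets(
    text: str,
    allowed_prefixes: Tuple[str, ...] = ("@/tmp/.X11-unix/",),  # assumed allowlist
) -> List[str]:
    """Abstract sockets whose name does not match an allowlisted prefix.

    In a build namespace that is supposed to be isolated, anything listed
    here is a channel a fixed-output build could use to reach a peer.
    """
    return [p for p in abstract_sockets(text)
            if not any(p.startswith(pre) for pre in allowed_prefixes)]

if __name__ == "__main__":
    # On a real host, read open("/proc/net/unix").read() instead of the sample.
    for name in unexpected_abstract_sockets(SAMPLE_PROC_NET_UNIX):
        print("unexpected abstract socket:", name)
```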
