Debian Bug report logs - #1066113 guix: CVE-2024-27297
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 12 Mar 2024 20:09:02 UTC
Severity: important
Tags: pending, security, upstream
Found in versions guix/1.4.0-3, guix/1.2.0-4+deb11u1, guix/1.4.0-5
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Vagrant Cascadian <vagrant@debian.org>: Bug#1066113; Package src:guix. (Tue, 12 Mar 2024 20:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Vagrant Cascadian <vagrant@debian.org>. (Tue, 12 Mar 2024 20:09:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.2.0-4+deb11u1
Hi,
Vagrant, knowing that you are aware already, but filing for having a
Debian bug tracking reference.
The following vulnerability was published for guix.
CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. A fixed-
| output derivations on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows to modify the output of the derivation, after
| Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
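The CVE text above describes a window that opens only after the daemon has checked the fixed-output hash and marked the path valid: a file descriptor leaked out of the build via an abstract-namespace Unix socket still permits writes to the registered output. The practical consequence for defenders is that the one-time check at registration is not a guarantee, and contents of fixed-output paths should be re-verified later (in the spirit of `guix gc --verify=contents` or `nix store verify`). The following added example, which is not code from this bug report, from Guix or from Nix, models that with a simplified tree hash (an assumption standing in for the real NAR serialisation) and a toy "valid paths" table; `hash_tree`, `StoreDb`, `build_sample` and `demo` are names chosen for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Deterministic SHA-256 over a directory tree.

    Simplified stand-in (assumption) for the NAR-style serialisation that
    Nix and Guix actually hash: entries are visited in sorted order and each
    entry's relative path, type and content are fed to the digest, so any
    change to layout or content changes the result.
    """
    h = hashlib.sha256()
    root_path = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # fixes os.walk's descent order
        for name in sorted(dirnames + filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix().encode()
            if p.is_symlink():  # checked first: is_dir() would follow the link
                h.update(b"S" + rel + b"\0" + os.readlink(p).encode() + b"\0")
            elif p.is_dir():
                h.update(b"D" + rel + b"\0")
            else:
                h.update(b"F" + rel + b"\0")
                with open(p, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                h.update(b"\0")
    return h.hexdigest()


class StoreDb:
    """Minimal model (constructed for this example) of the daemon's table of
    paths registered as valid, keyed by path with the hash seen at registration."""

    def __init__(self):
        self.valid = {}

    def register(self, path, expected_hash):
        # The check a daemon performs once, when the build finishes.
        actual = hash_tree(path)
        if actual != expected_hash:
            raise ValueError("fixed-output hash mismatch for %s" % path)
        self.valid[path] = actual

    def verify_contents(self):
        # The later re-check that catches modification after registration.
        return {p: hash_tree(p) == h for p, h in self.valid.items()}


def build_sample(out):
    """Write a constructed sample 'derivation output' into directory `out`."""
    Path(out, "bin").mkdir()
    Path(out, "bin", "tool").write_bytes(b"#!/bin/sh\necho ok\n")
    Path(out, "README").write_bytes(b"constructed sample output\n")


def demo():
    """Returns (valid_right_after_registration, valid_after_later_write)."""
    with tempfile.TemporaryDirectory() as out:
        build_sample(out)
        expected = hash_tree(out)  # the hash the derivation declares
        db = StoreDb()
        db.register(out, expected)
        before = db.verify_contents()[out]
        # Simulate a write landing after registration, i.e. the window the
        # CVE describes; the daemon's one-time check has already passed.
        Path(out, "bin", "tool").write_bytes(b"#!/bin/sh\necho tampered\n")
        after = db.verify_contents()[out]
    return before, after


if __name__ == "__main__":
    print("valid at registration, valid after later write:", demo())
```

The point of `verify_contents` is that the registered hash is a snapshot, not a lock: anything that can still write to the path after registration (the leaked descriptor in this CVE) silently invalidates it, and only a subsequent content check makes the divergence visible.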
Marked as found in versions guix/1.2.0-4+deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 12 Mar 2024 20:09:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#1066113; Package src:guix. (Tue, 12 Mar 2024 23:03:02 GMT)
Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>: Extra info received and forwarded to list. (Tue, 12 Mar 2024 23:03:02 GMT)
Message #12 received at 1066113@bugs.debian.org:
Control: found 1066113 1.4.0-3
Control: tags 1066113 pending
On 2024-03-12, Salvatore Bonaccorso wrote:
> The following vulnerability was published for guix.
>
> CVE-2024-27297[0]:
> | Nix is a package manager for Linux and other Unix systems. A fixed-
> | output derivations on Linux can send file descriptors to files in
> | the Nix store to another program running on the host (or another
> | fixed-output derivation) via Unix domain sockets in the abstract
> | namespace. This allows to modify the output of the derivation, after
> | Nix has registered the path as "valid" and immutable in the Nix
> | database. In particular, this allows the output of fixed-output
> | derivations to be modified from their expected content. This issue
> | has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
> | Users are advised to upgrade. There are no known workarounds for
> | this vulnerability.
Technically, it was published for Nix (CCed the listed maintainer)! Guix
just happens to share some of the same code history. :)
Should the bug be cloned for nix, or a separate bug filed?
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-27297
> https://www.cve.org/CVERecord?id=CVE-2024-27297
> [1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
> Please adjust the affected versions in the BTS as needed.
There was another followup fix committed in upstream guix, which I
already merged into the Debian packaging:
https://salsa.debian.org/debian/guix/-/commit/03eeedaddbdded880743461cbca0261b96737319
This commit can be trivially cherry-picked for bookworm (1.4.0-3) and
for bullseye (with some easily resolved conflicts in
debian/patches/series).
A summary from the guix perspective, including code to verify the issue
was posted:
https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
I have not yet had a chance to actually verify the fix on locally built
Debian packages, but all three releases do successfully build with the
patches applied.
live well,
vagrant
Marked as found in versions guix/1.4.0-3. Request was from Vagrant Cascadian <vagrant@debian.org> to 1066113-submit@bugs.debian.org. (Tue, 12 Mar 2024 23:03:03 GMT)
Added tag(s) pending. Request was from Vagrant Cascadian <vagrant@debian.org> to 1066113-submit@bugs.debian.org. (Tue, 12 Mar 2024 23:03:03 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Mar 13 11:51:31 2024; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.