Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

guix: CVE-2024-27297

Related Vulnerabilities: CVE-2024-27297  

Source

Debian Bug report logs - #1066113
guix: CVE-2024-27297

version graph

Package: src:guix; Maintainer for src:guix is Vagrant Cascadian <vagrant@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Mar 2024 20:09:02 UTC

Severity: important

Tags: pending, security, upstream

Found in versions guix/1.4.0-3, guix/1.2.0-4+deb11u1, guix/1.4.0-5

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Vagrant Cascadian <vagrant@debian.org>:
Bug#1066113; Package src:guix. (Tue, 12 Mar 2024 20:09:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Vagrant Cascadian <vagrant@debian.org>. (Tue, 12 Mar 2024 20:09:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: guix: CVE-2024-27297
Date: Tue, 12 Mar 2024 21:05:38 +0100
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.2.0-4+deb11u1


Hi,

Vagrant, knowing that you are awaere already, but filling for having a
Debian bug tracking reference.

The following vulnerability was published for guix.

CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. A fixed-
| output derivations on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows to modify the output of the derivation, after
| Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
    https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Marked as found in versions guix/1.2.0-4+deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 12 Mar 2024 20:09:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1066113; Package src:guix. (Tue, 12 Mar 2024 23:03:02 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. (Tue, 12 Mar 2024 23:03:02 GMT) (full text, mbox, link).

Message #12 received at 1066113@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1066113@bugs.debian.org
Cc: jljusten@debian.org
Subject: Re: Bug#1066113: guix: CVE-2024-27297
Date: Tue, 12 Mar 2024 16:01:26 -0700
[Message part 1 (text/plain, inline)]
Control: found 1066113 1.4.0-3
Control: tags  1066113 pending

On 2024-03-12, Salvatore Bonaccorso wrote:
> The following vulnerability was published for guix.
>
> CVE-2024-27297[0]:
> | Nix is a package manager for Linux and other Unix systems. A fixed-
> | output derivations on Linux can send file descriptors to files in
> | the Nix store to another program running on the host (or another
> | fixed-output derivation) via Unix domain sockets in the abstract
> | namespace. This allows to modify the output of the derivation, after
> | Nix has registered the path as "valid" and immutable in the Nix
> | database. In particular, this allows the output of fixed-output
> | derivations to be modified from their expected content. This issue
> | has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
> | Users are advised to upgrade. There are no known workarounds for
> | this vulnerability.

Technically, it was published for Nix (CCed the listed maintainer)! Guix
just happens to share some of the same code history. :)

Should the bug be cloned for nix, or a separate bug filed?


> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-27297
>     https://www.cve.org/CVERecord?id=CVE-2024-27297
> [1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

> Please adjust the affected versions in the BTS as needed.

There was another followup fix committed in upstream guix, which I
already merged into the Debian packaging:

  https://salsa.debian.org/debian/guix/-/commit/03eeedaddbdded880743461cbca0261b96737319

This commit can be trivially cherry-picked for bookworm (1.4.0-3) and
for bullseye (with some easily resolved conflicts in
debian/patches/series).

A summary from the guix perspective, including code to verify the issue
was posted:

  https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/

I have not yet had a chance to actually verify the fix on locally built
Debian packages, but all three releases do successfully build with the
patches applied.


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Marked as found in versions guix/1.4.0-3. Request was from Vagrant Cascadian <vagrant@debian.org> to 1066113-submit@bugs.debian.org. (Tue, 12 Mar 2024 23:03:03 GMT) (full text, mbox, link).

Added tag(s) pending. Request was from Vagrant Cascadian <vagrant@debian.org> to 1066113-submit@bugs.debian.org. (Tue, 12 Mar 2024 23:03:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Mar 13 11:51:31 2024; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started