GNU bug report logs - #69728
[PATCH security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 11 Mar 2024 10:55:01 UTC

Severity: normal

Tags: patch, security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


Message #22 received at 69728 <at> debbugs.gnu.org (full text, mbox):

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Picnoir <picnoir <at> alternativebit.fr>, guix-security <at> gnu.org,
 Théophane Hufschmitt <theophane.hufschmitt <at> tweag.io>,
 69728 <at> debbugs.gnu.org
Subject: Re: Reproducer for the daemon fixed-output derivation vulnerability
Date: Tue, 12 Mar 2024 14:35:18 +0000
Hi all,

On Tue, Mar 12, 2024 at 02:45 PM, Ludovic Courtès wrote:

> As promised, attached is a reproducer that I adapted from the Nix one at
> <https://hackmd.io/03UGerewRcy3db44JQoWvw>, which I think was written by
> puck <https://github.com/puckipedia>.
>
> The program demonstrates the vulnerability using two fixed-output
> derivations that must be built concurrently on the same machine.
>

Thanks for the reproducer and instructions. I've included the code and
a brief overview of how to run and what to look for in the updated
post (along with other changes noted privately).

The updated post is attached. I will have some time here and there
over the next few hours to make changes, but will mostly be away from
my Guix machine to handle actually pushing. So, once it looks good,
feel free to do that or I can do it this evening my time (in about 7-8
hours).

Thanks again Ludo’ for all your work here!

John
[cve-2024-27297-post.md (application/octet-stream, attachment)]

This bug report was last modified 1 year and 149 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.