futurile/guix-play
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8f4ffb3fae
guix-play/nix/libutil
History
Ludovic Courtès 8f4ffb3fae
daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). 
This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Vulnerability discovered by puck <https://github.com/puckipedia>.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

Nix fix:
244f3eee0b

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.

Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4

Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
2024-03-11 22:12:34 +01:00
..
affinity.cc
affinity.hh
archive.cc daemon: Use unbranded phrases in comments and messages. 2018-12-16 16:28:07 +01:00
archive.hh
hash.cc daemon: Improve error message for wrong hash sizes. 2023-01-09 17:40:54 +01:00
hash.hh daemon: Recognize SHA3 and BLAKE2s. 2020-06-27 23:42:20 +02:00
serialise.cc
serialise.hh
types.hh
util.cc daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). 2024-03-11 22:12:34 +01:00
util.hh daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). 2024-03-11 22:12:34 +01:00