guix/nix
Ludovic Courtès 8f4ffb3fae
daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).
This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Vulnerability discovered by puck <https://github.com/puckipedia>.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

Nix fix:
244f3eee0b

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.

Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4

Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
2024-03-11 22:12:34 +01:00
..
boost nix: Tweak .gitignore files. 2020-06-24 19:55:22 +01:00
libstore daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). 2024-03-11 22:12:34 +01:00
libutil daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). 2024-03-11 22:12:34 +01:00
nix-daemon daemon: Implement ‘substitute-urls’ RPC. 2023-12-11 23:18:53 +01:00
.gitignore
AUTHORS
COPYING
local.mk Revert "build: Add missing guix-gc.timer file to binary tarball." 2023-09-24 02:00:00 +02:00