news: Add news entry for build user takeover vulnerability fix.

* etc/news.scm: add entry about build user takeover vulnerability.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Change-Id: I469e368914681e599252e766cd30100d5a377257
Reepca Russelstein 2024-10-20 17:32:23 -05:00 committed by Ludovic Courtès
parent 5966e0fdc7
commit c9e51ab38d
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5


@ -33,6 +33,38 @@
(channel-news
(version 0)
(entry (commit "5966e0fdc78771c562e0f484a22f381a77908be0")
(title
(en "Daemon vulnerability allowing takeover of build users fixed"))
(body
(en "A vulnerability allowing a local user to execute arbitrary code
as any of the build users has been identified and fixed. Most notably, this
allows any local user to alter the result of any local build, even if it
happens inside a container. The only requirements to exploit this
vulnerability are the ability to start a derivation build and the ability to
run arbitrary code with access to the store in the root PID namespace on the
machine that build occurs on. This largely limits the vulnerability to
multi-user systems.
This vulnerability is caused by the fact that @command{guix-daemon} does not
change ownership and permissions on the outputs of failed builds when it moves
them to the store, and is also caused by there being a window of time between
when it moves outputs of successful builds to the store and when it changes
their ownership and permissions. Because of this, a build can create a binary
with both setuid and setgid bits set and have it become visible to the outside
world once the build ends. At that point any process that can access the
store can execute it and gain the build user's privileges. From there any
process owned by that build user can be manipulated via procfs and signals at
will, allowing the attacker to control the output of its builds.
You are advised to upgrade @command{guix-daemon}. Run @command{info \"(guix)
Upgrading Guix\"}, for info on how to do that. Additionally, if there is any
risk that a builder may have already created these setuid binaries (for
example on accident), run @command{guix gc} to remove all failed build
outputs.
See @uref{https://issues.guix.gnu.org/73919} for more information on this
vulnerability.")))
(entry (commit "2fae63df2138b74d30e120364f0f272871595862")
(title
(en "Core packages updated")
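Review bot: The user-facing body of the new entry has a few wording slips that will be shown verbatim to every user on their next `guix pull`, so they are worth fixing before merging. In "Run @command{info \"(guix) Upgrading Guix\"}, for info on how to do that." the comma after the closing brace is stray; "the machine that build occurs on" should read "the machine the build occurs on"; and "for example on accident" should read "for example by accident". The description of the root cause (unchanged ownership and permissions on failed-build outputs, plus the window between moving successful outputs and fixing their ownership) reads clearly and matches the remediation advice, so no change is needed there beyond the typos.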