From: Maxime Devos <maximedevos@HIDDEN>
To: 47584 <at> debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:32:54 +0200

On Sat, 2021-04-03 at 18:22 +0200, Maxime Devos wrote:
> + ;; It is important 'chown' is called after 'copy-account-skeletons'
> + ;; Otherwise, a malicious user with good timing could
> + ;; create a symlink in HOME that would be dereferenced by
> + ;; 'copy-account-skeletons'.

Oops, please add a period after 'copy-account-skeletons';
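Review bot: the first quoted comment line, `;; It is important 'chown' is called after 'copy-account-skeletons'`, is missing its period (as the reply notes), and it should say which call is meant: the 'chown' of HOME itself. As written, 'chown' could be read as the per-skeleton ownership change that 'copy-account-skeletons' performs, which is not what the ordering protects. Something like `;; It is important that HOME is chown'ed only after 'copy-account-skeletons' has run.` names the constraint precisely.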
From: Maxime Devos <maximedevos@HIDDEN>
To: 47584 <at> debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:26:53 +0200

A suggested blog post is attached.

[Attachment: 0001-website-Add-post-about-vulnerability-in-copy-account.patch (text/x-patch)]
[PGP-signed message]
From: Maxime Devos <maximedevos@HIDDEN>
To: 47584 <at> debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:22:12 +0200

Patch is attached. The committer will need to change the commit id appropriately.

[Attachment: 0001-activation-Do-not-dereference-symlinks-in-home-direc.patch (text/x-patch)]
[Attachment: 0002-news-Add-entry-for-user-account-activation-vulnerabi.patch (text/x-patch)]
[PGP-signed message]
From: Maxime Devos <maximedevos@HIDDEN>
To: bug-guix@HIDDEN
Subject: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:09:16 +0200

A TOCTTOU (time-of-check to time-of-use) vulnerability has been found in the
activation code of user accounts, more specifically in the code that copies
the account skeletons.

* Vulnerability

The attack consists of the user being logged in after the account skeletons
have been copied to the home directory, but before the owner of the account
skeletons has been set.  The user then deletes a copied account skeleton
(e.g. @file{$HOME/.gdbinit}) and replaces it with a symbolic link to a file
not owned by the user, such as @file{/etc/shadow}.

The activation code then changes the ownership of the file the symbolic link
points to instead of the symbolic link itself.  At that point, the user has
read-write access to the target file.

* Where in the code does this happen?

Module: (gnu build activation).
Procedures: 'copy-account-skeletons' and 'activate-user-home'.

'copy-account-skeletons' creates the home directory, sets its owner, copies
the account skeletons, and chowns the copied skeletons, in that order.  The
bug is that it dereferences symbolic links.  It is called from
'activate-user-home' if the home directory does not already exist.

* Fix

The fix consists of initially creating the home directory root-owned and only
changing the owner of the home directory once all skeletons have been copied
and their owner has been set.

* Extra notes

A blog post, a news entry and a fix have been prepared and will be posted and
hopefully merged soon.

The following tests succeeded:

$ make check-system TESTS='switch-to-system upgrade-services install-bootloader basic'
$ make check

[PGP-signed message]
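As an added illustration (not code from the report or from Guix), the two orderings described above re-enacted in Python on a temporary directory: the filesystem operations are real, but ownership changes are simulated in a table so the script runs unprivileged. The `OwnerModel`, `activate_user_home`, `make_attacker` and `run_scenario` names, the uid 1000 and the stand-in `shadow` file are constructed for the example.

```python
"""Re-enactment of the bug#47584 ordering race (constructed example).

Ownership changes are simulated (recorded in a dict) so this runs
unprivileged; mkdir, copy, unlink and symlink are real.  The simulated
chown follows symlinks, like chown(2) and Guile's 'chown', which is the
behaviour the report is about.
"""
import os
import shutil
import tempfile
from typing import Callable, Dict, List, Optional

ROOT_UID = 0
Attacker = Callable[[str, "OwnerModel"], bool]


class OwnerModel:
    """Simulated ownership table: real path -> uid.  Unknown paths count as
    root-owned, mirroring files created by the (root) activation code."""

    def __init__(self) -> None:
        self.owner: Dict[str, int] = {}
        self.log: List[str] = []

    def chown(self, path: str, uid: int, gid: int) -> None:
        # realpath() dereferences symlinks: a symlink planted in HOME makes
        # this change the owner of its *target*, not of the link itself.
        target = os.path.realpath(path)
        self.owner[target] = uid
        self.log.append(target)

    def owner_of(self, path: str) -> int:
        return self.owner.get(os.path.realpath(path), ROOT_UID)


def copy_account_skeletons(home: str, skel: str, uid: int, gid: int,
                           fs: OwnerModel, chown_home: bool,
                           attacker: Optional[Attacker] = None) -> None:
    """Mirror of 'copy-account-skeletons'.  chown_home=True is the pre-fix
    behaviour: HOME is handed to the user before the skeletons are settled."""
    os.makedirs(home, exist_ok=True)
    if chown_home:
        fs.chown(home, uid, gid)
    for name in sorted(os.listdir(skel)):
        shutil.copy2(os.path.join(skel, name), os.path.join(home, name))
    # The race window: the user may already be logged in at this point.
    if attacker is not None:
        attacker(home, fs)
    for name in sorted(os.listdir(skel)):
        fs.chown(os.path.join(home, name), uid, gid)


def activate_user_home(home: str, skel: str, uid: int, gid: int,
                       fs: OwnerModel, fixed: bool,
                       attacker: Optional[Attacker] = None) -> None:
    """Mirror of 'activate-user-home' before (fixed=False) and after the fix."""
    os.makedirs(home, exist_ok=True)
    if not fixed:
        fs.chown(home, uid, gid)      # pre-fix: user owns HOME immediately
    os.chmod(home, 0o700)
    copy_account_skeletons(home, skel, uid, gid, fs,
                           chown_home=not fixed, attacker=attacker)
    if fixed:
        # Post-fix: HOME stays root-owned (mode 700, so the user cannot add
        # or replace entries) until every skeleton is copied and chowned.
        fs.chown(home, uid, gid)


def make_attacker(uid: int, sensitive: str) -> Attacker:
    """Simulated local user who swaps a copied skeleton for a symlink.
    The kernel would refuse unlink/symlink in a mode-700 directory the user
    does not own, so the simulated precondition is the ownership of HOME."""
    def attack(home: str, fs: OwnerModel) -> bool:
        if fs.owner_of(home) != uid:
            return False
        victim = os.path.join(home, ".gdbinit")
        os.unlink(victim)
        os.symlink(sensitive, victim)
        return True
    return attack


def run_scenario(fixed: bool) -> Dict[str, int]:
    """Owners of the sensitive file and of HOME after a raced activation."""
    uid, gid = 1000, 1000
    with tempfile.TemporaryDirectory() as tmp:
        skel = os.path.join(tmp, "skel")
        os.mkdir(skel)
        for name in (".bashrc", ".gdbinit"):
            with open(os.path.join(skel, name), "w") as f:
                f.write("# constructed skeleton file\n")
        sensitive = os.path.join(tmp, "shadow")     # stand-in for /etc/shadow
        with open(sensitive, "w") as f:
            f.write("constructed placeholder content\n")
        home = os.path.join(tmp, "home", "alice")
        fs = OwnerModel()
        activate_user_home(home, skel, uid, gid, fs, fixed=fixed,
                           attacker=make_attacker(uid, sensitive))
        return {"sensitive": fs.owner_of(sensitive), "home": fs.owner_of(home)}


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", run_scenario(fixed))
```

With the pre-fix ordering the simulated chown of `$HOME/.gdbinit` lands on the stand-in `shadow` file; with the fixed ordering the user never gets a window to plant the link, and HOME is handed over only at the end.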
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.