GNU bug report logs - #69777
Please add a test for CVE-2024-27297

Previous Next

Package: guix;

Reported by: Vagrant Cascadian <vagrant <at> debian.org>

Date: Wed, 13 Mar 2024 15:31:02 UTC

Severity: normal

To reply to this bug, email your comments to 69777 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#69777; Package guix. (Wed, 13 Mar 2024 15:31:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Vagrant Cascadian <vagrant <at> debian.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 13 Mar 2024 15:31:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: bug-guix <at> gnu.org
Subject: Please add a test for CVE-2024-27297
Date: Wed, 13 Mar 2024 08:29:36 -0700

[Message part 1 (text/plain, inline)]
It would be really nice, especially for downstream distributors, if
there was a test for CVE-2024-27297.

There is working code to test this in the excellent blog post on the
subject, which is a likely good starting point!

  https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/

Super extra bonus points if the test is backwards compatible with guix
1.4 and 1.2 :)

live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]
Information forwarded to bug-guix <at> gnu.org:
bug#69777; Package guix. (Wed, 13 Mar 2024 23:12:01 GMT) Full text and rfc822 format available.

Message #8 received at 69777 <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: 69777 <at> debbugs.gnu.org
Subject: Re: Please add a test for CVE-2024-27297
Date: Wed, 13 Mar 2024 16:10:13 -0700

[Message part 1 (text/plain, inline)]
On 2024-03-13, Vagrant Cascadian wrote:
> It would be really nice, especially for downstream distributors, if
> there was a test for CVE-2024-27297.
>
> There is working code to test this in the excellent blog post on the
> subject, which is a likely good starting point!
>
>   https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
>
> Super extra bonus points if the test is backwards compatible with guix
> 1.4 and 1.2 :)

FWIW, the reproducer from the blog is not working for me with guix 1.2:

guix build -f guix-cve-2024-27297 -M4
/home/vagrant/guix-cve-2024-27297:20:7: warning: importing module (guix config) from the host
/home/vagrant/guix-cve-2024-27297:20:7: warning: importing module (guix config) from the host
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
The following derivations will be built:
   /gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv
   /gnu/store/90ysjngcdr0z5mcxprryxpp2413mly8z-derivation-that-exfiltrates-fd-65f22e2a-11731.drv
   /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv
   /gnu/store/m1ln7m49qrd5jbg0rhjwgb3p5v4iqv1p-derivation-that-grabs-fd-65f22e2a-11731.drv
   /gnu/store/n7zss6k3999bm566n6xwqgc5672mw5yr-receiver.drv
building /gnu/store/n7zss6k3999bm566n6xwqgc5672mw5yr-receiver.drv...
building /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv...
Backtrace:
           4 (primitive-load "/gnu/store/2vg1l5pb6jgbrg3iivzj01gl0n8?")
In ice-9/eval.scm:
    619:8  3 (_ #f)
   191:27  2 (_ #f)
   223:20  1 (proc #<directory (guile-user) 7ffff5bb7f00>)
In unknown file:
           0 (%resolve-variable (7 . load-profile) #<directory (guil?>)

ERROR: In procedure %resolve-variable:
Unbound variable: load-profile
Backtrace:
           4 (primitive-load "/gnu/store/c4a9kl1p4xs8fmw2w5smaim04cy?")
In ice-9/eval.scm:
    619:8  3 (_ #f)
   191:27  2 (_ #f)
   223:20  1 (proc #<directory (guile-user) 7ffff5bb7f00>)
In unknown file:
           0 (%resolve-variable (7 . load-profile) #<directory (guil?>)


ERROR: In procedure %resolve-variable:
Unbound variable: load-profile
builder for `/gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv' failed with exit code 1
build of /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv failed
View build log at '/var/log/guix/drvs/nd/ny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv.bz2'.
cannot build derivation `/gnu/store/90ysjngcdr0z5mcxprryxpp2413mly8z-derivation-that-exfiltrates-fd-65f22e2a-11731.drv': 1 dependenc
ies couldn't be built
cannot build derivation `/gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv': 1 dependencies couldn't be bui
lt
guix build: error: build of `/gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv' failed


I guess I can try "guix pull" to something current to run it...

live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 1 year and 22 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.