diff options
| author | Reepca Russelstein <reepca@russelstein.xyz> | 2024-10-20 17:32:23 -0500 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2024-10-21 01:26:14 +0200 |
| commit | c9e51ab38d23d8c7a5546824375c6274a569499f (patch) | |
| tree | 378d6ac96c5aa88597ecdbaa085c8aae33269bb7 | |
| parent | 5966e0fdc78771c562e0f484a22f381a77908be0 (diff) | |
news: Add news entry for build user takeover vulnerability fix.
* etc/news.scm: add entry about build user takeover vulnerability.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Change-Id: I469e368914681e599252e766cd30100d5a377257
| -rw-r--r-- | etc/news.scm | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/etc/news.scm b/etc/news.scm index a90f92a9ff..3fb53a9849 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -33,6 +33,38 @@ (channel-news (version 0) + (entry (commit "5966e0fdc78771c562e0f484a22f381a77908be0") + (title + (en "Daemon vulnerability allowing takeover of build users fixed")) + (body + (en "A vulnerability allowing a local user to execute arbitrary code +as any of the build users has been identified and fixed. Most notably, this +allows any local user to alter the result of any local build, even if it +happens inside a container. The only requirements to exploit this +vulnerability are the ability to start a derivation build and the ability to +run arbitrary code with access to the store in the root PID namespace on the +machine that build occurs on. This largely limits the vulnerability to +multi-user systems. + +This vulnerability is caused by the fact that @command{guix-daemon} does not +change ownership and permissions on the outputs of failed builds when it moves +them to the store, and is also caused by there being a window of time between +when it moves outputs of successful builds to the store and when it changes +their ownership and permissions. Because of this, a build can create a binary +with both setuid and setgid bits set and have it become visible to the outside +world once the build ends. At that point any process that can access the +store can execute it and gain the build user's privileges. From there any +process owned by that build user can be manipulated via procfs and signals at +will, allowing the attacker to control the output of its builds. + +You are advised to upgrade @command{guix-daemon}. Run @command{info \"(guix) +Upgrading Guix\"}, for info on how to do that. Additionally, if there is any +risk that a builder may have already created these setuid binaries (for +example on accident), run @command{guix gc} to remove all failed build +outputs. + +See @uref{https://issues.guix.gnu.org/73919} for more information on this +vulnerability."))) (entry (commit "2fae63df2138b74d30e120364f0f272871595862") (title (en "Core packages updated") |