forked from lix-project/lix
jade
dcc7ea5498
Also fix typos introduced by the commits I read.
I have run the addDrvOutputDependencies release note past Ericson since
I was confused by what the heck it was doing, and he was saying it was
reasonable.
Change-Id: Id015353b00938682f7faae7de43df7f991a5237e
22 lines
1,023 B
Markdown
---
synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
cls: 266
credits: [puck, jade, thufschmitt, tomberek, valentin]
category: Fixes
---

Since Lix fixed-output derivations run in the host network namespace (which we
wish to change in the future, see
[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
abstract-namespace Unix sockets to each other and to programs on the host. Lix
contained a now-fixed time-of-check/time-of-use vulnerability: one derivation
could send writable handles to files already at their final location in the
store to another derivation over an abstract-namespace Unix socket and then
exit; the other derivation could then wait for Lix to hash those paths and
overwrite them through the handles it still held.
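The following is an added illustration of the mechanism described above; it is not Lix or CppNix code and does not describe how Lix actually fixed the issue. It plays the race twice on a constructed file in a temporary directory: "derivation A" opens the file read-write, passes the descriptor over an abstract-namespace `AF_UNIX` socket with `SCM_RIGHTS`, and exits; "derivation B" keeps the descriptor, waits for the simulated "hash the path" step, then writes through it. When the path is hashed in place the recorded hash no longer matches the file. The second run hashes a fresh copy (a new inode) instead, which is only one generic way to show why a retained descriptor stops mattering; the file name, contents, and socket name are hypothetical. Linux only, since abstract socket names do not exist elsewhere.

```python
"""Added example (not Lix code): a leaked writable descriptor defeats
hash-then-register when the hash is taken in place. Linux-only: uses
abstract-namespace AF_UNIX sockets and SCM_RIGHTS."""
import array
import hashlib
import os
import socket
import tempfile

FDS_PER_MSG = 1


def sha256_of(path):
    """Stand-in for the store hashing step ("Lix hashes the path")."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def send_writable_fd(path, abstract_name):
    """'Derivation A': open the output read-write and hand the descriptor over
    an abstract-namespace socket (no filesystem path, so a mount namespace
    does not isolate it). Called in a forked child that exits afterwards."""
    fd = os.open(path, os.O_RDWR)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(b"\0" + abstract_name)
        s.sendmsg([b"x"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                            array.array("i", [fd]))])
    os.close(fd)


def receive_fd(abstract_name, spawn_sender):
    """'Derivation B': accept the connection, pull the descriptor out of the
    SCM_RIGHTS ancillary data, and keep it after the sender has exited."""
    fds = array.array("i")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(b"\0" + abstract_name)
        srv.listen(1)
        pid = spawn_sender()
        conn, _ = srv.accept()
        with conn:
            _, ancdata, _, _ = conn.recvmsg(
                16, socket.CMSG_SPACE(FDS_PER_MSG * fds.itemsize))
        os.waitpid(pid, 0)  # sender is gone; the open file description is not
    for level, typ, data in ancdata:
        if level == socket.SOL_SOCKET and typ == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    return fds[0]


def tamper_changes_registered_hash(copy_before_hash):
    """Play the race once. Returns True if the content at the registered path
    no longer matches the hash recorded for it (a poisoned store path)."""
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "xyz-bash-src.tar")  # hypothetical final location
        with open(out, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine\n")  # constructed sample content
        name = b"toctou-demo-%d-%d" % (os.getpid(), int(copy_before_hash))

        def spawn():
            pid = os.fork()
            if pid == 0:
                try:
                    send_writable_fd(out, name)
                    os._exit(0)
                finally:
                    os._exit(1)  # never fall back into the parent's code
            return pid

        leaked_fd = receive_fd(name, spawn)

        if copy_before_hash:
            # Hash and register a fresh copy: a new inode, so the descriptor
            # leaked from the build still points at the old data only.
            registered = out + ".fresh"
            with open(out, "rb") as src, open(registered, "wb") as dst:
                dst.write(src.read())
            os.unlink(out)
        else:
            registered = out  # hash in place: the inode the attacker holds
        recorded = sha256_of(registered)

        # After the hash was recorded, 'derivation B' writes through the fd.
        os.pwrite(leaked_fd, b"#!/bin/sh\necho backdoor\n", 0)
        os.close(leaked_fd)
        return sha256_of(registered) != recorded


if __name__ == "__main__":
    print("hash in place, then tamper -> poisoned:",
          tamper_changes_registered_hash(copy_before_hash=False))
    print("copy to new inode, hash, then tamper -> poisoned:",
          tamper_changes_registered_hash(copy_before_hash=True))
```

The point to take from the in-place run is that neither the sender's exit nor the sandbox's mount namespace revokes the open file description; only the inode identity matters. Hashing a copy closes this one route but is not a complete model of what a store must guard against, and it is not presented here as the change Lix made.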

The impact of this vulnerability is that two malicious fixed-output derivations
could create a poisoned path for the sources to Bash or similarly important
software containing a backdoor, leading to local privilege escalation.

CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37