Unverified Commit 633a3b8f authored by Christina Sørensen's avatar Christina Sørensen

guix: build user takeover patch

guix has recently announced a security vulnerability that allows
local users to gain the privileges of build users, and further manipulate
the output of any build (including with setguid).

This commit fixes the issue by backporting the remediation commits pushed to
guix main to 1.4.0 as a patch.

Users will still have to reboot and follow other remediation steps as
described in the guix blogpost.

Refs: https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/


Signed-off-by: default avatarChristina Sørensen <christina@cafkafk.com>
parent 42fee36c
+42 −0
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index c5383bc..50d1abc 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs()
         Path actualPath = path;
         if (useChroot) {
             actualPath = chrootRootDir + path;
-            if (pathExists(actualPath)) {
-                /* Move output paths from the chroot to the store. */
-                if (buildMode == bmRepair)
-                    replaceValidPath(path, actualPath);
-                else
-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
-            }
-            if (buildMode != bmCheck) actualPath = path;
         } else {
             Path redirected = redirectedOutputs[path];
             if (buildMode == bmRepair
@@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs()
                something like that. */
             canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
 
+            if (useChroot) {
+                if (pathExists(actualPath)) {
+                    /* Now that output paths have been canonicalized (in particular
+                    there are no setuid files left), move them outside of the
+                    chroot and to the store. */
+                    if (buildMode == bmRepair)
+                        replaceValidPath(path, actualPath);
+                    else
+                        if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+                            throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+                }
+                if (buildMode != bmCheck) actualPath = path;
+            }
+
+
             /* FIXME: this is in-memory. */
             StringSink sink;
             dumpPath(actualPath, sink);
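Review bot: The new patch file starts directly at `diff --git` with no header, so a later reader cannot tell which upstream guix commit(s) the two hunks were ported from or verify that the port is complete; the commit message only points at the blog post. Add a short header above `diff --git a/nix/libstore/build.cc` naming the upstream commit id (placeholder `<UPSTREAM_COMMIT_ID>` until filled in) and summarising the change: the chroot-to-store move is deferred until after `canonicalisePathMetaData` has run, so setuid bits are stripped before outputs leave the chroot. As a style point, the second hunk leaves two consecutive blank lines after the closing `}` of the moved `if (useChroot)` block; one is enough. `DerivationGoal::registerOutputs` begins and ends outside both hunks.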
+3 −0
@@ -57,6 +57,9 @@ stdenv.mkDerivation rec {
      url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
      hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
    })
    # manual port of build user takeover remediation commit
    # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
    ./guix-build-user-takeover-fix.patch
  ];

  postPatch = ''
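Review bot: The new comment above `./guix-build-user-takeover-fix.patch` cites the blog post but not the upstream commit being ported, unlike the `fetchpatch` entry just above it, whose URL carries the upstream id; when the patch is next rebased against a newer guix there is nothing to diff it against. Suggest `# manual port of upstream guix commit <UPSTREAM_COMMIT_ID> (build user takeover remediation)` as the first comment line, keeping the blog link on the second. The surrounding `patches` list and `stdenv.mkDerivation` block start before the hunk.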