libgit2 1.4.3 directory owner validation breaks Guix

OpenSubmitted by André Batista.
Details
3 participants
  • Ludovic Courtès
  • Maxime Devos
  • André Batista
Owner
unassigned
Severity
important
A
A
André Batista wrote on 13 May 17:21 +0200
guix system reconfigure fails on channel validation
(address . bug-guix@gnu.org)
Yn53d4GR+kohZh/b@andel
Hello Guix!

Recently, I've not been able to reconfigure some of my guix systems
because guix fails to forward validate the commits in between the
current system deployment and the newer one. This appears to be
related to the new libgit2 version 1.4.3[1][2], which addressed CVE
2022-24765, since there was no change to the related guix routines
on the time lapse since the last deploy.

This is the error I'm getting:

$ sudo guix system --fallback -c 3 -M 3 reconfigure myconfig.scm
Backtrace:
19 (primitive-load "/home/user/.config/guix/current/bin/g?")
In guix/ui.scm:
2230:7 18 (run-guix . _)
2193:10 17 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1752:10 16 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
829:3 15 (_)
809:4 14 (call-with-status-report _ _)
In guix/scripts/system.scm:
1253:4 13 (_)
In ice-9/boot-9.scm:
1752:10 12 (with-exception-handler _ _ #:unwind? _ # _)
In guix/store.scm:
658:37 11 (thunk)
1320:8 10 (call-with-build-handler #<procedure b445f18 at guix/u?> ?)
2129:25 9 (run-with-store #<store-connection 256.99 b0934d8> _ # _ ?)
In guix/scripts/system.scm:
1277:15 8 (_ _)
819:5 7 (perform-action reconfigure #<<image> name: #f format:?> ?)
In guix/scripts/system/reconfigure.scm:
345:3 6 (check-forward-update _ #:current-channels _)
In srfi/srfi-1.scm:
691:23 5 (filter-map #<procedure ba4c460 at guix/scripts/syst?> . #)
In guix/scripts/system/reconfigure.scm:
352:37 4 (_ #<<channel> name: guix url: "/src/guix.git" branch: ?>)
In guix/git.scm:
469:7 3 (update-cached-checkout _ #:ref _ #:recursive? _ # _ # _ ?)
In git/bindings.scm:
77:2 2 (raise-git-error _)
In ice-9/boot-9.scm:
1685:16 1 (raise-exception _ #:continuable? _)
1685:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
Git error: repository path '/src/guix.git/' is not owned by current user


-----

And these are the commits being compared:

$ guix system describe
Generation 214 May 06 2022 22:47:43 (current)
file name: /var/guix/profiles/system-214-link
canonical file name: /gnu/store/b0wrzz8sxqi9hywpqz29cm73l9adxjy9-system
label: GNU with Linux-Libre-Atom 5.17.5
bootloader: grub
root device: label: "rootfs"
kernel: /gnu/store/xmdskyk85sypr4wgf5iwg5iid08l4aiq-linux-libre-atom-5.17.5/bzImage
channels:
guix:
repository URL: /src/guix.git
branch: master
commit: ee70ed5bf50e781a6a43985211aa763e28db62b9
configuration file: /gnu/store/g653hksfz0iwnbpynaq2mx4nv7ayb7r7-configuration.scm


$ guix describe
Generation 200 May 12 2022 13:48:01 (current)
guix a1cb645
repository URL: /src/guix.git
branch: master
commit: a1cb645d83d085382eaf64f4c097642aa47c297a

Any thoughts?

M
M
Maxime Devos wrote on 13 May 17:26 +0200
1f9a73621562c5fe96a0d254aef893f95ab33ff0.camel@telenet.be
André Batista schreef op vr 13-05-2022 om 12:21 [-0300]:
Toggle quote (2 lines)
> Any thoughts?

For now, let 'guile-git' use the libgit2-1.3 variant, look into
relaxing the ‘is owned by’ check later?

Greetings,
Maxime
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYn54jBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7m4iAPoCZrJ2G9KOnpQMrRr0NRkW6KMp
d8HjPHGZlNWtk466eQD/ZG3OedO6KSPKmWu7im29bg1CI4Ntuo3DfL3YkwHakAo=
=VcFh
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 13 May 17:28 +0200
c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be
André Batista schreef op vr 13-05-2022 om 12:21 [-0300]:
Toggle quote (2 lines)
> Any thoughts?

According to
the ownership check can be relaxed by setting an option. The guile-
git library would need to be adjusted to support the option though.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYn55HRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7sCyAQDfwyWmtyToJRDlZV70quA6O2XJ
q55xtkI/mmttol638gEAr8O7Qb6uM7vbIM0oSQRHJgNiJVKatgfUAHipcnWC3Ak=
=Fxlz
-----END PGP SIGNATURE-----


A
A
André Batista wrote on 18 May 19:38 +0200
Re: bug#55399: Temporary fix
(name . Maxime Devos)(address . maximedevos@telenet.be)(address . 55399@debbugs.gnu.org)
YoUvHJ24iYDBrO9v@andel
Hi Maxime!

sex 13 mai 2022 �s 17:28:29 (1652473709), maximedevos@telenet.be enviou:
Toggle quote (8 lines)
> Andr� Batista schreef op vr 13-05-2022 om 12:21 [-0300]:
> > Any thoughts?
>
> According to
> <https://github.com/libgit2/libgit2/pull/6267/commits/574b5ee7bb112987443916cdedcfc8e274121e9d>,
> the ownership check can be relaxed by setting an option. The guile-
> git library would need to be adjusted to support the option though.

Thanks for your pointers. I've only had a substitute* hammer and this
certainly seemed like a loose nail, so I've hammered my way through.

The patch bellow addresses the issue on guix side only and it was
applied/tested locally before b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab
So this later commit would need to be reverted, otherwise guix will
not use the new libgit2 v1.4.3 anyway.

Anyway, the proper think to do is to update guile-git, so I'll be
opening an issue there.

Happy hacking!
From 370bf9bec714747244da00a7fd793da04c49c523 Mon Sep 17 00:00:00 2001
In-Reply-To: <c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be>
References: <c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Tue, 17 May 2022 19:18:49 -0300
Subject: [PATCH] guix/git: Disable owner validation when updating cache.
To: 55399@debbugs.gnu.org
Cc: maximedevos@telenet.be

---
gnu/packages/guile.scm | 40 +++++++++++++++++++++++++++++++++++++++-
guix/git.scm | 3 +++
2 files changed, 42 insertions(+), 1 deletion(-)

Toggle diff (70 lines)
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 9d58c8d4cd..b120f3eefe 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -816,6 +816,44 @@ (define-public guile-git
               (sha256
                (base32
                 "11a51acibwi2hpaygmrpn6nwbr4lqalc87ihrgj3mhz6swbsk9n7"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  (substitute* "git/settings.scm"
+                    (("set-user-agent!))")
+                     (string-append "set-user-agent!\n"
+                                    "            set-owner-validation!))"))
+                    (("GIT_OPT_ENABLE_STRICT_OBJECT_CREATION 14)" m)
+                     (string-append m "\n" "(define GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION 15)"))
+
+                    (("(GIT_OPT_SET_SSL_CIPHERS).*" _ m)
+                     (string-append m " 16)\n"))
+
+                    (("(GIT_OPT_GET_USER_AGENT).*" _ m)
+                     (string-append m " 17)\n"
+                       "(define GIT_OPT_ENABLE_OFS_DELTA 18)\n"
+                       "(define GIT_OPT_ENABLE_FSYNC_GITDIR 19)\n"
+                       "(define GIT_OPT_GET_WINDOWS_SHAREMODE 20)\n"
+                       "(define GIT_OPT_SET_WINDOWS_SHAREMODE 21)\n"
+                       "(define GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION 22)\n"
+                       "(define GIT_OPT_SET_ALLOCATOR 23)\n"
+                       "(define GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY 24)\n"
+                       "(define GIT_OPT_GET_PACK_MAX_OBJECTS 25)\n"
+                       "(define GIT_OPT_SET_PACK_MAX_OBJECTS 26)\n"
+                       "(define GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS 27)\n"
+                       "(define GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE 28)\n"
+                       "(define GIT_OPT_GET_MWINDOW_FILE_LIMIT 29)\n"
+                       "(define GIT_OPT_SET_MWINDOW_FILE_LIMIT 30)\n"
+                       "(define GIT_OPT_SET_ODB_PACKED_PRIORITY 31)\n"
+                       "(define GIT_OPT_SET_ODB_LOOSE_PRIORITY 32)\n"
+                       "(define GIT_OPT_GET_EXTENSIONS 33)\n"
+                       "(define GIT_OPT_SET_EXTENSIONS 34)\n"
+                       "(define GIT_OPT_GET_OWNER_VALIDATION 35)\n"
+                       "(define GIT_OPT_SET_OWNER_VALIDATION 36)\n\n"
+                       "(define set-owner-validation!\n"
+                       "  (let  ((proc (libgit2->procedure* \"git_libgit2_opts\" (list int int))))\n"
+                       "    (lambda* (owner-validation)\n"
+                       "     (proc GIT_OPT_SET_OWNER_VALIDATION owner-validation))))\n")))))
               (patches (search-patches
                         "guile-git-adjust-for-libgit2-1.2.0.patch"))))
     (build-system gnu-build-system)
diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..ced6a9c62c 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -23,6 +23,7 @@
 (define-module (guix git)
   #:use-module (git)
   #:use-module (git object)
+  #:use-module (git settings)
   #:use-module (git submodule)
   #:use-module (guix i18n)
   #:use-module (guix base32)
@@ -463,6 +464,8 @@ (define canonical-ref
           (repository    (if cache-exists?
                              (repository-open cache-directory)
                              (clone/swh-fallback url ref cache-directory))))
+     ;; Disable owner validation for local repos see #55399
+     (set-owner-validation! 0)
      ;; Only fetch remote if it has not been cloned just before.
      (when (and cache-exists?
                 (not (reference-available? repository ref)))
L
L
Ludovic Courtès wrote 4 days ago
Re: bug#55399: guix system reconfigure fails on channel validation
(name . André Batista)(address . nandre@riseup.net)
87a6b85o37.fsf_-_@gnu.org
Hi André,

André Batista <nandre@riseup.net> skribis:

Toggle quote (3 lines)
> Anyway, the proper think to do is to update guile-git, so I'll be
> opening an issue there.

Yes please! You pretty much already have the code, so we could put
together a new Guile-Git release instead of carrying these modifications
in Guix proper.

(For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

Thanks!

Ludo’.
L
L
Ludovic Courtès wrote 4 days ago
control message for bug #55399
(address . control@debbugs.gnu.org)
878rqs5o0m.fsf@gnu.org
retitle 55399 libgit2 1.4.3 directory owner validation breaks Guix
quit
L
L
Ludovic Courtès wrote 4 days ago
(address . control@debbugs.gnu.org)
877d6c5o0h.fsf@gnu.org
severity 55399 important
quit
A
A
André Batista wrote 4 days ago
Re: bug#55399: guix system reconfigure fails on channel validation
(name . Ludovic Courtès)(address . ludo@gnu.org)
Yow4dwnY1SdpL3qm@andel
Hi!

seg 23 mai 2022 �s 16:18:52 (1653333532), ludo@gnu.org enviou:
Toggle quote (4 lines)
> Yes please! You pretty much already have the code, so we could put
> together a new Guile-Git release instead of carrying these modifications
> in Guix proper.

A
A
André Batista wrote 3 days ago
(name . Ludovic Courtès)(address . ludo@gnu.org)
Yo1tzQLys4R8aAyA@andel
Hi again,

seg 23 mai 2022 às 16:18:52 (1653333532), ludo@gnu.org enviou:
Toggle quote (4 lines)
> ...
> (For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
> Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

After upgrading guile-git, the attached patches disables owner
validation and reverts the above commit which made Guix's guile-git
depend on libgit2 1.3 instead of latest.

Cheers!
From f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001
In-Reply-To: <87a6b85o37.fsf_-_@gnu.org>
References: <87a6b85o37.fsf_-_@gnu.org>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
To: 55399@debbugs.gnu.org
Date: Tue, 24 May 2022 19:38:17 -0300
Subject: [PATCH] guix: Disable owner validation when updating cached checkout

* guix/git.scm (update-cached-checkout): Disable owner validation
checks.
---
guix/git.scm | 4 ++++
1 file changed, 4 insertions(+)

Toggle diff (29 lines)
diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..d5e12188a2 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2021 Kyle Meyer <kyle@kyleam.com>
 ;;; Copyright © 2021 Marius Bakke <marius@gnu.org>
 ;;; Copyright © 2022 Maxime Devos <maximedevos@telenet.be>
+;;; Copyright © 2022 André Batista <nandre@riseup.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 (define-module (guix git)
   #:use-module (git)
   #:use-module (git object)
+  #:use-module (git settings)
   #:use-module (git submodule)
   #:use-module (guix i18n)
   #:use-module (guix base32)
@@ -463,6 +465,8 @@ (define canonical-ref
           (repository    (if cache-exists?
                              (repository-open cache-directory)
                              (clone/swh-fallback url ref cache-directory))))
+     ;; Disable owner validation. See <https://issues.guix.gnu.org/55399>.
+     (set-owner-validation! #f)
      ;; Only fetch remote if it has not been cloned just before.
      (when (and cache-exists?
                 (not (reference-available? repository ref)))
--
2.36.0
From f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001
In-Reply-To: <87a6b85o37.fsf_-_@gnu.org>
References: <87a6b85o37.fsf_-_@gnu.org>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
To: 55399@debbugs.gnu.org
Date: Tue, 24 May 2022 19:38:18 -0300
Subject: [PATCH] gnu: guile-git: Use latest libgit2

* gnu/packages/guile.scm (guile-git) [inputs]: Use latest libgit2.
Reverts commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab.
---
gnu/packages/guile.scm | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

Toggle diff (15 lines)
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index a9e04cb476..138fb4d6bc 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -833,9 +833,7 @@ (define-public guile-git
     (native-inputs
      (list pkg-config autoconf automake texinfo guile-3.0 guile-bytestructures))
     (inputs
-     ;; libgit2@1.4.3 ‘fixed’ a git CVE it never shared, breaking Guix.  Use
-     ;; 1.3 for now; see <https://issues.guix.gnu.org/55399> for alternatives.
-     (list guile-3.0 libgit2-1.3))
+     (list guile-3.0 libgit2))
     (propagated-inputs
      (list guile-bytestructures))
     (synopsis "Guile bindings for libgit2")
-----BEGIN PGP SIGNATURE-----

iQG5BAABCgAjFiEEXo3OJhMk/jL9rLM1Nj97Uq5OMvYFAmKNbcsFgwPCZwAACgkQ
Nj97Uq5OMvb0AQv9HGwqf48upFCiCc0W+Ag9eQ1pceB4Lkl9GxLNJRoc9bfb3Wch
kAKKuBlyDzn5Tp/WwQtKcNoR0X6OEel2lNsM6NLoJdlxMN0QDU674Tnt16r5BZfD
Oam2s9vSdf+C99nrFxwAXd1Jqi5vLLfXNIcA9bArRgF8CnooOX8VWYbPvtTaqxNN
Z0i1XE5qtOtX+Jx3pwmF1Ve/dx5xP1+JZ11b9RqGWv+is9AbexBLl8WNna3KC/qL
shFAwCMiCSLgBfPhzhNolBdvrVeBkWkLGF+6L5WsGLiK3McBpv58UI9jJTTnETG0
EeNtzlBFMzyJUU2K8THdyoFTNclehZ0xI1W+DqzpcLdjz9c2Uy/4NvCtOJGYBXyy
g7YkZtYbsIYvx0LcG1ntcpDuNB7PaqovprTOYGUF9ntbrpCAOvIkebIVQRAcHOQt
lcijp4KWv+ZPt8dVDbPZ87Z7QAuAj64K2rpJlz+2y0HfuYPWTLXpaCz4LUqiWU88
LGX9yqQ6QXMXME9Z
=Or2r
-----END PGP SIGNATURE-----


?