Please add a test for CVE-2024-27297

  • Open
  • quality assurance status badge
Details
One participant
  • Vagrant Cascadian
Owner
unassigned
Submitted by
Vagrant Cascadian
Severity
normal
V
V
Vagrant Cascadian wrote on 13 Mar 16:29 +0100
(address . bug-guix@gnu.org)
874jda6tgf.fsf@wireframe
It would be really nice, especially for downstream distributors, if
there was a test for CVE-2024-27297.

There is working code to test this in the excellent blog post on the
subject, which is a likely good starting point!


Super extra bonus points if the test is backwards compatible with guix
1.4 and 1.2 :)

live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZfHGYQAKCRDcUY/If5cW
qpknAP47fWB5TlrjYjqi2m2rehcO6V/dk0GQ3mXW5ADXCktjDQD8DYHL/GKaMx4O
kufrHGgPwFeDSxcMlPi6pjKjsGPZfgA=
=+c5S
-----END PGP SIGNATURE-----

V
V
Vagrant Cascadian wrote on 14 Mar 00:10 +0100
(address . 69777@debbugs.gnu.org)
87wmq5684q.fsf@wireframe
On 2024-03-13, Vagrant Cascadian wrote:
Toggle quote (11 lines)
> It would be really nice, especially for downstream distributors, if
> there was a test for CVE-2024-27297.
>
> There is working code to test this in the excellent blog post on the
> subject, which is a likely good starting point!
>
> https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
>
> Super extra bonus points if the test is backwards compatible with guix
> 1.4 and 1.2 :)

FWIW, the reproducer from the blog is not working for me with guix 1.2:

guix build -f guix-cve-2024-27297 -M4
/home/vagrant/guix-cve-2024-27297:20:7: warning: importing module (guix config) from the host
/home/vagrant/guix-cve-2024-27297:20:7: warning: importing module (guix config) from the host
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
The following derivations will be built:
/gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv
/gnu/store/90ysjngcdr0z5mcxprryxpp2413mly8z-derivation-that-exfiltrates-fd-65f22e2a-11731.drv
/gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv
/gnu/store/m1ln7m49qrd5jbg0rhjwgb3p5v4iqv1p-derivation-that-grabs-fd-65f22e2a-11731.drv
/gnu/store/n7zss6k3999bm566n6xwqgc5672mw5yr-receiver.drv
building /gnu/store/n7zss6k3999bm566n6xwqgc5672mw5yr-receiver.drv...
building /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv...
Backtrace:
4 (primitive-load "/gnu/store/2vg1l5pb6jgbrg3iivzj01gl0n8?")
In ice-9/eval.scm:
619:8 3 (_ #f)
191:27 2 (_ #f)
223:20 1 (proc #<directory (guile-user) 7ffff5bb7f00>)
In unknown file:
0 (%resolve-variable (7 . load-profile) #<directory (guil?>)

ERROR: In procedure %resolve-variable:
Unbound variable: load-profile
Backtrace:
4 (primitive-load "/gnu/store/c4a9kl1p4xs8fmw2w5smaim04cy?")
In ice-9/eval.scm:
619:8 3 (_ #f)
191:27 2 (_ #f)
223:20 1 (proc #<directory (guile-user) 7ffff5bb7f00>)
In unknown file:
0 (%resolve-variable (7 . load-profile) #<directory (guil?>)


ERROR: In procedure %resolve-variable:
Unbound variable: load-profile
builder for `/gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv' failed with exit code 1
build of /gnu/store/ndny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv failed
View build log at '/var/log/guix/drvs/nd/ny5r3l0s2vq1nal4raskl9pb0badc3-sender.drv.bz2'.
cannot build derivation `/gnu/store/90ysjngcdr0z5mcxprryxpp2413mly8z-derivation-that-exfiltrates-fd-65f22e2a-11731.drv': 1 dependenc
ies couldn't be built
cannot build derivation `/gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv': 1 dependencies couldn't be bui
lt
guix build: error: build of `/gnu/store/dirlf6m5kb6by220qivwj10r677ylb39-checking-for-vulnerability.drv' failed


I guess I can try "guix pull" to something current to run it...

live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZfIyVQAKCRDcUY/If5cW
qlQaAP4hjIHnpcAX4DB5rwP/LOX8ISe2eN8dUI7s7eWV0JqkiwD9GEM2br1A2E0s
sH2MwuNyrhRkYpPJEjUeDa1pDJ+4GA4=
=RuLg
-----END PGP SIGNATURE-----

?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 69777@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 69777
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch