okay so. nix 2.24+ vuln: nar unpacking is fucked, and local unprivileged users, or any binary cache you have configured, can just Get Root on your system

if you create a nar file with a directory containing both a symlink and a directory with the same name, the symlink will be followed and filled with the contents you put in that directory due to a refactoring mistake

and, as the nix daemon usually runs as root (with the nix store mounted read-write), it's possible to write files into e.g. /run/current-system/etc/systemd/system, and as such get persistent root access from unpacking a malicious NAR.

now how do you make Nix read a NAR? well... there are two primary ways

any untrusted user that can talk to the nix daemon can write NARs that are either content-addressed, or signed by a trusted key, into the Nix store;
...and any binary cache can do this as well, as the daemon will fetch nar files from the binary cache.

now this vuln would be evil but local privesc only if this was all, except for a very funny second issue:
the signature on NAR files is validated only *after* unpacking the NAR

so any malicious binary cache can reuse the signature of, say, a store path on cache.nixos, and (this is very likely, of course) if the nix daemon trusts the signature, it will end up unpacking any nar of the cache's choice without checking that the signature (or even hash!) matches

in certain cases (e.g. there's a symlink pointing to root in a trusted nar) this can even be done entirely silently, which is... very bad.


at this point the disclosure timeline has passed; and a point release was even made after the vulnerability was well known by the entire team (GHSA-h4vv-h3jq-v493 was opened a day before the point release); and the severity of the vulnerability is high enough that i want people to be aware of this issue

(it's possible to mitigate this issue by downgrading to Nix 2.23, or setting allowed-users to only trusted users; and making sure any binary caches you have set are https and very trusted.)
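As an added example (not code from this thread and not Nix's own implementation): a small Python scanner that parses the NAR serialization and reports any directory whose entry names repeat or are out of order, which is exactly the shape described above (a symlink and a directory sharing one name). It assumes the NAR wire format as I know it (strings as a little-endian u64 length plus payload zero-padded to 8 bytes, a `nix-archive-1` header, `( type ... )` nodes); the builders and the two sample archives are constructed for the demonstration.

```python
import struct
def _s(b):  # NAR string: u64 little-endian length, payload, zero-padded to 8 bytes
    return struct.pack("<Q", len(b)) + b + b"\0" * (-len(b) % 8)

def nar_symlink(target):
    return _s(b"(") + _s(b"type") + _s(b"symlink") + _s(b"target") + _s(target) + _s(b")")

def nar_directory(entries):  # entries: (name, encoded child node) pairs, in the given order
    body = b"".join(_s(b"entry") + _s(b"(") + _s(b"name") + _s(n) + _s(b"node") + node + _s(b")")
                    for n, node in entries)
    return _s(b"(") + _s(b"type") + _s(b"directory") + body + _s(b")")

def scan_nar(data):
    """Report directory entries whose name does not strictly increase (repeated or unsorted)."""
    pos, findings = 0, []
    def read():
        nonlocal pos
        (n,) = struct.unpack_from("<Q", data, pos)
        value = data[pos + 8:pos + 8 + n]
        pos += 8 + n + (-n % 8)  # skip length, payload and zero padding
        return value
    def expect(lit):
        if (got := read()) != lit: raise ValueError(f"malformed NAR: expected {lit!r}, got {got!r}")
    def walk(path):
        expect(b"("); expect(b"type"); kind = read()
        if kind == b"regular":
            if (tok := read()) == b"executable": expect(b""); tok = read()
            if tok != b"contents": raise ValueError("malformed regular node")
            read()  # file contents, not inspected here
        elif kind == b"symlink":
            expect(b"target"); read()
        elif kind == b"directory":
            prev = prev_kind = None
            while (tok := read()) != b")":
                if tok != b"entry": raise ValueError("malformed directory node")
                expect(b"("); expect(b"name"); name = read(); expect(b"node")
                child = walk(path + b"/" + name); expect(b")")
                if prev is not None and name <= prev:
                    findings.append(f"{path.decode()}/{name.decode()}: {child} after {prev_kind} {prev.decode()!r}")
                prev, prev_kind = name, child
            return "directory"
        else: raise ValueError(f"unknown node type {kind!r}")
        expect(b")"); return kind.decode()
    expect(b"nix-archive-1"); walk(b"")
    if pos != len(data): raise ValueError("trailing bytes after NAR")
    return findings

# Constructed sample archives (not real cache content); SUSPECT names "etc" twice, symlink then directory.
CLEAN = _s(b"nix-archive-1") + nar_directory([(b"bin", nar_directory([])), (b"lib", nar_symlink(b"bin"))])
SUSPECT = _s(b"nix-archive-1") + nar_directory([(b"etc", nar_symlink(b"elsewhere")), (b"etc", nar_directory([]))])
```

Running `scan_nar` over a NAR before it is trusted gives an empty list for CLEAN and one finding for SUSPECT; it only inspects names and ordering, it never extracts anything.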

@puckipedia What the heck?? We were about to release the fix after getting your feedback. Did you not receive a message from Tom?

@roberth @puckipedia Can we set up some kind of real-time comms between the lix and cppnix core teams?

If schedules could be communicated (or if you could keep our devs in the loop) I think we could help to prevent missing each other.

It's very hard to get any comms to y'all and get a solid response, and that seems like something we should fix.

@ktemkin @puckipedia Puck and Tom were in touch, we're all on Matrix, we have a responsible disclosure document thingy on the GitHub repo. How could that not be enough?

I'm all for a hotline, sure, but why would Puck do this when she's already in touch?

Anyway, the damage has been done and I can't trust Puck again. This is really really bad.

@roberth @puckipedia Members of our team have been trying to get comms going with you for -months- over a past disclosure that has died on the vine, and which is still unmitigated on your side.

If we can't get you to e.g. cherry-pick a trivial remediation in a matter of months, we have a responsibility to make sure that issues are at least brought to the public's eye.

First & foremost, we're responsible for upholding the trust of our users. If you've the same goal, please start communicating.

@ktemkin @puckipedia What is your definition of trying? Doing the exact same thing over and over without result or something?
The Nix community is on many platforms through which it can be reached and one of them is enough to establish contact with any of the team members.

@roberth @puckipedia

As far as I know, team members have reached out in multiple ways - including in person at events - and been summarily ignored.

There's obviously a communication issue here, and I'm literally reaching out to you to try to get *something* that works, because we all want Nix-based technologies -- and their users -- to thrive.

If this is due to a lack of resources on your end, please let me know how we can help. As far as I'm concerned, we're all in this ecosystem together.