
installer/tools/get-version-suffix: set --git-dir

The `nixos-rebuild` tool calls `get-version-suffix` to figure out the
git revision of the nixpkgs directory if there is a .git.

https://nvd.nist.gov/vuln/detail/CVE-2022-24765 made git throw an
error if the .git search logic is not turned off and a user
tries to access a `.git` directory they don’t own (otherwise a
different user could trick them into setting arbitrary git config).

So from now on we should always explicitly set `--git-dir`, which
turns this search logic (and thus the security check) off.

+4 -3
nixos/modules/installer/tools/get-version-suffix
··· 1 1 getVersion() { 2 2 local dir="$1" 3 3 rev= 4 - if [ -e "$dir/.git" ]; then 4 + gitDir="$dir/.git" 5 + if [ -e "$gitDir" ]; then 5 6 if [ -z "$(type -P git)" ]; then 6 7 echo "warning: Git not found; cannot figure out revision of $dir" >&2 7 8 return 8 9 fi 9 10 cd "$dir" 10 - rev=$(git rev-parse --short HEAD) 11 - if git describe --always --dirty | grep -q dirty; then 11 + rev=$(git --git-dir="$gitDir" rev-parse --short HEAD) 12 + if git --git-dir="$gitDir" describe --always --dirty | grep -q dirty; then 12 13 rev+=M 13 14 fi 14 15 fi
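Review bot: `gitDir="$dir/.git"` is computed before `cd "$dir"`, so if `$dir` is a relative path the `--git-dir="$gitDir"` arguments on the two git calls after the `cd` are resolved against the new working directory and point at the wrong location (e.g. `nixpkgs/nixpkgs/.git`); build the value from an absolute path, for instance `gitDir="$(cd "$dir" && pwd)/.git"`, or drop the `cd` and use `git -C "$dir" --git-dir=.git ...` instead. Note also that an explicit `--git-dir` bypasses the ownership check that CVE-2022-24765 introduced, so a `.git` directory owned by another user under `$dir` will have its config read without complaint; the commit message states this intent, but it is worth documenting in the script with a comment so the trade-off (no discovery, no safe.directory check) is visible to the next reader, and callers should only pass directories they control.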