guix: fix build user takeover patch (#353533)

authored by

Weijia Wang and committed by
GitHub
5e333514 7d0e50b0

+13 -44
-42
pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch
··· 1 - diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc 2 - index c5383bc..50d1abc 100644 3 - --- a/nix/libstore/build.cc 4 - +++ b/nix/libstore/build.cc 5 - @@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs() 6 - Path actualPath = path; 7 - if (useChroot) { 8 - actualPath = chrootRootDir + path; 9 - - if (pathExists(actualPath)) { 10 - - /* Move output paths from the chroot to the store. */ 11 - - if (buildMode == bmRepair) 12 - - replaceValidPath(path, actualPath); 13 - - else 14 - - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) 15 - - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); 16 - - } 17 - - if (buildMode != bmCheck) actualPath = path; 18 - } else { 19 - Path redirected = redirectedOutputs[path]; 20 - if (buildMode == bmRepair 21 - @@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs() 22 - something like that. */ 23 - canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen); 24 - 25 - + if (useChroot) { 26 - + if (pathExists(actualPath)) { 27 - + /* Now that output paths have been canonicalized (in particular 28 - + there are no setuid files left), move them outside of the 29 - + chroot and to the store. */ 30 - + if (buildMode == bmRepair) 31 - + replaceValidPath(path, actualPath); 32 - + else 33 - + if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) 34 - + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); 35 - + } 36 - + if (buildMode != bmCheck) actualPath = path; 37 - + } 38 - + 39 - + 40 - /* FIXME: this is in-memory. */ 41 - StringSink sink; 42 - dumpPath(actualPath, sink);
+13 -2
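--- a/pkgs/by-name/gu/guix/package.nix
+++ b/pkgs/by-name/gu/guix/package.nix
@@ -3,6 +3,7 @@
 stdenv,
 fetchurl,
 fetchpatch,
+fetchDebianPatch,
 autoreconfHook,
 disarchive,
 git,
@@ -57,9 +58,19 @@
 url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
 hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
 })
-# manual port of build user takeover remediation commit
 # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
-./guix-build-user-takeover-fix.patch
+(fetchDebianPatch {
+inherit pname version;
+debianRevision = "8";
+patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch";
+hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo=";
+})
+(fetchDebianPatch {
+inherit pname version;
+debianRevision = "8";
+patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch";
+hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM=";
+})
 ];
 
 postPatch = ''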
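Review bot: The remaining `# see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability` comment now sits above two fetchDebianPatch entries whose role is only visible in the Debian patch file names, and the removed line was the one that said these are the remediation for that advisory. Suggest restoring a one-line explanation above the first entry, e.g. `# upstream remediation for the build user takeover vulnerability, as shipped by Debian (0101 sanitizes failed build outputs, 0102 successful ones)`, so a reader knows both patches are required and why the in-tree port was dropped. Both entries also pin `debianRevision = "8"` alongside `inherit pname version;`, which presumably ties the fetch to the current package version; a short note that the revision must be bumped together with `version` would save the next updater a failed fetch. The `patches` list itself starts before this hunk.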