!NBBFPbiuttRgTqbrcY:nixos.org

NixOS Security Discussions

356 Members
Discussions around Security | Triaging happens in #security:nixos.org133 Servers

Load older messages


SenderMessageTime
17 Jul 2024
@elvishjerricco:matrix.orgElvishJerricco gabyx: is this the right room for that question? 16:42:17
18 Jul 2024
@sofo:matrix.orgSofie (AWAY) changed their display name from Sofie to Sofie (AWAY).16:37:39
@emilazy:matrix.orgemilywow, you don't see a gtk 2 security fix every day20:19:53
@emilazy:matrix.orgemilycan we get rid of it before or after Python 2? :)20:20:16
@emilazy:matrix.orgemily361 matching files, how hard could it be?20:22:21
19 Jul 2024
@magic_rb:matrix.redalder.orgmagic_rb https://github.com/woodpecker-ci/woodpecker/pull/3934/files
This commit to the woodpecker is sketchy, as in, the reasoning is not given at all. If they unset PATH wouldnt that break NixOS? The dicussion behind this is in a different woodpecker-secutity repo and innaccessible, at least for me
04:59:43
@0x4a6f:matrix.org[0x4A6F]
In reply to @magic_rb:matrix.redalder.org
https://github.com/woodpecker-ci/woodpecker/pull/3934/files
This commit to the woodpecker is sketchy, as in, the reasoning is not given at all. If they unset PATH wouldnt that break NixOS? The dicussion behind this is in a different woodpecker-secutity repo and innaccessible, at least for me
The history of this PR is also sketchy: https://github.com/woodpecker-ci/woodpecker/pull/3934/commits
05:05:01
@magic_rb:matrix.redalder.orgmagic_rbYeah i have a bad feeling about this one05:06:07
@magic_rb:matrix.redalder.orgmagic_rbIt makes no sense as a security fix, the PATH and such are the responsiblity of the system administrator and should not be affected by CI runs. In which case allowing LD_PRELOAD makes sense as i may want to do that and its up to me to do that if i so want05:07:04
@magic_rb:matrix.redalder.orgmagic_rb Unless this is about filtering env from the job side 05:09:38
@magic_rb:matrix.redalder.orgmagic_rbBut that is also weird and just unsafe in general05:09:52
@elvishjerricco:matrix.orgElvishJerricco magic_rb: it just seems like clumsy input sanitization to me. I don't really know anything about that project, but it seems like there's a list of user-supplied credentials that are supposed to be made available with an environment variable based on their names. Rather than just having a sanitized prefix like SECRET_${name}, they're just forbidding names that can affect behavior. 05:29:31
@elvishjerricco:matrix.orgElvishJerriccothat's my read anyway05:29:34
@magic_rb:matrix.redalder.orgmagic_rbOkay makes sense05:32:20
@magic_rb:matrix.redalder.orgmagic_rb The timimg of it extremely weird, im currently in the gym so didnt have the time to look into it, i appreciate that you did @ElvishJerricco thanks :) 05:32:57
@magic_rb:matrix.redalder.orgmagic_rb With all the recent shit that happened i guess im suspicious 05:33:13
@magic_rb:matrix.redalder.orgmagic_rb * The timimg of it is extremely weird, im currently in the gym so didnt have the time to look into it, i appreciate that you did @ElvishJerricco thanks :) 05:33:30
@elvishjerricco:matrix.orgElvishJerriccounderstandable :)05:33:52
@elvishjerricco:matrix.orgElvishJerriccoif my read is right, it's really a not-great solution. They just assume they've discovered all the environment variables that could be problematic05:34:28
@magic_rb:matrix.redalder.orgmagic_rb @ElvishJerricco can i repost your explaination to the PR? Anonymously if you want 06:26:45
@emilazy:matrix.orgemilyyeah this is just the standard "oops, environment injection vulnerability"09:20:22
@emilazy:matrix.orgemilyanyone remember shellshock09:20:26
@emilazy:matrix.orgemily"It was commited 6 hours ago and yet is in a released version of buildbot already" – this plus embargoed discussion are pretty standard for critical security fixes09:21:03
@emilazy:matrix.orgemilynote that most likely the only reason Jia Tan was rushing was because distributions were moving away from linking the library that made their attack work. if you're trying to slip backdoors in, you generally don't want to do it as part of a critical security fix that you rush out releases for, because (as we can see here) it drastically increases the number of eyes on the commit09:22:07
@emilazy:matrix.orgemilysuspicious commits tend to look more like "chore: refactor module handling" or "feat: optimize memory prefetching on x86"09:23:19
@emilazy:matrix.orgemilyalthough it kind of sucks that they haven't disclosed now that there is a release out :)09:24:43
@emilazy:matrix.orgemilybut it would probably be very easy to reconstruct the attack from that commit09:25:05
@emilazy:matrix.orgemilymy bottom line hot take: I would feel a little nervous about the security of this software, not because there is anything fishy about the commit or release process, but just because they've decided on an ad-hoc blocklisting approach for a pervasive attack vector09:26:31
@easel:matrix.orgeasel changed their profile picture.14:17:18
20 Jul 2024
@w4tsn:darmstadt.socialw4tsnSo to get this "secrets copied into nix-store thing" a step forward. From what I understand it would be A) very low level to add checks before build and B) the detection logic (with exclusions etc.) would be really hard to solve. So where does that leave us? I guess some guidelines would make sense to discourage / deprecate allowance of Paths (that copy files into the nix store) as datatype for things that are designed to only be evaluated at runtime. Additionally a organized effort to identify all packages with this problem and notifying the maintainers to restrict such variables to string types. Would that even work and does that make sense? WDYT?09:12:53

There are no newer messages yet.


Back to Room ListRoom Version: 9