| 5 Jul 2024 |
syd installs gentoo (they/them) | Please move to #security-discuss:nixos.org | 12:07:07 |
raitobezarius | sorry, right | 12:07:22 |
ElvishJerricco | In reply to @septem9er:fairydust.space
Hey, it seems like there is a regression of CVE-2023-36476 in the NixOS Calamares extension, a.k.a. the graphical NixOS installer. The commit fixing this was reverted for some reason. It seems like they wanted to fix it another way in this commit. I haven't really looked into what they try to do in this commit; however, the commit message was the following:
Do not use crypto_keyfile.bin in UEFI, but leave BIOS the same.
Which doesn't really make sense to me, because the original CVE applied to BIOS systems mostly. So leaving BIOS systems the same wouldn't fix the issue.
Someone reported this here; I could reproduce this with the latest NixOS GNOME ISO, with the following steps:
- Start the ISO on a BIOS (legacy) system / in BIOS mode
- Select manual partitioning in the installer
- Create an unencrypted legacy-boot partition with mountpoint /boot
- Create an encrypted root partition with mountpoint /
After the installation is done, there is a LUKS keyfile in a zstd/cpio archive in /boot/kernels/***-secrets, which does open the root partition.
yeah, the reason for that revert commit was that the original fix was wrong, so I just reverted and re-did it | 12:45:20 |
raitobezarius | discussions in #security-discuss:nixos.org ElvishJerricco | 12:45:52 |
| 7 Jul 2024 |
hexa | https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/ | 18:51:25 |
| 8 Jul 2024 |
| 9 Jul 2024 |
hexa | https://www.blastradius.fail/ | 16:29:48 |
hexa | Blast-RADIUS is a protocol vulnerability, and thus affects all RADIUS implementations using non-EAP authentication methods over UDP. | 16:29:59 |
| 10 Jul 2024 |
| 11 Jul 2024 |
felschr | https://github.com/NixOS/nixpkgs/pull/326148 | 14:15:03 |
| 14 Jul 2024 |
| 15 Jul 2024 |