| 2 Jul 2024 |
| @ity:itycodes.org changed their display name from Tranquil Ity to Tranquil Ity (eepy/cutie). | 20:49:29 |
| @ity:itycodes.org changed their display name from Tranquil Ity (eepy/cutie) to Tranquil Ity. | 20:50:51 |
ris_ | sigh https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/ | 21:26:14 |
tgerbet | https://github.com/NixOS/nixpkgs/commit/2dcfa4787b6fb9fb9e6cb087db382f9ce8556f99 | 21:32:15 |
emily | (don't expose unsandboxed ghostscript to untrusted input folks) | 21:34:09 |
ris_ | In reply to @tgerbet:matrix.org https://github.com/NixOS/nixpkgs/commit/2dcfa4787b6fb9fb9e6cb087db382f9ce8556f99 oh awesome we don't even have to backport | 21:41:00 |
hexa | https://httpd.apache.org/security/vulnerabilities_24.html | 22:08:47 |
| 3 Jul 2024 |
| @janik0:matrix.org left the room. | 07:23:26 |
hexa | https://mastodon.social/@MastodonEngineering/112717731749830186 mastodon, 2024-07-04 16:00 UTC | 13:16:04 |
tgerbet | * 15:00 UTC | 13:21:50 |
hexa | https://github.com/NixOS/nixpkgs/pull/324349
https://meta.discourse.org/t/3-2-3-security-and-bug-fix-release/313392 | 15:22:47 |
hexa | https://github.com/NixOS/nixpkgs/pull/324371 | 16:04:16 |
| lassulus joined the room. | 19:11:43 |
| @shaderoit99:matrix.org left the room. | 21:28:15 |
| 4 Jul 2024 |
| @eyjhb:eyjhb.dk left the room. | 10:58:00 |
osnyx (he/him) | https://github.com/mastodon/mastodon/releases/tag/v4.2.10 | 15:05:18 |
hexa | maintainer is working on it | 15:09:02 |
hexa | (kerstin) | 15:09:03 |
hexa | https://github.com/NixOS/nixpkgs/pull/324586 merged into master, unstable-small eval triggered | 15:39:17 |
hexa | https://github.com/NixOS/nixpkgs/pull/324587 still running tests | 15:39:23 |
| Philip Taron (UTC-8) left the room. | 15:45:55 |
| Philip Taron (UTC-8) joined the room. | 15:55:52 |
hexa | * https://github.com/NixOS/nixpkgs/pull/324587 merged into release-24.05, nixos-24.05-small eval triggered | 15:59:31 |
| Kerstin (she/her) joined the room. | 16:01:33 |
| Benedikt changed their display name from Soispha to Benedikt. | 19:10:30 |
| 5 Jul 2024 |
Septem9er | Hey, it seems like there is a regression of CVE-2023-36476 in the NixOS calamares extension, aka the graphical NixOS installer. The commit fixing this was reverted for some reason. It seems like they wanted to fix it another way in this commit. I haven't really looked into what they try to do in this commit; however, the commit message was the following:
Do not use crypto_keyfile.bin in UEFI, but leave BIOS the same.
Which doesn't really make sense to me, because the original CVE applied to BIOS systems mostly. So leaving BIOS systems the same wouldn't fix the issue.
Someone reported this here; I could reproduce this with the latest NixOS GNOME ISO, with the following steps:
- Start the ISO on a BIOS (legacy) system / in BIOS mode
- Select manual partitioning in the installer
- Create an unencrypted legacy-boot partition with mountpoint /boot
- Create an encrypted root partition with mountpoint /
After the installation is done, there is a LUKS keyfile in a zstd/cpio archive in /boot/kernels/***-secrets, which does open the root partition.
| 11:36:34 |
emily | thank you for the report | 11:48:34 |
emily | https://github.com/NixOS/calamares-nixos-extensions/pull/25 says "#21 broke encrypted swap by mishandling the removal of crypto_keyfile.bin. This reverts the original fix. Instead, we leave BIOS the same; that was secure as it was before", I guess this was just a misunderstanding of the vuln? :/ | 11:49:21 |
emily | maybe it's better to revert and let encrypted swap be broken while we figure out what the proper fix is? | 11:50:59 |
emily | (I guess this is going to require another GHSA? it's the month of security regressions…) | 11:51:25 |