Message-Id: <fb9538aa-b43d-4a35-bf5b-7d1f72caddde@www.fastmail.com>
Date: Wed, 09 Oct 2019 11:33:52 -0400
From: "Graham Christensen" <graham@...hamc.com>
To: "Michael Orlitzky" <michael@...itzky.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-17365: Nix per-user profile directory hijack

Hello Michael and oss-security,

I'm from the NixOS Security Team[0]. We handle security reports for
Nix, NixOS, and the Nix ecosystem.

> Bug report: Reported privately to the NixOS security team on 2019-08-19.

I can confirm we received, validated, and improperly handled this
report.

I took lead on this issue and began authoring a patch to fix it. We
had a partial fix, and I dropped the ball. I have opened up my partial
patch to the greater NixOS security community[1] to get help in
finishing this off.

Unfortunately, the problem is in a challenging spot: the code must be
authored very carefully to not fail. More unfortunately, the root of
this issue has been known for some time[2].

As soon as we are comfortable with a fix, we will release a new
version of Nix.

We will also examine how we handle security issues, and publish a
post-mortem of how this happened and how our processes will be changed
to prevent this from happening again.

Thank you, Michael, for bringing this issue to the public eye.

[0] https://nixos.org/nixos/security.html
[1] https://github.com/NixOS/nix/pull/3134
[2] https://github.com/NixOS/nix/issues/509


Graham Christensen
NixOS Security Team
