New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert "xz: 5.4.6 -> 5.6.1" #300028
Revert "xz: 5.4.6 -> 5.6.1" #300028
Conversation
We should probably leave a comment to not update to 5.6.0/1 by rrynatm or someone not being aware of this. |
This reverts commit c53bbe3. The upstream tarball has been tampered with and includes a backport for which we cannot completely rule out, whether we are affected. https://www.openwall.com/lists/oss-security/2024/03/29/4
This reverts commit 5c7c19c. The upstream tarball has been tampered with and includes a backport for which we cannot completely rule out, whether we are affected. https://www.openwall.com/lists/oss-security/2024/03/29/4
Is there any way to pull 5.6.0/5.6.1 from the build cache? |
eb3453a
to
f721231
Compare
Yes, but highly impractical, so unlikely to happen. |
responding to a now deleted comment which said the tarballs aren't backdoored: It's using the tarballs associated with the github release and not the tarball created by github for a tag, https://www.openwall.com/lists/oss-security/2024/03/29/4 indicates that those are backdoored. |
Would it be worth, at least temporarily, adding it to the skiplist to avoid the risk of someone accepting a bot-proposed update? https://github.com/ryantm/nixpkgs-update/blob/main/src/Skiplist.hs |
A committer of theirs added the exploit to the git repo disguised as test artifacts. Why should we trust anything else they have done? Reverting to 5.4.6 and waiting for further analysis is the way we go. |
maybe we should mention CVE-2024-3094 |
This is a follow-up to the downgrade to version older than 5.6.x made in NixOS#300028 (also known as CVE-2024-3094). A suspicious commit made by the same actor has been spotted in libarchive and following up discussions a change has been made by contributor and merged by another maintainer.
This is a follow-up to the downgrade to version older than 5.6.x made in NixOS#300028 (also known as CVE-2024-3094). A suspicious commit made by the same actor has been spotted in libarchive and following up discussions a change has been made by contributor and merged by another maintainer.
I feel like security issues like this should be put into unstable quicker is there not a process for this? I am running a infected version seemingly and just updated my system after discovering this, seems my only option is to switch to master branch
|
@nonetrix Until someone who is more knowledgeable about the Nixpkgs process replies I think it would be smart to overlay it with the correct version |
You can follow the discussion on the NixOS Discourse.
It appears to be not in an exploitable fashion for NixOS, due to built-time checks that specifically targeted deb/rpm systems. We'll have to wait for the first analysis of all the commits that were made since the malicious actor joined the xz project. |
Given the currently available information, the version of xz 5.6.1 that's available in nixpkgs does not contain the exploit code. And even if it would, it wouldn't trigger on the host systems due to the condition that However, I understand (and feel the same) that there should be mechanisms in place for when a critical issue arrises that does affect NixOS. Perhaps it is an option to update nixpkgs even though binaries aren't available yet? That way, users would get the update ASAP, even if this means local rebuilds for the time being. Another thing I've noticed: Did the security team not get a notice about this issue beforehand? Distros like Arch got a security notice at least one day before the vulnerability was disclosed. Or was this a deliberate decision given that binaries from nixpkgs don't seem to be affected? |
This is a follow-up to the downgrade to version older than 5.6.x made in NixOS#300028 (also known as CVE-2024-3094). A suspicious commit made by the same actor has been spotted in libarchive. Reverting the change seems to be acceptable.
This is a follow-up to the downgrade to version older than 5.6.x made in NixOS#300028 (also known as CVE-2024-3094). A suspicious commit made by the same actor has been spotted in libarchive. Reverting the change seems to be acceptable.
I thought it was in nixpkgs? #300028 (comment). Also, as of right now we only know that it will trip when I do agree with the sentiment of having protocols in place for the future. As for the heads up, from what I can tell it was one person who discovered it and released it publically so the malicious actor couldn't do more to hide it, so I think it may have just been that they weren't aware of NixOS. Of course, I'd like a response from someone on the public team themselves. |
The source tarball seems to be affected, but the resulting binary doesn't seem to contain the respective exploit code. At least on my machine, I can't find the signature from the openwall report in my liblzma binaries. Either way, information seems to be too scattered right now to say anything for certain. But given that, with currently available information, we don't seem to be at immediate risk, perhaps it'd be better to let the dust settle and take according measures once we have a clear picture. |
The xz repository is now disabled on GitHub. This PR now failed to fetch src for me (hash mismatch). I think we need to seek some alternatives and push it to |
Debian decided to roll back to 5.3.1, as 5.4.6 still includes a lot of potentially compromised commits: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 Perhaps they could be used as a source repository. That rollback is not going to be easy, however. I assume dropping the dep on xz entirely is functionally impossible? |
there is also mirror hosted by original xz maintainer https://git.tukaani.org/?p=xz.git;a=summary |
+1 on this. If I understand this correctly, the binary cache was always meant to be a convenience feature to save a bunch of time rebuilding on an otherwise source-based system, rather than an integral part of the functioning of Nix. From that perspective, I think one could argue that the additional time spent on a rebuild is very much worth avoiding a security vulnerability for anyone who pulls in the affected package. On a related note, is anyone aware of the existence of any centralised location to check if any given Nixpkgs commit contains vulnerabilities that were fixed in a later version (for those who do not regularly keep track of Github Issues)? |
Nothing prevents you from following As for mechanisms that avoid rebuilds, there is NixOS option |
Source switched to a working mirror in 6aa50d0. GitHub overreacted and made things worse IMHO, but "fortunately" switching URLs is rebuild-free. |
FYI, should something be discovered in 5.4.3 (also signed by the same person), we need to change pkgs/os-specific/linux/minimal-bootstrap/xz too, because the bootstrap derivation doesn't depend on the derivation in this PR. |
Those may be decent measures for someone who regularly checks on their Nix/NixOS installation (manually picking Just throwing ideas out there, but possible compromises could include:
|
Debian contributors are discussing that possibility, it's not definitive yet as far as I can tell. Disclaimer: I'm a Debian user trying to make sense of the situation, not (yet) a Debian contributor, and not a Nix user. |
I don't think you understand the significance of rebuilding the bootstrap tools. Even with a build farm and tuned remote builders this can easily take an entire day or more which is extremely impractically for anyone to use. It arguable way easier to ditch the current staging-next branch and replace it in such situations. Using system.replaceRuntimeDependencies in those situations is easier. Or if you just want to replace xz in openssh, you can work with overlays and get down to probably just a few rebuilds.
Reducing the size of stdenv or the reverse deps of key packages is helping that. We already did that for openssh in the past and now updates to it can go straight to master instead of staging first.
That already exists and is called nixos-unstable-small.
That likely does not help as much as you want it to. xz is a dependency of bootstrapping things and many things in there are not as parallelized. Also adding those builders takes time and hydra is not great at greatly utilizing them and distributing builds. |
I've had Actions Runners time out after only making it to
Again, that is a fine solution for those of us who are already here. Having
That helps with the build times, but the fundamental problem remains that we are delaying vital security updates by rebuilding the universe for the sake of a convenience feature, and that universe is only going to get bigger.
Aren't merges to that branch also blocked by
Fair enough. Apologies if I'm coming off as a bit too harsh, just legitimately perplexed that there is no fast-ring with just the critical fixes. It seems to me (and I could be wrong) that as of now the only options are a) get patches for exploitable code more than a week late, or b) regression beta-tester. |
Switched to nixpkgs staging-next to address NixOS/nixpkgs/pull/300028 Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/179f6acaf7c068c7870542cdae72afec9427a5b0' (2024-03-27) → 'github:nix-community/home-manager/c0ef0dab55611c676ad7539bf4e41b3ec6fa87d2' (2024-03-28) • Updated input 'nix-gaming': 'github:fufexan/nix-gaming/63ded1ffc0846c259f9cd0f62aa2ea9f7f804f56' (2024-03-27) → 'github:fufexan/nix-gaming/350a57349ed40f0166e2afaf1d5c1ee955c53111' (2024-03-29) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/fd84c1ff8937685294342c57a656a7066800d01c' (2024-03-26) → 'github:nixos/nixpkgs/48d06167c6d80ba706833f8f76f8a8fe7c33786c' (2024-03-30) • Updated input 'nur': 'github:nix-community/NUR/e9fb06187654059328b8a266ea9a6d2f36cf1cf6' (2024-03-28) → 'github:nix-community/NUR/dd0c7591edf10dbe65223bb7353927b2a1f1b41e' (2024-03-30) • Updated input 'plasma-manager': 'github:pjones/plasma-manager/298f345f3ca9528ca88dbbbdcadfc270b7582ded' (2024-03-27) → 'github:pjones/plasma-manager/25b222a95a764bb76b7082746e8a1115c46ae2d8' (2024-03-30)
Might be better to raise a separate issue for an extended discussion of rapidly hotfixing when many rebuilds are involved. As far as I know this revert was out of precaution but there's not a rush to jump to it because the nix build of liblzma didn't have the backdoor injected. There's more discussion in https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405?u=lun and there was some on matrix earlier. |
I definitely agree that more discussion is needed. NixOS lucked out this time. In the future we might not be so lucky, and it might be a much larger Exploit. Security patches need to come out instantly. |
This conversation is going way off topic. Future policy discussion should not be done on this PR. |
Description of changes
The upstream tarball has been tampered with and includes a backdoor for
which we cannot completely rule out, whether we are affected.
https://www.openwall.com/lists/oss-security/2024/03/29/4
Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.