Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kanidm: don't log provisioned passwords via instrumentation #392031

Merged
merged 1 commit into from
Mar 23, 2025
Merged

kanidm: don't log provisioned passwords via instrumentation #392031

merged 1 commit into from
Mar 23, 2025

Conversation

oddlama
Copy link
Contributor

@oddlama oddlama commented Mar 22, 2025

The current provisioning patchset for kanidm logs the provisioned password through the function instrumentation
into the system log. This updates the patches for all versions to prevent this from happening.
This also make sure to test this behavior in the related nixos test.

Fixes: CVE-2025-30205
Thanks to @qenya for reporting this

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@oddlama
kanidm: don't log provisioned passwords via instrumentation
df0193b 
This also make sure to test this in the related nixos test.

Fixes: CVE-2025-30205
Reported-By: Katherina Walshe-Grey <qenya@qenya.tel>
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Mar 22, 2025
@adamcstephens adamcstephens added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Mar 23, 2025
@adamcstephens adamcstephens merged commit 7af9798 into NixOS:master Mar 23, 2025
28 of 29 checks passed
@adamcstephens adamcstephens added the backport release-24.11 Backport PR automatically label Mar 23, 2025
@nixpkgs-ci nixpkgs-ci bot mentioned this pull request Mar 23, 2025
Merged
1 task
@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented Mar 23, 2025

Successfully created backport PR for release-24.11:

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/security-advisory-kanidm-provisioned-admin-credentials-leaked-into-system-log-cve-2025-30205-to/62128/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adamcstephens adamcstephens

@mweinelt mweinelt

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 backport release-24.11 Backport PR automatically
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@oddlama @nixos-discourse @adamcstephens