Date: Wed, 09 Oct 2019 11:33:52 -0400 From: "Graham Christensen" <graham@...hamc.com> To: "Michael Orlitzky" <michael@...itzky.com> Cc: oss-security@...ts.openwall.com Subject: Re: CVE-2019-17365: Nix per-user profile directory hijack -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello Michael and oss-security, I'm from the NixOS Security Team. We handle security reports for Nix, NixOS, and the Nix ecosystem. > Bug report: Reported privately to the NixOS security team on 2019-08-19. I can confirm we received, validated, and improperly handled this report. I took lead on this issue and began authoring a patch to fix it. We had a partial fix, and I dropped the ball. I have opened up my partial patch to the greater NixOS security community to get help in finishing this off. Unfortunately, the problem is in a challenging spot: the code must be authored very carefully to not fail. More unfortunately, the root of this issue has been known for some time. As soon as we are comfortable with a fix, we will release a new version of Nix. We will also examine how we handle security issues, and publish a post-mortem of how this happened and how our processes will be changed to prevent this from happening again. Thank you, Michael for bringing this issue to the public eye.  https://nixos.org/nixos/security.html  https://github.com/NixOS/nix/pull/3134  https://github.com/NixOS/nix/issues/509 Graham Christensen NixOS Security Team -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEgej9zkMfmhiSsTqdrKHB0SDIPVwFAl2d/MUACgkQrKHB0SDI PVxPuA/5AfX/pu3fjXK7OQbxI6euYkbebjKy8wCk9cXc24CY1V/aqPchN6a79hVw gE9UkIxryVACKZdZVQvsvNi9D54cxJM6yRwf0nReZETqzlaT2B7sjbzGhg4QBhuj klqViy+cIp3vP7qH+baZSRGEoq5T/sV6Jk+Y9Dzr0CpgNav+tvYdtk47KkrocKxy Pg3pclWUiAqY45bQRn/zhbv3SneKjlKEe3cQYp7hUuH24peZrAm5LQrD8RImWDcq yeQqHr0OlH6UHxVXKjkMYW07ZHN5y7u11ACicM9Nb4hb/+pKeQ9k2hqJKYe6eIZJ yFiyLFLLuMR39g72Kzx1mpXlr1cx5LaY9woWJkUwinemWe5sO0Ql5kiFdc1hdF6e 7Uy+0yH+8/WRhT3x13Ec4nDaCLz0bnYahD2OXDJRmtzXGG4/LYRHsY7IFYJrrEXn AUTG7NaX8KAatDY3XTKMeAY00yUvyDx0hol0uL+APQwKTzBGw5eu7vlpN4Z/B91/ UNJNF2sDHDndkduPlYrvXiSkRvR4a3kBoLOZBjftIlZbk9kjIw3Cc0YTemlvckat rFNgaLe0DXDPQ4Bt/8uUizfyo1uYUp7HbBLs8CTsU1on8GxCdBlFcZ4dae/O0VTc rcPTto9TChK8U/cFkeFIrix6hbG5u+2EbhY6BkzDmTtxaifd0uM= =FG5p -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.