[bug#69728,security] daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297).

Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id 6ACDB27BBEA; Tue, 12 Mar 2024 13:32:50 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED
	autolearn=ham autolearn_force=no version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 02EDA27BBE2
	for <patchwork@mira.cbaines.net>; Tue, 12 Mar 2024 13:32:46 +0000 (GMT)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1rk2Ep-0007mn-Ab; Tue, 12 Mar 2024 09:32:15 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1rk2E4-0007dR-0k
 for guix-patches@gnu.org; Tue, 12 Mar 2024 09:31:48 -0400
Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1rk2E3-0001r4-Oe
 for guix-patches@gnu.org; Tue, 12 Mar 2024 09:31:27 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1rk2Ec-0005xg-5m
 for guix-patches@gnu.org; Tue, 12 Mar 2024 09:32:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#69728] [PATCH security] daemon: Protect against FD escape when
 building fixed-output derivations (CVE-2024-27297).
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 12 Mar 2024 13:32:02 +0000
Resent-Message-ID: <handler.69728.B69728.171025031122900@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 69728
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch security
To: 69728@debbugs.gnu.org
Cc: Picnoir <picnoir@alternativebit.fr>,
 =?utf-8?q?Th=C3=A9ophane?= Hufschmitt <theophane.hufschmitt@tweag.io>,
 guix-security@gnu.org
Received: via spool by 69728-submit@debbugs.gnu.org id=B69728.171025031122900
 (code B ref 69728); Tue, 12 Mar 2024 13:32:02 +0000
Received: (at 69728) by debbugs.gnu.org; 12 Mar 2024 13:31:51 +0000
Received: from localhost ([127.0.0.1]:42083 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1rk2ER-0005xH-0V
 for submit@debbugs.gnu.org; Tue, 12 Mar 2024 09:31:51 -0400
Received: from eggs.gnu.org ([209.51.188.92]:37266)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1rk2EO-0005x4-5l
 for 69728@debbugs.gnu.org; Tue, 12 Mar 2024 09:31:49 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1rk2Di-0001n0-Bp; Tue, 12 Mar 2024 09:31:07 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=ApG/gHDiTE1k3aAxBiJqo9n/srVBwLyCkr8lEWPgc+U=; b=JFZl/t5Vs1DXkerv0xqF
 KHOBGrygJPO1XFkcYKiLo52Pk7fFXB8szXqxdoNZfwWNTbW1rFKKGxb0LVlhakNZeVhvg4R8UsI9N
 X0QG0oWQZiPl8u5bq0xdyJGybOqSX4EUVnE0l2xH5NCNrO77leB6I/y/eNU9riOyStag+Q5VPTpgf
 mS6HSUsaNKKihcSluQN5TJ6Dt+dCYI4eWD+7tq/995f+rbKnqnhIEoU9TYMFMGUrucHG2h4FYqT+c
 vaR64BWbvo6VAXMsQ4uMhqBPyxF5j0AkxrGX/oqvEQKlodDxyzOhFxJHT7QpMzpyac7QZ+M7Tc1KZ
 R22Hb6onELQ1wg==;
From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
In-Reply-To: <87frwwo1mo.fsf@gnu.org> ("Ludovic =?utf-8?q?Court=C3=A8s?= "'s
 message of "Mon, 11 Mar 2024 23:16:31 +0100")
References: 
 <f541e64f128d82e6d9eca3b1d40e833dc06fd968.1710154382.git.ludo@gnu.org>
 <87frwwo1mo.fsf@gnu.org>
Date: Tue, 12 Mar 2024 14:31:00 +0100
Message-ID: <87ttlblgq3.fsf_-_@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches