8f4ffb3fae
This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.
Vulnerability discovered by puck <https://github.com/puckipedia>.
Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
Nix fix:
|
||
---|---|---|
.. | ||
boost | ||
libstore | ||
libutil | ||
nix-daemon | ||
.gitignore | ||
AUTHORS | ||
COPYING | ||
local.mk |