#nixos-security on 2019-02-11

01:53 MichaelRaskin has quit [Read error: Connection reset by peer]

04:27 pie___ has joined #nixos-security

04:30 pie__ has quit [Ping timeout: 245 seconds]

07:35 ckauhaus has joined #nixos-security

07:41 periklis has joined #nixos-security

08:43 __Sander__ has joined #nixos-security

09:01 ekleog has quit [Quit: WeeChat 2.2]

09:31 ekleog has joined #nixos-security

13:00 pie_ has joined #nixos-security

13:01 <pie_> I had an idea, I'm not sure it's good, and I'm not sure how to implement it... : I want to add colored borders to my ssh terminals similar to how qubes adds borders around it's VMs

13:04 periklis has quit [Ping timeout: 272 seconds]

13:52 periklis has joined #nixos-security

14:14 periklis has quit [Remote host closed the connection]

14:32 pietranera has joined #nixos-security

14:32 <pietranera> https://seclists.org/oss-sec/2019/q1/119 - CVE-2019-5736: runc container breakout (all versions)

14:32 <gchristensen> neat.

14:33 <gchristensen> I suspect we're not vulnerable

14:33 <Foxboron> gchristensen: I'm curious. How?

14:33 <gchristensen> "overwrite the host runc binary"

14:33 <gchristensen> nobody can overwrite nix store paths

14:34 <gchristensen> [root@Morbo:/home/grahamc]# echo "hi" > /nix/store/ij6wirzff9id7jr071p04w4nk6hksc3y-bash-interactive-4.4-p23/bin/bash

14:34 <Foxboron> I could maybe forward the POC if you want to be sure

14:34 <gchristensen> bash: /nix/store/ij6wirzff9id7jr071p04w4nk6hksc3y-bash-interactive-4.4-p23/bin/bash: Read-only file system

14:34 <gchristensen> sure

14:34 <gchristensen> I'll try it out :)

14:35 <Foxboron> gchristensen: gpg keyid?

14:36 <gchristensen> available here: https://nixos.org/nixos/security.html http://twitter.com/grhmc and over WKD at graham@grahamc.com

14:36 <Foxboron> thanks

14:37 * gchristensen excitedly awaits

14:49 <gchristensen> Foxboron: do you mind discussing some of this in a PM? obviously eliding specifics about what you sent me

14:51 <Foxboron> Um. Can try.

15:03 <pie_> Idk but https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d looks pretty descriptive?

15:03 <pie_> "Several vendors have asked for exploit code to ensure that the patches actually solve the issue. Due to the severity of the issue (especially for public cloud vendors), we decided to provide the attached exploit code."

15:04 <pie_> It doesnt *look* like its actually attached to the email, not sure how that works

15:04 <pietranera> yeah, I noticed that too.

15:04 <gchristensen> they likely sent the email elsewhere without the attached exploit

15:05 <pie_> thats my guess

15:05 <pietranera> > As per OpenWall rules, this exploit code will be published *publicly* 7 days after the CRD (which is 2019-02-18).

15:05 <{^_^}> error: syntax error, unexpected ',', expecting ')', at (string):218:22

15:06 <pietranera> sorry bot

15:08 andi- has quit [Ping timeout: 250 seconds]

15:16 andi- has joined #nixos-security

15:21 <Foxboron> pie_: No. It's not attached. It's the unedited embargo email. So the paragraph is there

15:21 <gchristensen> pretty sure NixOS is not vulnerable

15:21 <gchristensen> I can't conclusively say it is _not_, but I'm pretty sure it is not

15:28 <pietranera> The disclosure talks about "correct use of user namespaces", so I guess one could try to mitigate anyway?

15:28 <gchristensen> https://twitter.com/justincormack/status/1094948273847181313

16:43 __Sander__ has quit [Quit: Konversation terminated!]

23:39 qyliss_ has joined #nixos-security

23:41 qyliss has quit [Disconnected by services]

23:41 qyliss_ is now known as qyliss

23:42 ckauhaus_ has joined #nixos-security

23:42 primeos_ has joined #nixos-security

23:46 ckauhaus has quit [*.net *.split]

23:46 andi- has quit [*.net *.split]

23:46 primeos has quit [*.net *.split]

23:46 elvishjerricco has quit [*.net *.split]