MichaelRaskin has quit [Read error: Connection reset by peer]
pie___ has joined #nixos-security
pie__ has quit [Ping timeout: 245 seconds]
ckauhaus has joined #nixos-security
periklis has joined #nixos-security
__Sander__ has joined #nixos-security
ekleog has quit [Quit: WeeChat 2.2]
ekleog has joined #nixos-security
pie_ has joined #nixos-security
<pie_> I had an idea, I'm not sure it's good, and I'm not sure how to implement it... : I want to add colored borders to my ssh terminals similar to how qubes adds borders around its VMs
periklis has quit [Ping timeout: 272 seconds]
periklis has joined #nixos-security
periklis has quit [Remote host closed the connection]
pietranera has joined #nixos-security
<pietranera> https://seclists.org/oss-sec/2019/q1/119 - CVE-2019-5736: runc container breakout (all versions)
<gchristensen> neat.
<gchristensen> I suspect we're not vulnerable
<Foxboron> gchristensen: I'm curious. How?
<gchristensen> "overwrite the host runc binary"
<gchristensen> nobody can overwrite nix store paths
<gchristensen> [root@Morbo:/home/grahamc]# echo "hi" > /nix/store/ij6wirzff9id7jr071p04w4nk6hksc3y-bash-interactive-4.4-p23/bin/bash
<Foxboron> I could maybe forward the POC if you want to be sure
<gchristensen> bash: /nix/store/ij6wirzff9id7jr071p04w4nk6hksc3y-bash-interactive-4.4-p23/bin/bash: Read-only file system
<gchristensen> sure
<gchristensen> I'll try it out :)
<Foxboron> gchristensen: gpg keyid?
<gchristensen> available here: https://nixos.org/nixos/security.html http://twitter.com/grhmc and over WKD at graham@grahamc.com
<Foxboron> thanks
* gchristensen excitedly awaits
<gchristensen> Foxboron: do you mind discussing some of this in a PM? obviously eliding specifics about what you sent me
<Foxboron> Um. Can try.
<pie_> "Several vendors have asked for exploit code to ensure that the patches actually solve the issue. Due to the severity of the issue (especially for public cloud vendors), we decided to provide the attached exploit code."
<pie_> It doesn't *look* like it's actually attached to the email, not sure how that works
<pietranera> yeah, I noticed that too.
<gchristensen> they likely sent the email elsewhere without the attached exploit
<pie_> that's my guess
<pietranera> > As per OpenWall rules, this exploit code will be published *publicly* 7 days after the CRD (which is 2019-02-18).
<{^_^}> error: syntax error, unexpected ',', expecting ')', at (string):218:22
<pietranera> sorry bot
andi- has quit [Ping timeout: 250 seconds]
andi- has joined #nixos-security
<Foxboron> pie_: No. It's not attached. It's the unedited embargo email. So the paragraph is there
<gchristensen> pretty sure NixOS is not vulnerable
<gchristensen> I can't conclusively say it is _not_, but I'm pretty sure it is not
<pietranera> The disclosure talks about "correct use of user namespaces", so I guess one could try to mitigate anyway?
__Sander__ has quit [Quit: Konversation terminated!]
qyliss_ has joined #nixos-security
qyliss has quit [Disconnected by services]
qyliss_ is now known as qyliss
ckauhaus_ has joined #nixos-security
primeos_ has joined #nixos-security
ckauhaus has quit [*.net *.split]
andi- has quit [*.net *.split]
primeos has quit [*.net *.split]
elvishjerricco has quit [*.net *.split]