libgit2 1.4.3 directory owner validation breaks Guix

  • Open
4 participants
  • Ludovic Courtès
  • Maxim Cournoyer
  • Maxime Devos
  • André Batista
Owner
unassigned
Submitted by
André Batista
Severity
important
André Batista wrote on 13 May 2022 17:21
guix system reconfigure fails on channel validation
(address . bug-guix@gnu.org)
Yn53d4GR+kohZh/b@andel
Hello Guix!

Recently, I've not been able to reconfigure some of my guix systems
because guix fails to forward validate the commits in between the
current system deployment and the newer one. This appears to be
related to the new libgit2 version 1.4.3[1][2], which addressed CVE
2022-24765, since there was no change to the related guix routines
on the time lapse since the last deploy.

This is the error I'm getting:

$ sudo guix system --fallback -c 3 -M 3 reconfigure myconfig.scm
Backtrace:
19 (primitive-load "/home/user/.config/guix/current/bin/g?")
In guix/ui.scm:
2230:7 18 (run-guix . _)
2193:10 17 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1752:10 16 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
829:3 15 (_)
809:4 14 (call-with-status-report _ _)
In guix/scripts/system.scm:
1253:4 13 (_)
In ice-9/boot-9.scm:
1752:10 12 (with-exception-handler _ _ #:unwind? _ # _)
In guix/store.scm:
658:37 11 (thunk)
1320:8 10 (call-with-build-handler #<procedure b445f18 at guix/u?> ?)
2129:25 9 (run-with-store #<store-connection 256.99 b0934d8> _ # _ ?)
In guix/scripts/system.scm:
1277:15 8 (_ _)
819:5 7 (perform-action reconfigure #<<image> name: #f format:?> ?)
In guix/scripts/system/reconfigure.scm:
345:3 6 (check-forward-update _ #:current-channels _)
In srfi/srfi-1.scm:
691:23 5 (filter-map #<procedure ba4c460 at guix/scripts/syst?> . #)
In guix/scripts/system/reconfigure.scm:
352:37 4 (_ #<<channel> name: guix url: "/src/guix.git" branch: ?>)
In guix/git.scm:
469:7 3 (update-cached-checkout _ #:ref _ #:recursive? _ # _ # _ ?)
In git/bindings.scm:
77:2 2 (raise-git-error _)
In ice-9/boot-9.scm:
1685:16 1 (raise-exception _ #:continuable? _)
1685:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
Git error: repository path '/src/guix.git/' is not owned by current user


-----

And these are the commits being compared:

$ guix system describe
Generation 214 May 06 2022 22:47:43 (current)
file name: /var/guix/profiles/system-214-link
canonical file name: /gnu/store/b0wrzz8sxqi9hywpqz29cm73l9adxjy9-system
label: GNU with Linux-Libre-Atom 5.17.5
bootloader: grub
root device: label: "rootfs"
kernel: /gnu/store/xmdskyk85sypr4wgf5iwg5iid08l4aiq-linux-libre-atom-5.17.5/bzImage
channels:
guix:
repository URL: /src/guix.git
branch: master
commit: ee70ed5bf50e781a6a43985211aa763e28db62b9
configuration file: /gnu/store/g653hksfz0iwnbpynaq2mx4nv7ayb7r7-configuration.scm


$ guix describe
Generation 200 May 12 2022 13:48:01 (current)
guix a1cb645
repository URL: /src/guix.git
branch: master
commit: a1cb645d83d085382eaf64f4c097642aa47c297a

Any thoughts?

Maxime Devos wrote on 13 May 2022 17:26
1f9a73621562c5fe96a0d254aef893f95ab33ff0.camel@telenet.be
André Batista wrote on Fri 13-05-2022 at 12:21 [-0300]:
> Any thoughts?

For now, let 'guile-git' use the libgit2-1.3 variant, look into
relaxing the ‘is owned by’ check later?

Greetings,
Maxime


Maxime Devos wrote on 13 May 2022 17:28
c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be
André Batista schreef op vr 13-05-2022 om 12:21 [-0300]:
> Any thoughts?

According to
<https://github.com/libgit2/libgit2/pull/6267/commits/574b5ee7bb112987443916cdedcfc8e274121e9d>,
the ownership check can be relaxed by setting an option. The guile-
git library would need to be adjusted to support the option though.

Greetings,
Maxime.


André Batista wrote on 18 May 2022 19:38
Re: bug#55399: Temporary fix
(name . Maxime Devos)(address . maximedevos@telenet.be)(address . 55399@debbugs.gnu.org)
YoUvHJ24iYDBrO9v@andel
Hi Maxime!

Fri 13 May 2022 at 17:28:29 (1652473709), maximedevos@telenet.be sent:
> André Batista wrote on Fri 13-05-2022 at 12:21 [-0300]:
> > Any thoughts?
>
> According to
> <https://github.com/libgit2/libgit2/pull/6267/commits/574b5ee7bb112987443916cdedcfc8e274121e9d>,
> the ownership check can be relaxed by setting an option. The guile-
> git library would need to be adjusted to support the option though.

Thanks for your pointers. I've only had a substitute* hammer and this
certainly seemed like a loose nail, so I've hammered my way through.

The patch below addresses the issue on the Guix side only, and it was
applied/tested locally before b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab.
So this later commit would need to be reverted, otherwise guix will
not use the new libgit2 v1.4.3 anyway.

Anyway, the proper thing to do is to update guile-git, so I'll be
opening an issue there.

Happy hacking!
From 370bf9bec714747244da00a7fd793da04c49c523 Mon Sep 17 00:00:00 2001
In-Reply-To: <c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be>
References: <c5a0381129feb0a20c4642ca97409e967471a537.camel@telenet.be>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Tue, 17 May 2022 19:18:49 -0300
Subject: [PATCH] guix/git: Disable owner validation when updating cache.
To: 55399@debbugs.gnu.org
Cc: maximedevos@telenet.be

---
gnu/packages/guile.scm | 40 +++++++++++++++++++++++++++++++++++++++-
guix/git.scm | 3 +++
2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 9d58c8d4cd..b120f3eefe 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -816,6 +816,44 @@ (define-public guile-git
(sha256
(base32
"11a51acibwi2hpaygmrpn6nwbr4lqalc87ihrgj3mhz6swbsk9n7"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ (substitute* "git/settings.scm"
+ (("set-user-agent!))")
+ (string-append "set-user-agent!\n"
+ " set-owner-validation!))"))
+ (("GIT_OPT_ENABLE_STRICT_OBJECT_CREATION 14)" m)
+ (string-append m "\n" "(define GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION 15)"))
+
+ (("(GIT_OPT_SET_SSL_CIPHERS).*" _ m)
+ (string-append m " 16)\n"))
+
+ (("(GIT_OPT_GET_USER_AGENT).*" _ m)
+ (string-append m " 17)\n"
+ "(define GIT_OPT_ENABLE_OFS_DELTA 18)\n"
+ "(define GIT_OPT_ENABLE_FSYNC_GITDIR 19)\n"
+ "(define GIT_OPT_GET_WINDOWS_SHAREMODE 20)\n"
+ "(define GIT_OPT_SET_WINDOWS_SHAREMODE 21)\n"
+ "(define GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION 22)\n"
+ "(define GIT_OPT_SET_ALLOCATOR 23)\n"
+ "(define GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY 24)\n"
+ "(define GIT_OPT_GET_PACK_MAX_OBJECTS 25)\n"
+ "(define GIT_OPT_SET_PACK_MAX_OBJECTS 26)\n"
+ "(define GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS 27)\n"
+ "(define GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE 28)\n"
+ "(define GIT_OPT_GET_MWINDOW_FILE_LIMIT 29)\n"
+ "(define GIT_OPT_SET_MWINDOW_FILE_LIMIT 30)\n"
+ "(define GIT_OPT_SET_ODB_PACKED_PRIORITY 31)\n"
+ "(define GIT_OPT_SET_ODB_LOOSE_PRIORITY 32)\n"
+ "(define GIT_OPT_GET_EXTENSIONS 33)\n"
+ "(define GIT_OPT_SET_EXTENSIONS 34)\n"
+ "(define GIT_OPT_GET_OWNER_VALIDATION 35)\n"
+ "(define GIT_OPT_SET_OWNER_VALIDATION 36)\n\n"
+ "(define set-owner-validation!\n"
+ " (let ((proc (libgit2->procedure* \"git_libgit2_opts\" (list int int))))\n"
+ " (lambda* (owner-validation)\n"
+ " (proc GIT_OPT_SET_OWNER_VALIDATION owner-validation))))\n")))))
(patches (search-patches
"guile-git-adjust-for-libgit2-1.2.0.patch"))))
(build-system gnu-build-system)
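Review bot: the snippet rewrites guile-git's git/settings.scm with regular-expression substitutions, so `set-owner-validation!` only comes into existence if every pattern (`"set-user-agent!))"`, `"(GIT_OPT_GET_USER_AGENT).*"`, ...) still matches the tarball; a non-matching `substitute*` is silent, and `(guix git)` would then hit an unbound procedure at run time. A patch file under gnu/packages/patches/, like the `guile-git-adjust-for-libgit2-1.2.0.patch` already listed two lines below, fails loudly at build time instead. Minor: the generated `(lambda* (owner-validation) ...)` declares no optional or keyword arguments, so plain `lambda` suffices, and the procedure takes a raw 0/1 integer where a boolean would follow Guile conventions.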
diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..ced6a9c62c 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -23,6 +23,7 @@
(define-module (guix git)
#:use-module (git)
#:use-module (git object)
+ #:use-module (git settings)
#:use-module (git submodule)
#:use-module (guix i18n)
#:use-module (guix base32)
@@ -463,6 +464,8 @@ (define canonical-ref
(repository (if cache-exists?
(repository-open cache-directory)
(clone/swh-fallback url ref cache-directory))))
+ ;; Disable owner validation for local repos see #55399
+ (set-owner-validation! 0)
;; Only fetch remote if it has not been cloned just before.
(when (and cache-exists?
(not (reference-available? repository ref)))
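Review bot: `(set-owner-validation! 0)` changes a process-wide libgit2 option from inside `update-cached-checkout` and nothing re-enables it, so every later libgit2 call in the same process runs with owner validation off, not only the cached-checkout update this comment describes; either restore the previous value after the checkout work or move the call to where libgit2 is initialised. The comment says "for local repos", but the call is unconditional and applies to remote URLs too, and it needs a period before "see #55399".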
Ludovic Courtès wrote on 23 May 2022 16:18
Re: bug#55399: guix system reconfigure fails on channel validation
(name . André Batista)(address . nandre@riseup.net)
87a6b85o37.fsf_-_@gnu.org
Hi André,

André Batista <nandre@riseup.net> skribis:

> Anyway, the proper think to do is to update guile-git, so I'll be
> opening an issue there.

Yes please! You pretty much already have the code, so we could put
together a new Guile-Git release instead of carrying these modifications
in Guix proper.

(For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

Thanks!

Ludo’.
Ludovic Courtès wrote on 23 May 2022 16:20
control message for bug #55399
(address . control@debbugs.gnu.org)
878rqs5o0m.fsf@gnu.org
retitle 55399 libgit2 1.4.3 directory owner validation breaks Guix
quit
Ludovic Courtès wrote on 23 May 2022 16:20
(address . control@debbugs.gnu.org)
877d6c5o0h.fsf@gnu.org
severity 55399 important
quit
André Batista wrote on 24 May 2022 03:44
Re: bug#55399: guix system reconfigure fails on channel validation
(name . Ludovic Courtès)(address . ludo@gnu.org)
Yow4dwnY1SdpL3qm@andel
Hi!

Mon 23 May 2022 at 16:18:52 (1653333532), ludo@gnu.org sent:
> Yes please! You pretty much already have the code, so we could put
> together a new Guile-Git release instead of carrying these modifications
> in Guix proper.

André Batista wrote on 25 May 2022 01:44
(name . Ludovic Courtès)(address . ludo@gnu.org)
Yo1tzQLys4R8aAyA@andel
Hi again,

Mon 23 May 2022 at 16:18:52 (1653333532), ludo@gnu.org sent:
> ...
> (For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
> Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)

After upgrading guile-git, the attached patches disable owner
validation and revert the above commit, which made Guix's guile-git
depend on libgit2 1.3 instead of the latest.

Cheers!
From f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001
In-Reply-To: <87a6b85o37.fsf_-_@gnu.org>
References: <87a6b85o37.fsf_-_@gnu.org>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
To: 55399@debbugs.gnu.org
Date: Tue, 24 May 2022 19:38:17 -0300
Subject: [PATCH] guix: Disable owner validation when updating cached checkout

* guix/git.scm (update-cached-checkout): Disable owner validation
checks.
---
guix/git.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..d5e12188a2 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2021 Kyle Meyer <kyle@kyleam.com>
;;; Copyright © 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2022 Maxime Devos <maximedevos@telenet.be>
+;;; Copyright © 2022 André Batista <nandre@riseup.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,6 +24,7 @@
(define-module (guix git)
#:use-module (git)
#:use-module (git object)
+ #:use-module (git settings)
#:use-module (git submodule)
#:use-module (guix i18n)
#:use-module (guix base32)
@@ -463,6 +465,8 @@ (define canonical-ref
(repository (if cache-exists?
(repository-open cache-directory)
(clone/swh-fallback url ref cache-directory))))
+ ;; Disable owner validation. See <https://issues.guix.gnu.org/55399>.
+ (set-owner-validation! #f)
;; Only fetch remote if it has not been cloned just before.
(when (and cache-exists?
(not (reference-available? repository ref)))
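Review bot: `(set-owner-validation! #f)` is still a global libgit2 setting made on every call to `update-cached-checkout`, with no matching re-enable, so the disabling outlives the checkout update (the later 1/2 patch in this thread moves it into `with-libgit2` for exactly that reason). It also runs before the `cache-exists?` fetch regardless of whether `url` is a local path, so it covers all channels, not only the local checkout from the report; if the intent is narrower, restore the setting after the work, or at least say in the comment that it is process-wide.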
--
2.36.0
From f9de10676c15a65d6df7e430efbb84cebb431ac9 Mon Sep 17 00:00:00 2001
In-Reply-To: <87a6b85o37.fsf_-_@gnu.org>
References: <87a6b85o37.fsf_-_@gnu.org>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
To: 55399@debbugs.gnu.org
Date: Tue, 24 May 2022 19:38:18 -0300
Subject: [PATCH] gnu: guile-git: Use latest libgit2

* gnu/packages/guile.scm (guile-git) [inputs]: Use latest libgit2.
Reverts commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab.
---
gnu/packages/guile.scm | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index a9e04cb476..138fb4d6bc 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -833,9 +833,7 @@ (define-public guile-git
(native-inputs
(list pkg-config autoconf automake texinfo guile-3.0 guile-bytestructures))
(inputs
- ;; libgit2@1.4.3 ‘fixed’ a git CVE it never shared, breaking Guix. Use
- ;; 1.3 for now; see <https://issues.guix.gnu.org/55399> for alternatives.
- (list guile-3.0 libgit2-1.3))
+ (list guile-3.0 libgit2))
(propagated-inputs
(list guile-bytestructures))
(synopsis "Guile bindings for libgit2")
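Review bot: switching the input back to `libgit2` has to land in the same commit as the `set-owner-validation!` call in guix/git.scm and the guile-git update that provides that procedure; applied on its own, this hunk reintroduces the "repository path ... is not owned by current user" failure from the report for local channels, and with an older guile-git `set-owner-validation!` is unbound when `update-cached-checkout` reaches it. The removed comment was the only pointer from this package to <https://issues.guix.gnu.org/55399>; keep a one-line reference so the next reader knows why the version matters.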


Maxim Cournoyer wrote on 9 Jun 2022 22:51
control message for bug #55399
(address . control@debbugs.gnu.org)
878rq5imri.fsf@gmail.com
tags 55399 + patch
quit
Maxime Devos wrote on 28 Aug 2022 12:44
Re: guix system reconfigure fails on channel validation
c778d6b6-d93e-a62a-e771-74ac413851bd@telenet.be
I'm preparing a _complete_ set of patches to Guix to fix this, I'll send
them once tested.
Greetings,
Maxime.
Maxime Devos wrote on 28 Aug 2022 12:58
[PATCH 2/2] gnu: guile-git: Add patches to support owner validation, and use libgit2@1.4.3.
(address . 55399@debbugs.gnu.org)(name . Maxime Devos)(address . maximedevos@telenet.be)
20220828105827.26161-2-maximedevos@telenet.be
These two changes have to be done at the same time -- if the libgit2
dependency is updated first, then we would have a commit during which
"guix pull" is broken when using local channels (see:
https://issues.guix.gnu.org/55399). And if the patches are added first,
then the build of guile-git breaks because the tests assume a new libgit2.

Together with the previous commit, this fixes

Tested with (first step):

$ ./pre-inst-env guix pull --url=$PWD
--commit=b22ddb51d8dfa4ab7f683c99ffc1fa6f44e0dc6b
--profile=../guix-with-libgit2 --disable-authentication
--channels=../channels.scm

where b22ddb51d8dfa4ab7f683c99ffc1fa6f44e0dc6b is the commit after applying
these two patches. Make sure to only put the Guix channel in ../channels.scm,
because of --disable-authentication. This builds a Guix that uses the new
libgit2 and patched guile-git. Then, it is tested that pulling still works
from a local checkout:

$ ../guix-with-libgit2/bin/guix pull --url=$PWD
--commit=c3d9ddbf3d34b58261ab9e03c794f5fbad34142d --channels=../channels.scm
--disable-authentication -p../another-guix

where c3d9ddbf3d34b58261ab9e03c794f5fbad34142d is a commit that hasn't been
seen before by the "guix pull" machinery.

* gnu/packages/patches/guile-git-fix-git-opt.patch: New patch.
* gnu/packages/patches/guile-git-set-owner-validation.patch: New patch.
* gnu/packages/patches/guile-git-test-owner-validation.patch: New patch.
* gnu/packages/guile.scm (guile-git)[source]{patches}: Add new patches.
* gnu/local.mk (dist_patch_DATA): Register new patches.
---
gnu/local.mk | 3 +
gnu/packages/guile.scm | 15 +-
.../patches/guile-git-fix-git-opt.patch | 57 +++++++
.../guile-git-set-owner-validation.patch | 41 +++++
.../guile-git-test-owner-validation.patch | 153 ++++++++++++++++++
5 files changed, 264 insertions(+), 5 deletions(-)
create mode 100644 gnu/packages/patches/guile-git-fix-git-opt.patch
create mode 100644 gnu/packages/patches/guile-git-set-owner-validation.patch
create mode 100644 gnu/packages/patches/guile-git-test-owner-validation.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 412d512775..081f240157 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1244,6 +1244,9 @@ dist_patch_DATA = \
%D%/packages/patches/guile-fibers-wait-for-io-readiness.patch \
%D%/packages/patches/guile-gdbm-ffi-support-gdbm-1.14.patch \
%D%/packages/patches/guile-git-adjust-for-libgit2-1.2.0.patch \
+ %D%/packages/patches/guile-git-fix-git-opt.patch \
+ %D%/packages/patches/guile-git-set-owner-validation.patch \
+ %D%/packages/patches/guile-git-test-owner-validation.patch \
%D%/packages/patches/guile-present-coding.patch \
%D%/packages/patches/guile-rsvg-pkgconfig.patch \
%D%/packages/patches/guile-emacs-fix-configure.patch \
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index d320763a61..87b35e2db2 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -16,7 +16,7 @@
;;; Copyright © 2018 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2019 Taylan Kammer <taylan.kammer@gmail.com>
;;; Copyright © 2020, 2021, 2022 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
+;;; Copyright © 2021, 2022 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Timothy Sample <samplet@ngyro.com>
;;;
;;; This file is part of GNU Guix.
@@ -817,7 +817,14 @@ (define-public guile-git
(base32
"11a51acibwi2hpaygmrpn6nwbr4lqalc87ihrgj3mhz6swbsk9n7"))
(patches (search-patches
- "guile-git-adjust-for-libgit2-1.2.0.patch"))))
+ "guile-git-adjust-for-libgit2-1.2.0.patch"
+ ;; These three patches from
+ ;; <https://gitlab.com/guile-git/guile-git/-/issues/26>
+ ;; together add procedures to disable/enable owner validation,
+ ;; which is required for fixing <https://issues.guix.gnu.org/55399>.
+ "guile-git-fix-git-opt.patch"
+ "guile-git-set-owner-validation.patch"
+ "guile-git-test-owner-validation.patch"))))
(build-system gnu-build-system)
(arguments
`(#:make-flags '("GUILE_AUTO_COMPILE=0") ; to prevent guild warnings
@@ -833,9 +840,7 @@ (define-public guile-git
(native-inputs
(list pkg-config autoconf automake texinfo guile-3.0 guile-bytestructures))
(inputs
- ;; libgit2@1.4.3 ‘fixed’ a git CVE it never shared, breaking Guix. Use
- ;; 1.3 for now; see <https://issues.guix.gnu.org/55399> for alternatives.
- (list guile-3.0 libgit2-1.3))
+ (list guile-3.0 libgit2))
(propagated-inputs
(list guile-bytestructures))
(synopsis "Guile bindings for libgit2")
diff --git a/gnu/packages/patches/guile-git-fix-git-opt.patch b/gnu/packages/patches/guile-git-fix-git-opt.patch
new file mode 100644
index 0000000000..050c72818a
--- /dev/null
+++ b/gnu/packages/patches/guile-git-fix-git-opt.patch
@@ -0,0 +1,57 @@
+From 99054837c6616e06c48c944094114ae8c9b628f3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
+Date: Thu, 19 May 2022 09:35:25 -0300
+To: incoming+guile-git-guile-git-1792500-1ffl9ys3eg9dz7xscimedvf7n-merge-request@incoming.gitlab.com
+Subject: Update GIT_OPT definitions to match upstream enum
+
+* git/settings.scm: Update definitions to match libgit2 v. 1.4.3.
+
+---
+ git/settings.scm | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/git/settings.scm b/git/settings.scm
+index 83e2483..4621f43 100644
+--- a/git/settings.scm
++++ b/git/settings.scm
+@@ -1,5 +1,6 @@
+ ;;; Guile-Git --- GNU Guile bindings of libgit2
+ ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
++;;; Copyright © 2022 André Batista <nandre@riseup.net>
+ ;;;
+ ;;; This file is part of Guile-Git.
+ ;;;
+@@ -38,8 +39,28 @@
+ (define GIT_OPT_SET_SSL_CERT_LOCATIONS 12)
+ (define GIT_OPT_SET_USER_AGENT 13)
+ (define GIT_OPT_ENABLE_STRICT_OBJECT_CREATION 14)
+-(define GIT_OPT_SET_SSL_CIPHERS 15)
+-(define GIT_OPT_GET_USER_AGENT 16)
++(define GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION 15)
++(define GIT_OPT_SET_SSL_CIPHERS 16)
++(define GIT_OPT_GET_USER_AGENT 17)
++(define GIT_OPT_ENABLE_OFS_DELTA 18)
++(define GIT_OPT_ENABLE_FSYNC_GITDIR 19)
++(define GIT_OPT_GET_WINDOWS_SHAREMODE 20)
++(define GIT_OPT_SET_WINDOWS_SHAREMODE 21)
++(define GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION 22)
++(define GIT_OPT_SET_ALLOCATOR 23)
++(define GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY 24)
++(define GIT_OPT_GET_PACK_MAX_OBJECTS 25)
++(define GIT_OPT_SET_PACK_MAX_OBJECTS 26)
++(define GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS 27)
++(define GIT_OPT_ENABLE_HTTP_EXPECT_CONTINUE 28)
++(define GIT_OPT_GET_MWINDOW_FILE_LIMIT 29)
++(define GIT_OPT_SET_MWINDOW_FILE_LIMIT 30)
++(define GIT_OPT_SET_ODB_PACKED_PRIORITY 31)
++(define GIT_OPT_SET_ODB_LOOSE_PRIORITY 32)
++(define GIT_OPT_GET_EXTENSIONS 33)
++(define GIT_OPT_SET_EXTENSIONS 34)
++(define GIT_OPT_GET_OWNER_VALIDATION 35)
++(define GIT_OPT_SET_OWNER_VALIDATION 36)
+
+ (define set-tls-certificate-locations!
+ (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '* '*))))
+--
+2.36.0
+
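Review bot: this hunk does not only add constants, it changes two existing ones (`GIT_OPT_SET_SSL_CIPHERS` 15 to 16, `GIT_OPT_GET_USER_AGENT` 16 to 17); since libgit2 appends to `git_libgit2_opt_t` rather than renumbering it, the old values were stale, and any caller that used them selected a different libgit2 option. That deserves a sentence in the commit message ("Update definitions to match libgit2 v. 1.4.3" reads like pure additions). The values are hand-copied from <git2/common.h>, so a comment next to the `(define GIT_OPT_...` block naming the libgit2 version they were checked against would help the next sync.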
diff --git a/gnu/packages/patches/guile-git-set-owner-validation.patch b/gnu/packages/patches/guile-git-set-owner-validation.patch
new file mode 100644
index 0000000000..becef644ad
--- /dev/null
+++ b/gnu/packages/patches/guile-git-set-owner-validation.patch
@@ -0,0 +1,41 @@
+From 88091a17f8276b03c95837b422adf5b0b7eda79e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
+Date: Thu, 19 May 2022 09:47:36 -0300
+Subject: [PATCH] settings: Add 'set-owner-validation!'.
+To: guile-git@gitlab.com
+
+* git/settings.scm: (set-owner-validation!): New procedure.
+---
+ git/settings.scm | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/git/settings.scm b/git/settings.scm
+index 4621f43..f6857d5 100644
+--- a/git/settings.scm
++++ b/git/settings.scm
+@@ -20,7 +20,8 @@
+ (define-module (git settings)
+ #:use-module (system foreign)
+ #:use-module (git bindings)
+- #:export (set-tls-certificate-locations!
++ #:export (set-owner-validation!
++ set-tls-certificate-locations!
+ set-user-agent!))
+
+ ;; 'git_libgit2_opt_t' enum defined in <git2/common.h>.
+@@ -62,6 +63,12 @@
+ (define GIT_OPT_GET_OWNER_VALIDATION 35)
+ (define GIT_OPT_SET_OWNER_VALIDATION 36)
+
++(define set-owner-validation!
++ (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int int))))
++ (lambda (owner-validation)
++ "Boolean: enable/disable owner validation checks. See CVE 2022-24765."
++ (proc GIT_OPT_SET_OWNER_VALIDATION (if owner-validation 1 0)))))
++
+ (define set-tls-certificate-locations!
+ (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '* '*))))
+ (lambda* (directory #:optional file)
+--
+2.36.0
+
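Review bot: the docstring of `set-owner-validation!` should state that the setting is process-global (it goes through `git_libgit2_opts`, not through a repository handle), because callers such as Guix's `update-cached-checkout` in the earlier patches of this thread treated it as if it were scoped to one operation. Something like "Enable or disable owner validation for all repositories opened by this process. See CVE-2022-24765." would make the contract explicit.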
diff --git a/gnu/packages/patches/guile-git-test-owner-validation.patch b/gnu/packages/patches/guile-git-test-owner-validation.patch
new file mode 100644
index 0000000000..3ef2fa3557
--- /dev/null
+++ b/gnu/packages/patches/guile-git-test-owner-validation.patch
@@ -0,0 +1,153 @@
+From 4a2a6d3723afc05b93edfe430c7f95abbe6db021 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
+Date: Tue, 14 Jun 2022 23:00:07 -0300
+Subject: [PATCH] settings: Add 'owner-validation?'.
+To: guile-git@gitlab.com
+
+* git/settings.scm: (owner-validation?): New procedure.
+* tests/settings.scm: Add owner-validation? tests.
+---
+ Makefile.am | 1 +
+ git/settings.scm | 13 ++++++++++++-
+ git/types.scm | 11 +++++++++++
+ tests/settings.scm | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 69 insertions(+), 1 deletion(-)
+ create mode 100644 tests/settings.scm
+
+diff --git a/Makefile.am b/Makefile.am
+index 0f92d4c..033033d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -95,6 +95,7 @@ TESTS = \
+ tests/remote.scm \
+ tests/rev-parse.scm \
+ tests/status.scm \
++ tests/settings.scm \
+ tests/submodule.scm \
+ tests/tag.scm \
+ tests/tree.scm
+diff --git a/git/settings.scm b/git/settings.scm
+index 5022945..582f519 100644
+--- a/git/settings.scm
++++ b/git/settings.scm
+@@ -1,6 +1,7 @@
+ ;;; Guile-Git --- GNU Guile bindings of libgit2
+ ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
+ ;;; Copyright © 2022 André Batista <nandre@riseup.net>
++;;; Copyright © 2022 Maxime Devos <maximedevos@telenet.be>
+ ;;;
+ ;;; This file is part of Guile-Git.
+ ;;;
+@@ -20,7 +21,9 @@
+ (define-module (git settings)
+ #:use-module (system foreign)
+ #:use-module (git bindings)
+- #:export (set-owner-validation!
++ #:use-module (git types)
++ #:export (owner-validation?
++ set-owner-validation!
+ set-tls-certificate-locations!
+ set-user-agent!))
+
+@@ -63,6 +66,14 @@
+ (define GIT_OPT_GET_OWNER_VALIDATION 35)
+ (define GIT_OPT_SET_OWNER_VALIDATION 36)
+
++(define owner-validation?
++ (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int '*))))
++ (lambda ()
++ "Boolean: Return owner validation setting."
++ (let ((out (make-int-pointer)))
++ (proc GIT_OPT_GET_OWNER_VALIDATION out)
++ (if (equal? (pointer->int out) 0) #f #t)))))
++
+ (define set-owner-validation!
+ (let ((proc (libgit2->procedure* "git_libgit2_opts" (list int int))))
+ (lambda (owner-validation)
+diff --git a/git/types.scm b/git/types.scm
+index 3503ccf..7609a8a 100644
+--- a/git/types.scm
++++ b/git/types.scm
+@@ -46,7 +46,9 @@
+ tree? pointer->tree tree->pointer
+ tree-entry? pointer->tree-entry tree-entry->pointer
+ submodule? pointer->submodule submodule->pointer
++ pointer->int
+ pointer->size_t
++ make-int-pointer
+ make-size_t-pointer
+ make-double-pointer))
+
+@@ -102,9 +104,18 @@
+ (define (make-double-pointer)
+ (bytevector->pointer (make-bytevector (sizeof '*))))
+
++(define (make-int-pointer)
++ (bytevector->pointer (make-bytevector (sizeof int))))
++
+ (define (make-size_t-pointer)
+ (bytevector->pointer (make-bytevector (sizeof size_t))))
+
++(define (pointer->int ptr)
++ (bytevector-sint-ref (pointer->bytevector ptr (sizeof int))
++ 0
++ (native-endianness)
++ (sizeof int)))
++
+ (define (pointer->size_t ptr)
+ (bytevector-uint-ref (pointer->bytevector ptr (sizeof size_t))
+ 0
+diff --git a/tests/settings.scm b/tests/settings.scm
+new file mode 100644
+index 0000000..a82c5ca
+--- /dev/null
++++ b/tests/settings.scm
+@@ -0,0 +1,45 @@
++;;; Guile-Git --- GNU Guile bindings of libgit2
++;;; Copyright © 2022 André Batista <nandre@riseup.net>
++;;;
++;;; This file is part of Guile-Git.
++;;;
++;;; Guile-Git is free software; you can redistribute it and/or modify it
++;;; under the terms of the GNU General Public License as published by
++;;; the Free Software Foundation; either version 3 of the License, or
++;;; (at your option) any later version.
++;;;
++;;; Guile-Git is distributed in the hope that it will be useful, but
++;;; WITHOUT ANY WARRANTY; without even the implied warranty of
++;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++;;; General Public License for more details.
++;;;
++;;; You should have received a copy of the GNU General Public License
++;;; along with Guile-Git. If not, see <http://www.gnu.org/licenses/>.
++
++(define-module (tests settings)
++ #:use-module (srfi srfi-64))
++
++(use-modules (tests helpers))
++(use-modules (git))
++
++(test-begin "settings")
++
++(libgit2-init!)
++
++(with-repository "simple" directory
++
++ (test-equal "disable owner validation"
++ #f
++ ((lambda ()
++ (set-owner-validation! #f)
++ (owner-validation?))))
++
++ (test-equal "enable owner validation"
++ #t
++ ((lambda ()
++ (set-owner-validation! #t)
++ (owner-validation?)))))
++
++(libgit2-shutdown!)
++
++(test-end)
+--
+2.36.0
+
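Review bot: tests/settings.scm only checks that `owner-validation?` echoes what `set-owner-validation!` stored; the `directory` bound by `(with-repository "simple" directory ...)` is never used, so neither case opens a repository, and the test would pass even if the option had no effect on `repository-open`. Either drop `with-repository` or add a case that opens `directory` with validation enabled and disabled. Style: `(if (equal? (pointer->int out) 0) #f #t)` is `(not (zero? (pointer->int out)))`, and the signed `bytevector-sint-ref` in `pointer->int`, unlike the unsigned `pointer->size_t` right below it, deserves a short comment on why (libgit2's getter writes a C `int`).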
--
2.37.1
Maxime Devos wrote on 28 Aug 2022 12:58
[PATCH 1/2] guix: Disable owner validation.
(address . 55399@debbugs.gnu.org)
20220828105827.26161-1-maximedevos@telenet.be
The original patch disabled it only when updating cached checkouts, but the
disabling persisted afterwards, making it stateful. To avoid statefulness, it
is disabled during with-libgit2 instead.

For compatibility with guile-git versions that do not yet have
set-owner-validation!, the setting is skipped when set-owner-validation! does
not exist.

* guix/git.scm (update-cached-checkout): Disable owner validation checks.

Co-Authored-By: André Batista <nandre@riseup.net>
---
guix/git.scm | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/guix/git.scm b/guix/git.scm
index 53e7219c8c..0fe6e65549 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2021 Kyle Meyer <kyle@kyleam.com>
;;; Copyright © 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2022 Maxime Devos <maximedevos@telenet.be>
+;;; Copyright © 2022 André Batista <nandre@riseup.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,6 +24,7 @@
(define-module (guix git)
#:use-module (git)
#:use-module (git object)
+ #:use-module (git settings)
#:use-module (git submodule)
#:use-module (guix i18n)
#:use-module (guix base32)
@@ -117,6 +119,16 @@ (define-syntax-rule (with-libgit2 thunk ...)
;; but pointer finalizers used in guile-git may be called after shutdown,
;; resulting in a segfault. Hence, let's skip shutdown call for now.
(libgit2-init!)
+ ;; libgit2@1.4.3 ‘fixed’ a git CVE it never shared, breaking some uses
+ ;; of Guix channels (see <https://issues.guix.gnu.org/55399>). Disable
+ ;; the owner validation that does not fit in the security model in Guix.
+ ;;
+ ;; For compatibility with old guile-git that do not have
+ ;; 'set-owner-validation!', do nothing if 'set-owner-validation!'
+ ;; does not exist.
+ ((catch 'unbound-variable
+ (lambda () set-owner-validation!)
+ (lambda _ identity)) #false)
(unless %certificates-initialized?
(honor-system-x509-certificates!)
(set! %certificates-initialized? #t))
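Review bot: the ChangeLog entry names `(update-cached-checkout)`, but the hunk modifies `with-libgit2`; update it to `* guix/git.scm (with-libgit2): Disable owner validation checks.` so the log matches the change. The `(catch 'unbound-variable (lambda () set-owner-validation!) (lambda _ identity))` fallback relies on a reference to a missing toplevel being compiled into a run-time lookup; it works, but it also silences a real typo in the name forever, so looking the symbol up explicitly with `(module-variable (resolve-interface '(git settings)) 'set-owner-validation!)` states the intent and only skips the call when the binding is genuinely absent. Minor: `#false` where the file spells booleans `#t`/`#f` two lines below.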

base-commit: d519305d83d08058e4def2c4d72fe62102d9599d
prerequisite-patch-id: 62949e6148bb8aae2f792aaf4d54f2a136351d28
prerequisite-patch-id: 72191ec47cb3876c5fcd6233880dea7dfc1b165f
prerequisite-patch-id: bbfd96d673e491ddd684e8270c90347547dceaa5
prerequisite-patch-id: fbdac7446d0c3f529f313f89cb9ba975d469d7ac
prerequisite-patch-id: d0a5804a92d868c5ee6726e6e0555a8af25e442c
--
2.37.1
Maxime Devos wrote on 28 Aug 2022 13:02
(address . 55399@debbugs.gnu.org)(name . André Batista)(address . nandre@riseup.net)
7db0f45d-b2ff-5ff9-691b-26775b0cf3c6@telenet.be
Oops, the test I did in the second test is bogus (I didn't test as root).
However, it appears that owner validation is properly disabled:
[inside the pulled guix]
> scheme@(guix-user)> ,m (guix git)
> scheme@(guix git)> (owner-validation?) --> #true
> scheme@(guix git)> (with-libgit2 (owner-validation?)) --> #false
Greetings,
Maxime.
André Batista wrote on 3 Feb 2023 04:48
Re: bug#55399: guix system reconfigure fails on channel validation
(name . Ludovic Courtès)(address . ludo@gnu.org)
Y9yEG1eXt74Qt2MB@andel
Hello,

Tue 24 May 2022 at 20:44:13 (1653435853), nandre@riseup.net sent:
> Mon 23 May 2022 at 16:18:52 (1653333532), ludo@gnu.org sent:
> > (For now commit b6bfe9ea6a1b19159455b34f1af4ac00ef9b94ab changes
> > Guile-Git in Guix to depend on libgit2 1.3 as a workaround.)
>
> After upgrading guile-git, the attached patches disables owner
> validation and reverts the above commit which made Guix's guile-git
> depend on libgit2 1.3 instead of latest.

#61246 has an alternative solution to this issue. Newer libgit2
versions check for safe.directory configuration entries in the user's
global scope. This means that instead of disabling owner validation
in guix code itself, users can exempt directories of their own
choosing. This is IMO a better solution and so the patches provided
here should be disregarded.

However, since libgit2 seems to have changed its API elsewhere after
1.3.x, I've avoided messing with guile-git inputs this time and so
it still depends on libgit2-1.3.

IMO, instead of upgrading libgit2 dependency and risk breaking
guile-git in unknown ways, we should work on revising guile-git's
conformance to later libgit2 versions (it's currently on 1.5.1).
Meaning not trying to apply the patches Maxime provided, but
working upstream.

WDYT?

Cheers!
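The owner-validation rule behind the "is not owned by current user" error, and the safe.directory exemption André points to, as an added example that is not code from this thread, from Guix or from guile-git: a Python model of the decision (the repository directory's owner must be the effective user, or the path must appear under safe.directory in the global git configuration), applied to the reported sudo scenario. The uids, the sample gitconfig text and the helper names are constructed for illustration.

```python
"""Model of the directory-owner validation behind the error in this thread.

Added example: not code from the bug thread, Guix or guile-git.  It models
the rule only (the owner of the repository directory must be the effective
user, or the path must be listed under safe.directory in the global git
configuration); uids and gitconfig text below are constructed samples.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Iterable, List


def parse_safe_directories(gitconfig: str) -> List[str]:
    """Return the safe.directory values found in a gitconfig text.

    A minimal INI-style walk: only 'directory = ...' keys inside a
    [safe] section count.  Trailing slashes are stripped so that
    '/src/guix.git/' and '/src/guix.git' compare equal; '*' is kept
    verbatim because git treats it as "exempt every directory".
    """
    entries: List[str] = []
    section = None
    for raw in gitconfig.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "safe" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "directory":
                entries.append(value if value == "*" else (value.rstrip("/") or "/"))
    return entries


@dataclass(frozen=True)
class OwnerCheck:
    """Outcome of validating one repository directory."""

    path: str
    owner_uid: int
    current_uid: int
    exempted: bool

    @property
    def trusted(self) -> bool:
        return self.owner_uid == self.current_uid or self.exempted

    def describe(self) -> str:
        if self.owner_uid == self.current_uid:
            return f"{self.path}: owned by the current user (uid {self.current_uid})"
        if self.exempted:
            return f"{self.path}: owned by uid {self.owner_uid}, exempted via safe.directory"
        return (f"{self.path}: owned by uid {self.owner_uid} but running as uid "
                f"{self.current_uid}; libgit2 refuses to open it (exempt it with "
                f"'git config --global --add safe.directory {self.path}')")


def validate_owner(path: str, owner_uid: int, current_uid: int,
                   safe_dirs: Iterable[str]) -> OwnerCheck:
    """Apply the ownership rule to an already-known owner uid."""
    norm = path.rstrip("/") or "/"
    exempted = any(entry == "*" or entry == norm for entry in safe_dirs)
    return OwnerCheck(norm, owner_uid, current_uid, exempted)


def validate_real_path(path: str, gitconfig: str,
                       current_uid: int | None = None) -> OwnerCheck:
    """Apply the same rule to a directory that exists on disk."""
    uid = os.geteuid() if current_uid is None else current_uid
    return validate_owner(path, os.stat(path).st_uid, uid,
                          parse_safe_directories(gitconfig))


# Constructed scenario mirroring the report: /src/guix.git belongs to the
# unprivileged user (uid 1000 here) while 'sudo guix system reconfigure'
# drives libgit2 as root (uid 0).
SAMPLE_GITCONFIG = "[user]\n\tname = example\n"
SAMPLE_GITCONFIG_EXEMPT = SAMPLE_GITCONFIG + "[safe]\n\tdirectory = /src/guix.git\n"


def demo() -> List[OwnerCheck]:
    """Evaluate the reported path: as root without and with an exemption, then as the owner."""
    return [
        validate_owner("/src/guix.git/", 1000, 0, parse_safe_directories(SAMPLE_GITCONFIG)),
        validate_owner("/src/guix.git/", 1000, 0, parse_safe_directories(SAMPLE_GITCONFIG_EXEMPT)),
        validate_owner("/src/guix.git/", 1000, 1000, []),
    ]


if __name__ == "__main__":
    for check in demo():
        print("OK  " if check.trusted else "FAIL", check.describe())
```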