[Nix-dev] Bash CVE-2014-6271

Ricardo M. Correia rcorreia at wizy.org
Thu Sep 25 15:41:51 CEST 2014


On Wed, Sep 24, 2014 at 11:34 PM, Peter Simons <simons at cryp.to> wrote:

> If you are worried about Bash CVE-2014-6271 (you should) and don't want
> to wait for Hydra to re-build the world, then check out
>
>   https://github.com/NixOS/nixpkgs/pull/4257#issuecomment-56727114
>
> to see how to replace the bash binary in your running system without
> triggering re-builds.
>

This does appear to work (thanks!), but I'm having some issues with it.

Namely, when I run "nixos-rebuild dry-run" on my laptop, instead of taking
3 seconds to finish, now it takes more than 65 minutes (!). It seems to be
CPU-bound during the whole time. Also, take into account that my laptop has a
relatively fast CPU - a quad-core i7.

My Hydra server also took around 65 minutes to evaluate the expressions of
the 4 machines in my network (I believe usually it doesn't take more than a
couple of minutes).

On my laptop, this is the process which seems to be taking 100% CPU during
the whole time:

root     16031 83.6  5.8 507344 471848 pts/1   R+   14:16  49:29
/nix/store/fxik1nhqc4dkb72wl5cgb4fxxxlcrlfz-nix-1.7/bin/nix-instantiate
--add-root /tmp/nix-build.jHT5_9/derivation --indirect -A system
<nixpkgs/nixos>

I know this feature is just a temporary workaround, but it's also a bad
user experience. From a user perspective, it seemed like the process simply
got stuck in an infinite loop.
In contrast, compare this to apt-get, which doesn't take more than a couple
of minutes to install a security fix...

Also, I'm not sure if this is expected, but when I first tried to run
"nixos-rebuild dry-run" with this workaround applied, it started to
download and compile bash even though the man page of nixos-rebuild
specifically says:

       dry-run
           Simply show what store paths would be built or downloaded by any
of the operations above.

Still, thanks for this feature because even though it's slow, it's still a
lot better than waiting for everything to rebuild!
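As an added example (not from this thread or from the nixpkgs PR it links to): a small POSIX shell check a practitioner would run after applying the workaround, to confirm that the bash the running system resolves to is really the replaced store path and no longer imports a trailing command from an environment variable (the CVE-2014-6271 defect). The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original message.
# Resolve the store path behind a bash binary. On NixOS, /run/current-system
# and PATH entries are symlinks into /nix/store, so this shows which build of
# bash processes actually execute after the in-place replacement.
resolve_bash_store_path() {
  readlink -f "${1:-$(command -v bash)}"
}

# Canonical self-test for CVE-2014-6271: export a variable whose value looks
# like a function definition followed by an extra command. A patched bash
# imports only the function (or refuses it); an unpatched one also runs the
# trailing command, so the marker shows up in the child's output.
# Returns 0 = patched, 1 = vulnerable, 2 = no usable binary at that path.
check_bash_cve_2014_6271() {
  bash_bin=${1:-$(command -v bash)}
  if [ ! -x "$bash_bin" ]; then
    echo "no executable bash at '$bash_bin'" >&2
    return 2
  fi
  out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case $out in
    *SHELLSHOCK_MARKER*)
      echo "$bash_bin ($(resolve_bash_store_path "$bash_bin")): VULNERABLE"
      return 1 ;;
    *)
      echo "$bash_bin ($(resolve_bash_store_path "$bash_bin")): patched"
      return 0 ;;
  esac
}
```

Run `check_bash_cve_2014_6271 /run/current-system/sw/bin/bash` on NixOS (and on any other bash you find on PATH) to verify the replacement; a non-zero exit means the workaround did not reach that binary.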