[Nix-dev] Bash CVE-2014-6271

Luca Bruno lethalman88 at gmail.com
Thu Sep 25 16:10:22 CEST 2014


On 25/09/2014 15:41, Ricardo M. Correia wrote:
>
> Namely, when I run "nixos-rebuild dry-run" on my laptop, instead of
> taking 3 seconds to finish, now it takes more than 65 minutes (!). It
> seems to be CPU-bound during the whole time. Also, take into account
> that my laptop has a relatively fast CPU - a quad-core i7.
>
> My Hydra server also took around 65 minutes to evaluate the
> expressions of the 4 machines in my network (I believe usually it
> doesn't take more than a couple of minutes).
>
> In my laptop, this is the process which seems to be taking 100% CPU
> during the whole time:
>
> root     16031 83.6  5.8 507344 471848 pts/1   R+   14:16  49:29
> /nix/store/fxik1nhqc4dkb72wl5cgb4fxxxlcrlfz-nix-1.7/bin/nix-instantiate --add-root
> /tmp/nix-build.jHT5_9/derivation --indirect -A system <nixpkgs/nixos>
>
> I know this feature is just a temporary workaround, but it's also a
> bad user experience. From a user perspective, it seemed like the
> process simply got stuck in an infinite loop.
> In contrast, compare this to apt-get, which doesn't take more than a
> couple of minutes to install a security fix...
>
> Also, I'm not sure if this is expected, but when I first tried to run
> "nixos-rebuild dry-run" with this workaround applied, it started to
> download and compile bash even though the man page of nixos-rebuild
> specifically says:
>
>        dry-run
>            Simply show what store paths would be built or downloaded
> by any of the operations above.
>
> Still, thanks for this feature because even though it's slow, it's
> still a lot better than waiting for everything to rebuild!

I did it on the host and on the containers without any trouble. But I
don't exclude that this problem can happen.
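The thread is about getting a fixed bash onto NixOS hosts, but it never shows how to confirm that the bash actually in use is no longer affected by CVE-2014-6271. The function below is an added example, not code from the thread or from Nix; it runs the well-known function-import probe against whichever shell binary you pass it (the binary path is the caller's choice, so on NixOS you would point it at the bash inside the active system profile rather than at a bare `bash` found on PATH):

```shell
#!/bin/sh
# Added example (not from the nix-dev thread): probe a shell binary for
# CVE-2014-6271. Bash versions affected by that CVE import any environment
# variable whose value starts with "() {" as a function definition and,
# crucially, keep parsing and executing whatever follows the closing brace.
# A fixed bash ignores the trailing command.
#
# Usage: shellshock_check [path-to-shell]   (default: "bash" from PATH)
# Prints "vulnerable" (returns 0), "not vulnerable" (returns 1) or
# "no such shell" (returns 2), so it can be used in a script or by hand.
shellshock_check() {
    shell_bin="${1:-bash}"

    # Refuse to report "not vulnerable" for a binary that was never run.
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo "no such shell: $shell_bin"
        return 2
    fi

    # The marker is only printed if the trailing command after the function
    # body is executed while the child shell imports the environment.
    # The child's own command ("echo probe") is there so the invocation is a
    # normal, harmless one; only the marker matters.
    out=$(env x='() { :;}; echo shellshock_marker' "$shell_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *shellshock_marker*)
            echo "vulnerable"
            return 0
            ;;
        *)
            echo "not vulnerable"
            return 1
            ;;
    esac
}

# Stand-alone usage: check the bash found on PATH (or the path given as $1).
# "|| true" keeps the script's exit status from reflecting the verdict.
shellshock_check "${1:-bash}" || true
```

Two caveats a practitioner would want: a "not vulnerable" result only covers the original function-import bug named in the subject line, not the follow-up parser issues that were assigned separate CVEs after the first patch, so re-run the check after each bash update rather than once; and on a system like the one described above, test the bash that services actually execute (for example the interpreter invoked by a CGI handler or `system()` call), since a fixed bash elsewhere on disk says nothing about the one a setuid or network-facing program is using.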