[Nix-dev] Bash CVE-2014-6271

roconnor at theorem.ca roconnor at theorem.ca
Sun Sep 28 23:39:14 CEST 2014


I've sent out PR#4313 to address the slowness issue: 
https://github.com/NixOS/nixpkgs/pull/4313

On Sun, 28 Sep 2014, roconnor at theorem.ca wrote:

> After studying pkgs/build-support/replace-dependency.nix I'm preparing a 
> preliminary patch for it that should make the computation a zillion times 
> faster.
>
> The dry-run thing not being a dry run is still a bit of a mystery to me, but 
> replace-dependency.nix does do things that are a little strange such as 
> "builtins.unsafeDiscardStringContext".
>
> On Thu, 25 Sep 2014, Ricardo M. Correia wrote:
>
>>  On Wed, Sep 24, 2014 at 11:34 PM, Peter Simons <simons at cryp.to> wrote:
>>        If you are worried about Bash CVE-2014-6271 (you should) and don't
>>        want to wait for Hydra to re-build the world, then check out
>>
>>          https://github.com/NixOS/nixpkgs/pull/4257#issuecomment-56727114
>>
>>        to see how to replace the bash binary in your running system without
>>        triggering re-builds.
>>
>>
>>  This does appear to work (thanks!), but I'm having some issues with it.
>>  Namely, when I run "nixos-rebuild dry-run" on my laptop, instead of taking
>>  3 seconds to finish, it now takes more than 65 minutes (!). It seems to be
>>  CPU-bound during the whole time. Also, take into account that my laptop
>>  has a relatively fast CPU - a quad-core i7.
>>
>>  My Hydra server also took around 65 minutes to evaluate the expressions of
>>  the 4 machines in my network (I believe usually it doesn't take more than
>>  a couple of minutes).
>>
>>  On my laptop, this is the process which seems to be taking 100% CPU during
>>  the whole time:
>>
>>  root     16031 83.6  5.8 507344 471848 pts/1   R+   14:16  49:29
>>  /nix/store/fxik1nhqc4dkb72wl5cgb4fxxxlcrlfz-nix-1.7/bin/nix-instantiate
>>  --add-root
>>  /tmp/nix-build.jHT5_9/derivation --indirect -A system <nixpkgs/nixos>
>>
>>  I know this feature is just a temporary workaround, but it's also a bad
>>  user experience. From a user perspective, it seemed like the process
>>  simply got stuck in an infinite loop.
>>  In contrast, compare this to apt-get, which doesn't take more than a
>>  couple of minutes to install a security fix...
>>
>>  Also, I'm not sure if this is expected, but when I first tried to run
>>  "nixos-rebuild dry-run" with this workaround applied, it started to
>>  download and compile bash even though the man page of nixos-rebuild
>>  specifically says:
>>
>>         dry-run
>>             Simply show what store paths would be built or downloaded by
>>             any of the operations above.
>>
>>  Still, thanks for this feature because even though it's slow, it's still a
>>  lot better than waiting for everything to rebuild!

-- 
Russell O'Connor                                      <http://r6.ca/>
``All talk about `theft,''' the general counsel of the American Graphophone
Company wrote, ``is the merest claptrap, for there exists no property in
ideas musical, literary or artistic, except as defined by statute.''
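Peter Simons' advice quoted in the thread (swap the bash binary in the running system without waiting for Hydra) is only useful if you can confirm which bash your machine actually resolves and whether it is still affected, both before and after the replacement. The POSIX shell script below is an added example; it is not code from this thread, from nixpkgs or from NixOS. It runs the standard CVE-2014-6271 probe (an exported function definition followed by a trailing command) against a given bash binary and then scans a few candidate locations. The candidate paths (/run/current-system/sw/bin/bash, /bin/bash, /usr/bin/bash and whatever `command -v bash` returns) and the marker string are illustrative assumptions.

```shell
#!/bin/sh
# Added example: probe a bash binary for CVE-2014-6271 ("Shellshock").
# Not from the nix-dev thread or from nixpkgs. The candidate paths and the
# marker string below are assumptions chosen for illustration.

# check_shellshock BASH_PATH
#   returns 0 if the binary ignores the trailing command (patched for
#             CVE-2014-6271)
#   returns 1 if the trailing command was executed (vulnerable)
#   returns 2 if BASH_PATH is empty or not an executable file
check_shellshock() {
    bash_bin=$1
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    # Assumed marker: any string bash would never print on its own.
    marker="CVE_2014_6271_TRAILING_CODE_RAN"
    # A vulnerable bash imports the exported variable as a function definition
    # and then executes whatever follows the closing brace, here an echo.
    # A patched bash only runs the -c command; warnings go to stderr.
    out=$(env "x=() { :;}; echo $marker" "$bash_bin" -c 'echo probe' 2>/dev/null)
    case $out in
        *"$marker"*) return 1 ;;
        *)           return 0 ;;
    esac
}

# scan_bashes: check each candidate bash on this host and print one line per
# distinct path. On NixOS the system profile and PATH may resolve to different
# /nix/store paths (compare the store path in the ps output above), so each
# candidate is probed separately instead of assuming "bash" covers them all.
scan_bashes() {
    seen=" "
    for p in /run/current-system/sw/bin/bash /bin/bash /usr/bin/bash \
             "$(command -v bash 2>/dev/null || true)"; do
        [ -n "$p" ] || continue
        case $seen in *" $p "*) continue ;; esac
        seen="$seen$p "
        if check_shellshock "$p"; then
            echo "$p: not vulnerable to CVE-2014-6271"
        else
            case $? in
                1) echo "$p: VULNERABLE to CVE-2014-6271" ;;
                2) echo "$p: skipped (not an executable file)" ;;
            esac
        fi
    done
}

scan_bashes
```

Two caveats for anyone using this alongside the replace-dependency workaround. First, the probe only covers the original CVE-2014-6271 vector; the first upstream fix was incomplete (CVE-2014-7169 and later follow-ups), so a "not vulnerable" result here does not mean the binary is fully patched. Second, a result is only meaningful for the path it was run against: a replaced binary in the system profile does nothing for a bash reached through an older store path that a service or user environment still references, which is why the scan prints every distinct path rather than a single verdict.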


More information about the nix-dev mailing list