Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 17 Oct 2019 23:06:38 +0200
From: Ludovic Courtès <ludo@....org>
To: oss-security@...ts.openwall.com
Cc: Michael Orlitzky <michael@...itzky.com>
Subject: CVE-2019-18192: Insecure permissions on Guix profile directory

Hello,

GNU Guix is a transactional package manager and associated GNU/Linux
distribution.

Similar to what Michael Orlitzky reported for Nix (CVE-2019-17365),
the profile directory in GNU Guix would be world-writable, allowing a
malicious user to populate the profile of a user that has never logged
in on the machine.

This issue has been assigned CVE-2019-18192 and affects all versions of
Guix up to 1.0.1 included.  The fix is similar to that written for Nix
by Eelco Dolstra (the build daemon of Guix derives from that of Nix).
It can be deployed via ‘guix pull’ as specified in the announcement below.

Announcement:
https://guix.gnu.org/blog/2019/insecure-permissions-on-profile-directory-cve-2019-18192/

Issue:
https://issues.guix.gnu.org/issue/37744

Commit:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=81c580c8664bfeeb767e2c47ea343004e88223c7

Ludo’.

Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.