Date: Thu, 17 Oct 2019 23:06:38 +0200 From: Ludovic Courtès <ludo@....org> To: oss-security@...ts.openwall.com Cc: Michael Orlitzky <michael@...itzky.com> Subject: CVE-2019-18192: Insecure permissions on Guix profile directory Hello, GNU Guix is a transactional package manager and associated GNU/Linux distribution. Similar to what Michael Orlitzky reported for Nix (CVE-2019-17365), the profile directory in GNU Guix would be world-writable, allowing a malicious user to populate the profile of a user that has never logged in on the machine. This issue has been assigned CVE-2019-18192 and affects all versions of Guix up to 1.0.1 included. The fix is similar to that written for Nix by Eelco Dolstra (the build daemon of Guix derives from that of Nix). It can be deployed via ‘guix pull’ as specified in the announcement below. Announcement: https://guix.gnu.org/blog/2019/insecure-permissions-on-profile-directory-cve-2019-18192/ Issue: https://issues.guix.gnu.org/issue/37744 Commit: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=81c580c8664bfeeb767e2c47ea343004e88223c7 Ludo’. Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.