Date: Thu, 17 Oct 2019 23:06:38 +0200
From: Ludovic Courtès <>
Cc: Michael Orlitzky <>
Subject: CVE-2019-18192: Insecure permissions on Guix profile directory


GNU Guix is a transactional package manager and associated GNU/Linux

Similar to what Michael Orlitzky reported for Nix (CVE-2019-17365),
the profile directory in GNU Guix would be world-writable, allowing a
malicious user to populate the profile of a user that has never logged
in on the machine.

This issue has been assigned CVE-2019-18192 and affects all versions of
Guix up to 1.0.1 included.  The fix is similar to that written for Nix
by Eelco Dolstra (the build daemon of Guix derives from that of Nix).
It can be deployed via ‘guix pull’ as specified in the announcement below.
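A defensive audit for the condition described above, as an added example that is not part of the original message or of Guix's code: it flags a world-writable per-user profile root and any entry in it that is not owned by the user it is named after. The root path is supplied by the caller, and the one-subdirectory-per-user-name layout and the function names are assumptions of this example.

```python
import os
import pwd
import stat


def _name_of(uid):
    """Map a uid to a login name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_profile_root(root, name_of=_name_of):
    """Return (path, problem) findings for a per-user profile tree.

    root holds one subdirectory per user name (assumed layout); its
    location is passed in by the caller, not hard-coded here.
    """
    findings = []
    st = os.lstat(root)
    if st.st_mode & stat.S_IWOTH:
        findings.append((root, "world-writable: any user can create entries"))
    with os.scandir(root) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        est = entry.stat(follow_symlinks=False)
        if not stat.S_ISDIR(est.st_mode):
            findings.append((entry.path, "not a directory"))
            continue
        # A profile directory pre-created by someone else shows up here.
        owner = name_of(est.st_uid)
        if owner != entry.name:
            findings.append((entry.path, f"owned by {owner}, expected {entry.name}"))
        if est.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry.path, "writable by group or others"))
    return findings


if __name__ == "__main__":
    import sys
    for path, problem in audit_profile_root(sys.argv[1]):
        print(f"{path}: {problem}")
```

Run it with the profile root as the only argument, both before and after deploying the fix; an empty result means neither condition was found.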





