
List:       oss-security
Subject:    [oss-security] CVE-2019-18192: Insecure permissions on Guix profile directory
From:       Ludovic Courtès <ludo () gnu ! org>
Date:       2019-10-17 21:06:38
Message-ID: 87d0evjd41.fsf () gnu ! org


Hello,

GNU Guix is a transactional package manager and associated GNU/Linux
distribution.

Similar to what Michael Orlitzky reported for Nix (CVE-2019-17365),
the profile directory in GNU Guix would be world-writable, allowing a
malicious user to populate the profile of a user that has never logged
in on the machine.

This issue has been assigned CVE-2019-18192 and affects all versions of
Guix up to 1.0.1 included.  The fix is similar to that written for Nix
by Eelco Dolstra (the build daemon of Guix derives from that of Nix).
It can be deployed via ‘guix pull’ as specified in the announcement below.

Announcement:
https://guix.gnu.org/blog/2019/insecure-permissions-on-profile-directory-cve-2019-18192/

Issue:
https://issues.guix.gnu.org/issue/37744

Commit:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=81c580c8664bfeeb767e2c47ea343004e88223c7

Ludo'.

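As an added defender-side check (not part of this advisory, of Guix, or of the Nix fix it mirrors), the following script audits the permissions of the per-user profile directory the advisory describes: the parent must be root-owned and not writable by group or others, and each per-user subdirectory must belong to the user it is named after. It assumes the default /var/guix/profiles/per-user layout and GNU stat.

```shell
#!/bin/sh
# Added audit example; not code from the advisory or from Guix itself.
# Assumption: the per-user profile root is /var/guix/profiles/per-user
# (pass another path to audit_per_user if localstatedir differs).

# check_dir DIR [EXPECTED_OWNER]
# Returns 0 when DIR is neither group- nor world-writable and (if given)
# is owned by EXPECTED_OWNER; returns 1 and prints a finding otherwise,
# 2 when DIR is missing or cannot be inspected.
check_dir() {
    dir=$1
    want_owner=$2
    rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    mode=$(stat -c '%a' "$dir") || return 2    # e.g. 1777 or 755
    owner=$(stat -c '%U' "$dir") || return 2
    # Last two octal digits are the group and other permission bits;
    # a digit of 2, 3, 6 or 7 means the write bit is set.
    gw=${mode#"${mode%??}"}
    case $gw in
        *[2367]*)
            echo "FINDING: $dir is group/world writable (mode $mode)"
            rc=1 ;;
    esac
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "FINDING: $dir owned by $owner, expected $want_owner"
        rc=1
    fi
    return $rc
}

# audit_per_user [BASE]
# Checks BASE (root-owned, not writable by others) and every
# subdirectory BASE/<user>, which must be owned by <user>.
audit_per_user() {
    base=${1:-/var/guix/profiles/per-user}
    status=0
    check_dir "$base" root || status=1
    for d in "$base"/*; do
        [ -d "$d" ] || continue
        check_dir "$d" "$(basename "$d")" || status=1
    done
    return $status
}
```

Source the file and run `audit_per_user` as root; a non-zero exit with FINDING lines means the pre-fix layout (a world-writable parent, or subdirectories pre-created by another user) is still in place.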

