oss-sec mailing list archives
CVE-2019-18192: Insecure permissions on Guix profile directory
From: Ludovic Courtès <ludo () gnu org>
Date: Thu, 17 Oct 2019 23:06:38 +0200
Hello,

GNU Guix is a transactional package manager and associated GNU/Linux distribution.

Similar to what Michael Orlitzky reported for Nix (CVE-2019-17365), the profile directory in GNU Guix would be world-writable, allowing a malicious user to populate the profile of a user that has never logged in on the machine.

This issue has been assigned CVE-2019-18192 and affects all versions of Guix up to 1.0.1 included.

The fix is similar to that written for Nix by Eelco Dolstra (the build daemon of Guix derives from that of Nix). It can be deployed via ‘guix pull’ as specified in the announcement below.

Announcement: https://guix.gnu.org/blog/2019/insecure-permissions-on-profile-directory-cve-2019-18192/
Issue: https://issues.guix.gnu.org/issue/37744
Commit: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=81c580c8664bfeeb767e2c47ea343004e88223c7

Ludo’.
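The weakness described in this advisory (and in the Nix one it references) is a shared per-user profile root that is writable by every local account, so any user can pre-create the subdirectory of an account that has not logged in yet. The following audit script is an added example for administrators checking their own hosts; it is not code from GNU Guix, Nix, or the author of the advisory. It assumes the profile root is laid out as one subdirectory per user name (the default path `/var/guix/profiles/per-user` used in the docstring is an assumption, not taken from the advisory), and it flags a world-writable root, subdirectories whose name matches no account, and subdirectories not owned by the account they are named after. `demo()` builds a constructed before/after layout in a temporary directory so the check can be exercised offline.

```python
"""Audit a per-user profile root for the permission issue in CVE-2019-18192.

Added example, not GNU Guix or Nix code. The path below is an assumption
about the Guix layout; pass the directory you actually want to check.
"""
import os
import pwd
import stat
import tempfile

DEFAULT_PROFILE_ROOT = "/var/guix/profiles/per-user"  # assumed location


def audit_profile_root(root):
    """Return a list of (path, problem) findings for a per-user profile root.

    An empty list means the root is not writable by unprivileged users and
    every per-user subdirectory belongs to the account it is named after.
    """
    findings = []
    st = os.lstat(root)
    if not stat.S_ISDIR(st.st_mode):
        return [(root, "not a directory")]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        # World-writable root: any local user can create <root>/<victim>
        # before the victim ever logs in. The sticky bit does not help,
        # because the attacker owns the subdirectory they created.
        findings.append((root, f"world-writable (mode {oct(mode)})"))
    for name in sorted(os.listdir(root)):
        sub = os.path.join(root, name)
        sst = os.lstat(sub)
        if not stat.S_ISDIR(sst.st_mode):
            findings.append((sub, "unexpected non-directory entry"))
            continue
        try:
            expected_uid = pwd.getpwnam(name).pw_uid
        except KeyError:
            # A profile directory for a name that is not an account: either
            # stale, or planted in advance for a user who does not exist yet.
            findings.append((sub, "no such user account"))
            continue
        if sst.st_uid != expected_uid:
            findings.append((sub, f"owned by uid {sst.st_uid}, expected uid {expected_uid}"))
        sub_mode = stat.S_IMODE(sst.st_mode)
        if sub_mode & (stat.S_IWOTH | stat.S_IWGRP):
            findings.append((sub, f"writable by group or others (mode {oct(sub_mode)})"))
    return findings


def demo():
    """Constructed scenario: a vulnerable layout next to a corrected one.

    Returns (findings_before, findings_after). Both trees are created in a
    temporary directory and removed afterwards.
    """
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as tmp:
        # "Before": root is 1777 and contains a planted directory for a
        # name that is not an account on this host.
        before = os.path.join(tmp, "per-user-before")
        os.mkdir(before)
        os.chmod(before, 0o1777)
        os.mkdir(os.path.join(before, me))
        os.chmod(os.path.join(before, me), 0o755)
        planted = os.path.join(before, "no-such-user-xyz")  # constructed name
        os.mkdir(planted)
        os.chmod(planted, 0o755)

        # "After": root is 0755 and only the daemon (root) can create
        # per-user subdirectories, each owned by its user.
        after = os.path.join(tmp, "per-user-after")
        os.mkdir(after)
        os.chmod(after, 0o755)
        os.mkdir(os.path.join(after, me))
        os.chmod(os.path.join(after, me), 0o755)

        return audit_profile_root(before), audit_profile_root(after)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PROFILE_ROOT
    for path, problem in audit_profile_root(target):
        print(f"{path}: {problem}")
```

Run it as `python3 audit_profiles.py /path/to/per-user` on a host; a clean result is an empty output. The root check only looks at the other-write bit because the fix for this class of bug is a non-writable root whose subdirectories are created by the privileged daemon, not a sticky world-writable directory, which would still let an attacker claim a victim's name first.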