GNU bug report logs - #37744
Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 14 Oct 2019 07:48:02 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 37744 <at> debbugs.gnu.org
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Thu, 17 Oct 2019 22:25:58 +0200

Hallo!

Tobias Geerinckx-Rice <me <at> tobias.gr> skribis:

> Ludovic Courtès 写道:
>> See https://issues.guix.gnu.org/issue/37744
>
> Will this be automatically linkified?

Yes, I think so.

>> # Upgrading
>>
>> On multi-user systems, we recommend upgrading the daemon now.
>>
>> To upgrade the daemon on a “foreign distro”, run something along
>> these
>
> Imperialist nitpick: why list the foreigners first?  :-)
>
> Anti-imperialist nitpick: reversing the two allows using ‘other
> distributions’ instead of ‘foreign’ which always sounds a bit
> dismissive to my ears.
>
> End nitpick.

That makes sense to me; I’m not satisfied with “foreign” either (I think
the inspiration came from FFIs, but still).  Maybe “fellow distros”?
:-)

I’ve received the CVE ID (CVE-2019-18192) just now so I’ve added it to
the article and pushed it.

It should show up on line shortly.

Thank you for your feedback!

Ludo’.
This bug report was last modified 5 years and 300 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.