GNU bug report logs - #37744
Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)


Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 14 Oct 2019 07:48:02 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.




From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: bug#37744: closed (Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix))
Date: Wed, 16 Oct 2019 21:42:04 +0000
Your bug report

#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 37744 <at> debbugs.gnu.org.

-- 
37744: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37744
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 37744-done <at> debbugs.gnu.org
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Wed, 16 Oct 2019 23:41:41 +0200
I pushed the fix as 81c580c8664bfeeb767e2c47ea343004e88223c7, followed
by an update of the ‘guix’ package in
e63b31443b29b7793e73ab04798220edc6e564fc.

Thanks everyone!

Ludo’.

From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 09:47:35 +0200
Hello Guix,

That the per-user profile directory is world-writable allows an attacker
to hijack code run by other users, as has been reported in the context
of Nix:

  https://www.openwall.com/lists/oss-security/2019/10/09/4

I believe it applies to Guix as well.

Nix people are tracking it here:

   https://github.com/NixOS/nix/pull/3134
   https://github.com/NixOS/nix/issues/509

Looks like we’ll need to do something similar to:
<https://github.com/NixOS/nix/pull/3136/commits/5a303093dcae1e5ce9212616ef18f2ca51020b0d>.

Thoughts?

Thanks,
Ludo’.
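
The report above describes the vulnerable condition (a world-writable per-user profile directory that any local user can populate ahead of the victim) but gives no way to check a host for it. The following audit script is an added example, not code from the Guix project, the bug report, or the fix commits. It assumes the directory named in the bug title, /var/guix/profiles/per-user, and it assumes the post-fix invariant that each subdirectory of it is owned by the user it is named after; the function name audit_per_user_dir and the output format are this example's own. It uses only POSIX find primitives (-prune, -perm, -user) so that it behaves the same under GNU and BSD userlands.

```shell
#!/bin/sh
# audit_per_user_dir DIR
#   Prints one finding per line and returns 1 if DIR is world-writable or if
#   any subdirectory is not owned by the user it is named after; returns 0
#   when both checks pass and 2 when DIR does not exist.
#   DIR defaults to /var/guix/profiles/per-user (path from the bug title).
audit_per_user_dir() {
    dir=${1:-/var/guix/profiles/per-user}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi
    # A world-writable parent (mode o+w, -perm -0002) is the condition the
    # report describes: any local user may pre-create per-user/<victim> and
    # control what the victim's profile links resolve to.  -prune keeps find
    # from descending, so only the starting directory itself is tested.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "world-writable: $dir"
        rc=1
    fi
    # Every per-user/<name> directory should be owned by <name> (assumed
    # invariant).  find -user fails on an unknown account name, which is
    # reported as a mismatch as well since no such owner can be legitimate.
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        sub=${sub%/}
        name=${sub##*/}
        if [ -z "$(find "$sub" -prune -user "$name" -print 2>/dev/null)" ]; then
            echo "owner mismatch: $sub (expected owner $name)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: audit the live directory and exit with its status.
if [ -z "$AUDIT_PER_USER_NO_MAIN" ]; then
    audit_per_user_dir "$@"
fi
```

Run it as any user; the permission check needs no privileges because the mode bits and owners are visible to everyone. A directory that passes both checks still relies on guix-daemon creating the per-user subdirectories itself, as the referenced Nix change does, so the script is a detector for the condition, not a replacement for the fix.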



This bug report was last modified 5 years and 300 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.