GNU bug report logs - #47584
Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Reported by: Maxime Devos <maximedevos <at> telenet.be>
Date: Sat, 3 Apr 2021 16:10:02 UTC
Severity: important
Tags: patch, security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Hi Maxime,
Maxime Devos <maximedevos <at> telenet.be> wrote:
> From 9672bd37bf50db1e0989d0b84035c4788422bd31 Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos <at> telenet.be>
> Date: Tue, 30 Mar 2021 22:36:14 +0200
> Subject: [PATCH 1/2] activation: Do not dereference symlinks in home directory
> creation.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> Fixes <https://bugs.gnu.org/47584>.
>
> * gnu/build/activation.scm
> (copy-account-skeletons): Do not chown the home directory; leave this
> to 'activate-user-home'.
> (activate-user-home): Only chown the home directory after the account
> skeletons have been copied.
>
> Co-authored-by: Ludovic Courtès <ludo <at> gnu.org>.
Pushed:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2161820ebbbab62a5ce76c9101ebaec54dc61586
> From d071ee3aff5be1a6d7876d7411e70f7283dce1fb Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos <at> telenet.be>
> Date: Sat, 3 Apr 2021 12:19:10 +0200
> Subject: [PATCH 2/2] news: Add entry for user account activation
> vulnerability.
>
> TODO for guix committer: correct the commit id appropriately.
>
> * etc/news.scm: Add entry.
I tweaked it to (1) make it clear upfront that only Guix System is
affected, (2) to explicitly recommend an upgrade on Guix System, and (3)
to clarify when the attack can happen.
Thanks for finding the issue, for reporting it at guix-security, and for
preparing these patches!
Ludo’.
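
The ordering described in the first commit message above (copy the skeletons without dereferencing symlinks, chown the home directory only afterwards), as an added Python example. It is not part of this thread and is not Guix's Scheme code from gnu/build/activation.scm; `copy_tree`, `create_home` and `demo` are hypothetical names, the skeleton contents are constructed, and the home directory is assumed not to exist yet.

```python
import os, stat, tempfile
NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
CREATE_NEW = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW

def copy_tree(src, dst_fd, uid, gid):
    """Copy SRC into the directory open as DST_FD, never following symlinks."""
    for entry in os.scandir(src):
        st = entry.stat(follow_symlinks=False)
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            # Recreate the link itself; its target is never opened.
            os.symlink(os.readlink(entry.path), entry.name, dir_fd=dst_fd)
        elif stat.S_ISDIR(st.st_mode):
            os.mkdir(entry.name, 0o700, dir_fd=dst_fd)
            sub_fd = os.open(entry.name, NOFOLLOW_DIR, dir_fd=dst_fd)
            try:
                copy_tree(entry.path, sub_fd, uid, gid)
                os.fchmod(sub_fd, mode)
            finally:
                os.close(sub_fd)
        elif stat.S_ISREG(st.st_mode):
            # O_EXCL | O_NOFOLLOW: fail rather than write through an existing name.
            fd = os.open(entry.name, CREATE_NEW, mode, dir_fd=dst_fd)
            with open(entry.path, "rb") as inp, os.fdopen(fd, "wb") as out:
                out.write(inp.read())
        else:
            continue  # skip devices, sockets, FIFOs
        # lchown semantics: change the entry itself, not what a link points to.
        os.chown(entry.name, uid, gid, dir_fd=dst_fd, follow_symlinks=False)

def create_home(skel, home, uid, gid):
    """Populate HOME from SKEL while the creator still owns it; chown it last."""
    os.mkdir(home, 0o700)  # assumption: HOME does not exist yet
    home_fd = os.open(home, NOFOLLOW_DIR)
    try:
        copy_tree(skel, home_fd, uid, gid)
        os.fchown(home_fd, uid, gid)  # ownership is handed over only now
    finally:
        os.close(home_fd)

def demo():  # constructed sample skeleton; returns (link target, file text)
    with tempfile.TemporaryDirectory() as tmp:
        skel, home = os.path.join(tmp, "skel"), os.path.join(tmp, "home")
        os.makedirs(os.path.join(skel, ".config"))
        with open(os.path.join(skel, ".config", "rc"), "w") as f:
            f.write("constructed\n")
        os.symlink("/constructed/dangling", os.path.join(skel, ".link"))
        create_home(skel, home, os.getuid(), os.getgid())
        with open(os.path.join(home, ".config", "rc")) as f:
            return os.readlink(os.path.join(home, ".link")), f.read()
```

`demo()` chowns to the caller's own uid and gid so it runs unprivileged; in real use the caller is root and the ids are the new account's.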
This bug report was last modified 260 days ago.