GNU bug report logs - #70022
[PATCH 0/2] Binary Installation: Add more distros.

Previous Next

Package: guix-patches;

Reported by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

Date: Tue, 26 Mar 2024 23:47:02 UTC

Severity: normal

Tags: patch

Done: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Cc: 70022 <at> debbugs.gnu.org
Subject: [bug#70022] [PATCH 0/2] Binary Installation: Add more distros.
Date: Wed, 27 Mar 2024 17:09:51 +0100

Hi Denis.  This is in principle a great improvement, however note that
recently (4th March or so) a local privilege escalation vulnerability in
guix-daemon was discovered
<https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/>
and many distros have not fixed it yet, such as AUR and therefore your
Parabola pcr package or Debian’s long-term releases, which Debian’s guix
packager complained about
<https://security-tracker.debian.org/tracker/CVE-2024-27297>.

Perhaps we should think about how and where we can also instruct users
to upgrade their daemon in a timely manner.  This will be different for
guix packages (that configure a vulnerable daemon systemd service) and
for guix-install (where it is enough to follow the guix pull news file,
if the admin actually uses guix pull themself and can see the news).

Otherwise LGTM.

Regards,
Florian

This bug report was last modified 1 year and 38 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #70022 [PATCH 0/2] Binary Installation: Add more distros.

GNU bug report logs - #70022
[PATCH 0/2] Binary Installation: Add more distros.