• Four vulnerabilities in Guix

    From LWN.net@1337:1/100 to All on Friday, July 03, 2026 17:00:07
    Four vulnerabilities in Guix

    Date:
    Fri, 03 Jul 2026 15:54:01 +0000

    Description:
    The GNU Guix project has announced three vulnerabilities in the guix substitute utility as well
    as a fourth that affects the guix pull and guix time-machine commands. The impact of the
    vulnerabilities ranges from remote privilege escalation to local disclosure of sensitive files.
    Remote exploitation of guix substitute only requires that the vulnerable system attempt to
    download a binary substitute. Any configured substitute server, including ones discovered using
    guix-daemon's --discover option, can exploit this, and so can a man-in-the-middle (MITM),
    regardless of whether HTTPS is used in the substitute server URLs. Local exploitation of guix
    substitute only requires the ability to connect to guix-daemon's socket, which by default any
    user can do. Separately, another security issue (CVE ID pending) was identified in guix pull
    and guix time-machine, which enables anyone who can control the channels file used by these
    commands to cause a file to be created or overwritten wherever the user running the command in
    question has permission to create files. The project is recommending that all users upgrade guix
    and guix-daemon immediately. See the announcement for instructions, how to test for the
    vulnerabilities, the disclosure timeline, and more.

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1081199/


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)