bug-guix

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)


From: Ludovic Courtès
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 09:47:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello Guix,

That the per-user profile directory is world-writable allows an attacker
to hijack code run by other users, as has been reported in the context
of Nix:

  https://www.openwall.com/lists/oss-security/2019/10/09/4

I believe it applies to Guix as well.

Nix people are tracking it here:

   https://github.com/NixOS/nix/pull/3134
   https://github.com/NixOS/nix/issues/509

Looks like we’ll need to do something similar to:
<https://github.com/NixOS/nix/pull/3136/commits/5a303093dcae1e5ce9212616ef18f2ca51020b0d>.

Thoughts?

Thanks,
Ludo’.
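
As an added illustration of the issue reported above (not code from Guix, Nix, or this message), the following audit flags a per-user profile parent directory that is world-writable and any entry in it that is not a directory owned by the user it is named after. The directory location is supplied by the caller, and the `uid_of` resolver parameter is a hypothetical hook introduced here for testing.

```python
import os
import pwd
import stat


def _uid_of(name):
    """Resolve a user name to a uid, or None if no such account exists."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_per_user_dir(root, uid_of=_uid_of):
    """Return (path, problem) findings for a per-user profile directory.

    `root` holds one sub-directory per user; its location is passed in
    by the caller and is not assumed here.
    """
    findings = []
    if os.stat(root).st_mode & stat.S_IWOTH:
        findings.append((root, "world-writable: any local user can create entries"))
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        entry = os.lstat(path)  # lstat: do not follow a planted symlink
        expected = uid_of(name)
        if not stat.S_ISDIR(entry.st_mode):
            findings.append((path, "not a directory"))
        elif expected is None:
            findings.append((path, "no account with this name"))
        elif entry.st_uid != expected:
            findings.append(
                (path, "owned by uid %d, expected %d" % (entry.st_uid, expected)))
        elif entry.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
    return findings


if __name__ == "__main__":
    import sys
    for path, problem in audit_per_user_dir(sys.argv[1]):
        print("%s: %s" % (path, problem))
```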
