--- Begin Message ---
Subject: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 09:47:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello Guix,
That the per-user profile directory is world-writable allows an attacker
to hijack code run by other users, as has been reported in the context
of Nix:
https://www.openwall.com/lists/oss-security/2019/10/09/4
I believe it applies to Guix as well.
Nix people are tracking it here:
https://github.com/NixOS/nix/pull/3134
https://github.com/NixOS/nix/issues/509
Looks like we’ll need to do something similar to:
<https://github.com/NixOS/nix/pull/3136/commits/5a303093dcae1e5ce9212616ef18f2ca51020b0d>.
Thoughts?
Thanks,
Ludo’.
--- End Message ---
--- Begin Message ---
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Wed, 16 Oct 2019 23:41:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

I pushed the fix as 81c580c8664bfeeb767e2c47ea343004e88223c7, followed
by an update of the ‘guix’ package in
e63b31443b29b7793e73ab04798220edc6e564fc.
Thanks everyone!
Ludo’.
--- End Message ---