[debbugs-tracker] bug#37744: closed (Per-user profile directory hijack (CVE-2019-17365 for Nix))

[GNU bug Tracking System]

Your message dated Wed, 16 Oct 2019 23:41:41 +0200
with message-id <address@hidden>
and subject line Re: bug#37744: Per-user profile directory hijack 
(CVE-2019-17365 for Nix)
has caused the debbugs.gnu.org bug report #37744,
regarding Per-user profile directory hijack (CVE-2019-17365 for Nix)
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden.)


-- 
37744: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37744
GNU Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> Per-user profile directory hijack (CVE-2019-17365 for Nix)
>
>
>
>
> Date: 
>
> Mon, 14 Oct 2019 09:47:35 +0200
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
>
>
>
>
> Hello Guix,
>
> That the per-user profile directory is world-writable allows an attacker
> to hijack code run by other users, as has been reported in the context
> of Nix:
>
>   https://www.openwall.com/lists/oss-security/2019/10/09/4
>
> I believe it applies to Guix as well.
>
> Nix people are tracking it here:
>
>    https://github.com/NixOS/nix/pull/3134
>    https://github.com/NixOS/nix/issues/509
>
> Looks like we’ll need to do something similar to:
> <https://github.com/NixOS/nix/pull/3136/commits/5a303093dcae1e5ce9212616ef18f2ca51020b0d>.
>
> Thoughts?
>
> Thanks,
> Ludo’.
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
>
>
>
>
> Date: 
>
> Wed, 16 Oct 2019 23:41:41 +0200
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
>
>
>
>
> I pushed the fix as 81c580c8664bfeeb767e2c47ea343004e88223c7, followed
> by an updated of the ‘guix’ package in
> e63b31443b29b7793e73ab04798220edc6e564fc.
>
> Thanks everyone!
>
> Ludo’.
>
>
> --- End Message ---