From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tobias Geerinckx-Rice via Bug reports for GNU Guix Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix) Date: Thu, 17 Oct 2019 21:01:39 +0200 Message-ID: <878spjnqlo.fsf@nckx> References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org> <87y2xno85o.fsf@nckx> <87d0eyuqzd.fsf@gnu.org> <87mue2nkrj.fsf@nckx> <8736fttby6.fsf@gnu.org> <87tv89rnva.fsf@gnu.org> <878spksty3.fsf@gnu.org> <87blufny52.fsf@gnu.org> Reply-To: Tobias Geerinckx-Rice Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:36678) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iLB2B-0004yM-Oi for bug-guix@gnu.org; Thu, 17 Oct 2019 15:02:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iLB2A-0003AY-LJ for bug-guix@gnu.org; Thu, 17 Oct 2019 15:02:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:40113) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1iLB2A-0003AU-Hu for bug-guix@gnu.org; Thu, 17 Oct 2019 15:02:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1iLB2A-0005CP-3B for bug-guix@gnu.org; Thu, 17 Oct 2019 15:02:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-reply-to: <87blufny52.fsf@gnu.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: 37744@debbugs.gnu.org --=-=-= Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Ludo', Ludovic Court=C3=A8s =E5=86=99=E9=81=93=EF=BC=9A > See https://issues.guix.gnu.org/issue/37744 Will this be automatically linkified? > This issue was initially [reported by Michael Orlitzky for > Nix](https://www.openwall.com/lists/oss-security/2019/10/09/4) > ([CVE-2019-17365](https://nvd.nist.gov/vuln/detail?vulnId=3DCVE-2019-1736= 5)). > > # Fix > > The [fix](https://issues.guix.gnu.org/issue/37744) consists in=20 > letting From=20the Oxford Dictionaries: 1 (consist of) be composed or made up of (consist in) have as an essential feature TIL. > # Upgrading > > On multi-user systems, we recommend upgrading the daemon now. > > To upgrade the daemon on a =E2=80=9Cforeign distro=E2=80=9D, run somethin= g along=20 > these Imperialist nitpick: why list the foreigners first? :-) Anti-imperialist nitpick: reversing the two allows using =E2=80=98other=20 distributions=E2=80=99 instead of =E2=80=98foreign=E2=80=99 which always so= unds a bit=20 dismissive to my ears. End nitpick. Thank you for taking care of this from start to finish, T G-R --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEfo+u0AlEeO9y5k0W2Imw8BjFSTwFAl2oupMACgkQ2Imw8BjF STwaxhAAjusdMbOJkvFyVQRbL9WRxA17CLUOQ0zuvtTqhnv4kB7Osfw75HD2qDa4 ViAGCUAma4Z6D+i585YFKB98dI8Zx22wgJnLDb+ZT29mDsxRzEKOESx3aPHidUY7 Lq2aV26cDPbWMDdSkKs8/bgHSv3q1TnNmYSYfx82OPwglNqP9c1BXMQavHOvod1M haS7/PJJqBn284m/RI46p4KvqvxWWQMqs5gPSOedYTE1pZ73xqSMmP+daxrT4Oy+ 8mdQvZyvk020ANdu5o/6cKLpqyCei08CriXOKm4IaZeIvYtpVmQ/mzfqNUetEvZD SAtEhLFkMMO7dqsWI2AZPj7ficQfiy9MpX8e2SiIiaAJoOdHs4Jo2BgEnCUhufMY CIAL9mNtCSjMUjBvWWwb2aaTrg9EargEeXcNjKevgJhm0c3kQ8cNgLlEjmukkZPk 07GQxuvqNO9aSNUY2Ulro08zU1+vzFDtTAGk6t+AgiYXYUQc0jV3BLq8n0Eln7Xw U4X7tdHQ8VRPIkZ7qnutM5UxOSqizU80KPAzzldaFJjA9wsWpZPFrx7bmuEzepuc znR4hRXX9cFcoouVrucVT0FsVWmCFLUfT9U4fbAg6E2a1xBPiyobUMFU7hA9Yc+x Z+Us7hX/7hWRIrSn3gT/xnu+EyISHrlnwsUOKrawLZgUWg2C6Nk= =XkaC -----END PGP SIGNATURE----- --=-=-=--