Oh no, do we have a Texi injection vulnerability in Guix? :)

What I understand is that an error occurs when trying to show a hint to the user (display-hint in the backtrace). This calls texi->plain-text which transforms texinfo markup to text for displaying on a terminal. With your user name, it tries to read something like:

/home/~a/.guix-profile/etc/profile

Which is expanded into:

/home/user@foo.bar/.guix-profile/etc/profile

And the @ is understood as texinfo markup but there is no @foo command in texinfo. How do we fix that though?

On 23 November 2022 13:46:30 GMT+01:00, pofman@free.fr wrote:
Hello!

I use the guix package manager on ubuntu 22.04.

I have successfully installed the fdm and mu packages but I got an error when installing the emacs package.

My user is a domain user, the domain name is 'foo.bar' and then sssd uses a home directory like '/home/user@foo.bar' which seems to cause that error.

Installation log:
$ LANG=C guix install emacs
The following package will be installed:
emacs 28.2

hint: Backtrace:
17 (primitive-load "/home/user@foo.bar/.config/guix?")
In guix/ui.scm:
2275:7 16 (run-guix . _)
2238:10 15 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1752:10 14 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
835:3 13 (_)
815:4 12 (call-with-status-report _ _)
In guix/store.scm:
1300:8 11 (call-with-build-handler _ _)
1300:8 10 (call-with-build-handler #<procedure 7f83d177e480 at g?> ?)
In guix/build/syscalls.scm:
1435:3 9 (_)
1402:4 8 (call-with-file-lock/no-wait _ _ _)
In guix/scripts/package.scm:
325:7 7 (build-and-use-profile _ "/var/guix/profiles/per-user/?" ?)
In guix/ui.scm:
312:5 6 (display-hint _ _)
1448:24 5 (texi->plain-text _)
In texinfo.scm:
1132:22 4 (parse _)
980:31 3 (loop #<input: string 7f83bec67a10> (*fragment*) _ _ _)
967:36 2 (loop #<input: string 7f83bec67a10> #f #<procedure ide?> ?)
92:2 1 (command-spec _)
In ice-9/boot-9.scm:
1685:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
Throw to key `parser-error' with args `(#f "Unknown command" foo)'.
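
One way to handle the failure discussed in this thread is to escape Texinfo's special characters in any value before it is interpolated into a hint that is then parsed as Texinfo. This is an added example in Guile Scheme, not Guix's own code or fix: `escape-texi` and `render-hint` are hypothetical names, the hint template is constructed, and only the Guile modules `(texinfo)` and `(texinfo plain-text)` are real.

```scheme
;; Added example, not Guix source.  ESCAPE-TEXI and RENDER-HINT are
;; hypothetical names; the hint template is constructed for illustration.
(use-modules (texinfo) (texinfo plain-text))

(define (escape-texi str)
  "Return STR with Texinfo's special characters (@, {, }) escaped so
that the parser treats them as literal text."
  (string-concatenate
   (map (lambda (c)
          (if (memv c '(#\@ #\{ #\}))
              (string #\@ c)          ; '@' becomes '@@', '{' becomes '@{'
              (string c)))
        (string->list str))))

(define (render-hint template . args)
  "Fill TEMPLATE (a Texinfo fragment with ~a placeholders) with ARGS and
render it to plain text.  Return #f if the fragment fails to parse."
  (catch 'parser-error
    (lambda ()
      (stexi->plain-text
       (texi-fragment->stexi (apply format #f template args))))
    (lambda (key . details)
      ;; Same key as in the backtrace: (#f "Unknown command" foo)
      (format (current-error-port) "texinfo parse failed: ~s~%" details)
      #f)))

;; Constructed template: the markup belongs to the program, the path is data.
(define template "Consider sourcing @file{~a}.")
(define profile "/home/user@foo.bar/.guix-profile/etc/profile")

;; First call: the raw path reaches the parser, "@foo" is read as a command
;; and parsing fails.  Second call: the path is escaped first, so the
;; template's own @file{} markup is the only markup the parser sees.
(for-each (lambda (arg)
            (format #t "~s~%" (render-hint template arg)))
          (list profile (escape-texi profile)))
```

The escaping is applied to the interpolated argument only, never to the template, so markup written by the program keeps working while user-controlled strings such as home directory paths stay literal.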