unofficial mirror of guix-devel@gnu.org 
* Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)
@ 2019-10-17 21:29 Ludovic Courtès
  0 siblings, 0 replies; only message in thread
From: Ludovic Courtès @ 2019-10-17 21:29 UTC (permalink / raw)
  To: info-guix, guix-devel


Hello,

We have become aware of a security issue for Guix on multi-user systems
that we have just fixed (CVE-2019-18192).  Anyone running Guix on a
multi-user system is encouraged to upgrade ‘guix-daemon’—see below for
instructions.

More information is available on the Guix blog:

  https://guix.gnu.org/blog/2019/insecure-permissions-on-profile-directory-cve-2019-18192/


Summary
~~~~~~~

The default user profile, ~/.guix-profile, points to
/var/guix/profiles/per-user/$USER.  Until now,
/var/guix/profiles/per-user was world-writable, allowing the ‘guix’
command to create the $USER sub-directory.

On a multi-user system, this allowed a malicious user to create and
populate that $USER sub-directory for another user that had not yet
logged in.  Since /var/…/$USER is in $PATH, the target user could end up
running attacker-provided code.


Upgrading
~~~~~~~~~

To upgrade the daemon on Guix System, run:

  guix pull
  sudo guix system reconfigure /etc/config.scm
  sudo herd restart guix-daemon

On other distros, run something along these lines:

  sudo guix pull
  sudo systemctl restart guix-daemon.service

Please report any issues you may have to guix-devel@gnu.org.

Ludo’, on behalf of the Guix team.

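As an added example (not part of the advisory above and not Guix's own code), the two checks an administrator would run to tell whether a per-user profile root is still in the pre-fix state described in the summary: a world-writable /var/guix/profiles/per-user, and $USER subdirectories that are not owned by the user they are named for. The expected post-fix state (root not writable by "other", each $USER directory owned by $USER) is an assumption drawn from the advisory's description; the function names are hypothetical, and the directory tree under mktemp is constructed so the script runs offline. Point the same functions at /var/guix/profiles/per-user to audit a real installation.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Guix itself: an audit
# for the condition behind CVE-2019-18192.  Assumed post-fix state: the
# daemon owns /var/guix/profiles/per-user (not world-writable) and creates
# each $USER subdirectory itself, owned by that user.  Before the fix the
# root was world-writable, so any local user could pre-create and populate
# another user's $USER directory before that user first ran guix.
#
# Two checks reproduce what an administrator would look for:
#   1. is the per-user root writable by "other"?  (pre-fix state)
#   2. is every $USER subdirectory really owned by $USER?  (a mismatch is
#      evidence that somebody else created it)

# Return 0 when DIR has no other-write bit, 1 when it is world-writable.
per_user_root_is_safe() {
  # find -perm -0002 prints DIR only if the other-write bit is set.
  [ -z "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# Print "<dir>: owned by <owner>, expected <name>" for every subdirectory
# of ROOT whose owner is not the user it is named after; return 0 if all
# match, 1 otherwise.  The owner is read from the third field of 'ls -ld',
# which is the same on GNU and BSD userlands.
list_mismatched_profile_dirs() {
  root=$1 bad=0
  for d in "$root"/*/; do
    [ -d "$d" ] || continue
    d=${d%/}
    name=${d##*/}
    owner=$(ls -ld "$d" | awk '{print $3}')
    if [ "$owner" != "$name" ]; then
      printf '%s: owned by %s, expected %s\n' "$d" "$owner" "$name"
      bad=1
    fi
  done
  return "$bad"
}

# Run both checks against ROOT; return 0 only if both pass.
audit_per_user_root() {
  status=0
  if per_user_root_is_safe "$1"; then
    echo "$1: not world-writable (ok)"
  else
    echo "$1: WORLD-WRITABLE, same state as the pre-fix daemon"
    status=1
  fi
  list_mismatched_profile_dirs "$1" || status=1
  return "$status"
}

# Constructed demo tree (not a real /var/guix); prints its path.
# "insecure" mimics the pre-fix root.  "fixed" mimics the post-fix root and
# holds one legitimate profile directory plus one named "victim" that the
# current user planted, the situation the advisory describes.
make_demo_tree() {
  tmp=$(mktemp -d)
  me=$(ls -ld "$tmp" | awk '{print $3}')   # our name exactly as ls reports it
  mkdir -m 0777 "$tmp/insecure"            # anyone may mkdir here
  mkdir -m 0755 "$tmp/fixed"               # only the owner may mkdir here
  mkdir "$tmp/fixed/$me"                   # owner matches name: legitimate
  mkdir "$tmp/fixed/victim"                # owner is us, name is not: planted
  echo "$tmp"
}

# Stand-alone demo.  Replace the constructed roots with
# /var/guix/profiles/per-user to audit a real installation.
demo_root=$(make_demo_tree)
audit_per_user_root "$demo_root/insecure" || true
audit_per_user_root "$demo_root/fixed"    || true
rm -rf "$demo_root"
```

The ownership check is the one that matters after upgrading: fixing the root's mode stops new directories from being planted, but a $USER directory created by someone else before the upgrade stays in place and stays on that user's $PATH until it is removed.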
