unofficial mirror of help-guix@gnu.org 
From: John Kehayias <john.kehayias@protonmail.com>
To: info-guix@gnu.org, Guix Devel <guix-devel@gnu.org>, help-guix@gnu.org
Subject: Upgrade now! (Build user takeover vulnerability)
Date: Mon, 21 Oct 2024 22:36:05 +0000
Message-ID: <87ldyhhynj.fsf_-_@protonmail.com>

Hi Guix-ers,

(Sent to several lists for wider coverage; apologies if you receive this message multiple times.)

A vulnerability in the guix-daemon has been found which allows a local user to gain privileges of a build user. Everyone is strongly urged to upgrade immediately. This has been patched in two recent commits:

<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=558224140dab669cabdaebabff18504a066c48d4>

<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5ab3c4c1e43ebb637551223791db0ea3519986e1>

and described in detail, with a proof of concept which you can use to check your system as well as upgrade instructions, in this blog post:

<https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/>

Upon a guix pull you should also see a news entry with information about this issue. Please also see the above blog post for all the details, especially on how to make sure you have upgraded the guix-daemon to mitigate this exploit. For users of Guix System, the short of it is to pull, reconfigure, and restart guix-daemon. For Guix on a foreign distro, you will need to use sudo --login guix pull and restart the guix-daemon service, for instance with systemctl if systemd is used. Again, please see the above blog post and documentation <https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html> for further details.
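A common failure mode with the procedure above is pulling the fixed daemon but leaving the old process running. The script below is an added example (not part of this announcement and not Guix project code) that checks, after the restart, whether the guix-daemon process actually running is the same store item as the one in the pulled profile. It assumes a Linux host with /proc and pgrep, that it is run as root (reading /proc/PID/exe of a root process requires that), and the foreign-distro layout in which the daemon is started from /var/guix/profiles/per-user/root/current-guix/bin/guix-daemon; the path is an assumption and can be overridden with the PROFILE_DAEMON variable (on Guix System, point it at whatever path your guix-daemon shepherd service uses).

```shell
#!/bin/sh
# Added example: is the running guix-daemon the one from the freshly pulled
# profile?  Assumptions: Linux /proc, pgrep available, run as root, daemon
# started from root's current-guix profile (foreign-distro layout).

PROFILE_DAEMON="${PROFILE_DAEMON:-/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon}"

# Resolve a path through every symlink to its final location; print
# nothing if the path does not exist (readlink -f would still print it).
resolve() {
    if [ -e "$1" ]; then
        readlink -f -- "$1"
    fi
}

# Compare the executable behind a running process (its /proc/PID/exe
# link, or any symlink standing in for it) with the daemon in the profile.
# Prints "ok" when both resolve to the same store item, "stale" when the
# process still runs a pre-upgrade binary, "unknown" if a path is missing.
daemon_state() {
    running="$(resolve "$1")"
    profile="$(resolve "$2")"
    if [ -z "$running" ] || [ -z "$profile" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$running" = "$profile" ]; then
        echo "ok"
        return 0
    fi
    echo "stale"
    return 1
}

# Locate the (oldest) guix-daemon process and report its state.
check_guix_daemon() {
    pid="$(pgrep -o -x guix-daemon 2>/dev/null)"
    if [ -z "$pid" ]; then
        echo "guix-daemon is not running" >&2
        return 2
    fi
    if state="$(daemon_state "/proc/$pid/exe" "$PROFILE_DAEMON")"; then
        rc=0
    else
        rc=$?
    fi
    echo "running: $(resolve "/proc/$pid/exe")"
    echo "profile: $(resolve "$PROFILE_DAEMON")"
    echo "status:  $state"
    return $rc
}

# Only perform the live check when asked, so the functions can be sourced.
if [ -n "${CHECK_DAEMON:-}" ]; then
    check_guix_daemon
fi
```

Run it as root with CHECK_DAEMON=1 after the restart; a "stale" result means the service restart did not take effect (or the unit points at a different path than assumed), and "ok" means the process now runs the same binary the pull installed. This does not by itself prove the pulled commit contains the fix; for that, compare the channel commit shown by guix describe against the two commits listed above.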

Enormous thanks to Caleb Ristvedt for bringing this to our attention, fixing the issue, and preparing patches, news entry, and blog post. Thanks also to Ludovic Courtès for helping and shepherding this through in a timely manner.

As a reminder, please report any security issues or concerns to the Guix Security Team <https://guix.gnu.org/en/security/> via guix-security@gnu.org.

Thank you all for using Guix and please upgrade now!

John, on behalf of Guix Security

Thread overview: [no followups]