Marius Bakke writes:

> Leo Famulari writes:
>
>> On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
>>> Kei Kebreau writes:
>>>
>>> > Reviewers, how does this patch look to you?
>>>
>>> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
>>> setuid root, which is not the case on guix.
>>>
>>> FWIW Debian do not carry this patch, but have fixed the CVE according to
>>> the changelog. So I doubt this patch is necessary.
>>
>> There have been a couple security-related bugs publicized recently that
>> are only dangerous when the software is installed setuid root.
>>
>> Although we don't do that by default, system administrators can do it on
>> GuixSD. I also think that Guix is valuable as a distribution mechanism
>> of free source code, and we should fix bugs for that use case.
>>
>> So, I was thinking that we should fix these bugs unless they require
>> grafting, and then we should fix them in core-updates.
>>
>> WDYT?
>
> That does make a lot of sense. Reading up on execl(3), it looks like
> this patch does the right thing and can't hurt even when not setuid.
>
> Mind=changed! :P

Are we all agreed on pushing this change?