| author | Ludovic Courtès <ludo@gnu.org> | 2025-06-21 10:49:28 +0200 |
|---|---|---|
| committer | John Kehayias <john.kehayias@protonmail.com> | 2025-06-24 11:53:31 -0400 |
| commit | fbdf9d4ba99115c3cd0ef38919c0c67976ee76aa (patch) | |
| tree | a0fb688e82905ff9880bc4a2117768108ad5861c | |
| parent | 30a5d140aa5a789a362749d057754783fea83dde (diff) | |
news: Add entry for ‘guix-daemon’ vulnerability fix.
* etc/news.scm: Add entry.
Change-Id: I7f143c268070a6fbcc1a343374ee4443add60bc2
Signed-off-by: John Kehayias <john.kehayias@protonmail.com>
| -rw-r--r-- | etc/news.scm | 33 |
1 file changed, 33 insertions, 0 deletions
diff --git a/etc/news.scm b/etc/news.scm index e190682382..7901aab390 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -38,6 +38,39 @@ (channel-news (version 0) + + (entry (commit "30a5d140aa5a789a362749d057754783fea83dde") + (title + (en "@command{guix-daemon} privilege escalation vulnerabilities +fixed (CVE-2025-46415, CVE-2025-46416)")) + (body + (en "Vulnerabilities in the build daemon, @command{guix-daemon}, were +identified and fixed. One vulnerability would allow any user on the system +that can interact with the daemon to potentially corrupt new packages built +locally (CVE-2025-46416). With the other vulnerability (CVE-2025-46415), if +@command{guix-daemon} is running as root, it is also possible to escalate to +root privileges. CVE-2025-52991, CVE-2025-52992, and CVE-2025-52993 were +identified as additional opportunities that could have prevented the proposed +exploits. + +Everyone is strongly advised to upgrade @command{guix-daemon}. Guix System +users can do this with commands along these lines: + +@example +sudo guix system reconfigure /run/current-system/configuration.scm +sudo herd restart guix-daemon +@end example + +If you are using Guix on another distro, run @command{info \"(guix) Upgrading +Guix\"} or visit +@uref{https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html} to +learn how to upgrade Guix. + +The root cause of the vulnerability was the ability of a @dfn{fixed-output +derivation} build process to smuggle a file descriptor to the store or to a +setuid program to an outside process @i{via} an abstract Unix-domain socket. +See @uref{https://codeberg.org/guix/guix/pulls/788} for more information."))) + (entry (commit "78d4b1e52c731502b29288ab6975bd9efa91392a") (title (en "New services for /etc/profile.d and /etc/bashrc.d") |
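Review bot: the sentence in the entry body "CVE-2025-52991, CVE-2025-52992, and CVE-2025-52993 were identified as additional opportunities that could have prevented the proposed exploits" reads as though those three CVEs are mitigations rather than weaknesses; since each is a CVE identifier, state what was assigned and what was fixed, for example "CVE-2025-52991, CVE-2025-52992, and CVE-2025-52993 were assigned to additional weaknesses whose fixes would have blocked the proposed exploits." Related: the title names only CVE-2025-46415 and CVE-2025-46416 while the body lists five identifiers, so either widen the title or say in the body that the remaining three are hardening fixes shipped with the same change. Minor: "The root cause of the vulnerability" in the last paragraph is singular after the body has described two vulnerabilities; "of these vulnerabilities" would match the rest of the entry.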