GNU Guix Package Manager Hit by Four Security Flaws
GNU Guix, the GNU Project’s functional package manager, has disclosed four security vulnerabilities affecting some of its core package-management commands.

According to the team, the newly disclosed issues affect guix substitute, guix pull, and guix time-machine, with CVE identifiers still pending at the time of writing.

The primary concern involves guix substitute, a utility used by guix-daemon to download pre-built binary substitutes. Three of the four vulnerabilities affect this substitute mechanism. The impact is significant because exploitation may be possible remotely if a vulnerable system attempts to download a binary substitute.

According to the advisory summary, this could be abused by a configured substitute server, including one discovered through guix-daemon’s --discover option, or by a man-in-the-middle attacker, regardless of whether HTTPS is used for the substitute server URLs.

Local exploitation is also possible in some cases. The requirement there is access to the guix-daemon socket, which Guix makes available to local users by default.

The fourth vulnerability affects guix pull and guix time-machine. These commands are used to update Guix itself and reproduce or switch to specific Guix revisions. The issue is tied to channel files and may allow an attacker controlling such a file to create or overwrite files where the affected user has write permissions.

Guix users are strongly advised to update both guix and guix-daemon as soon as possible. Since guix-daemon is the system service involved in package builds and substitute handling, updating only the user-facing command may not be sufficient on affected installations.
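The "update both guix and guix-daemon" step is where installations most often go wrong, because the daemon is updated differently on Guix System and on a foreign distribution. The script below is an added example written for this article; it is not code from the advisory or from the Guix project. It assumes (my assumptions, not the article's) that Guix System can be recognised by the presence of /run/current-system, that on a foreign distribution guix-daemon runs as a systemd unit from root's pulled profile, and that the daemon socket lives at /var/guix/daemon-socket/socket. Without --apply it only prints the plan and the socket's ownership and mode, which is the local-access condition the advisory mentions.

```shell
#!/bin/sh
# Added example (not from the article or the Guix project): update both the
# user-facing guix and guix-daemon, on Guix System and on a "foreign" distro.
# Assumed paths and service names (hypothetical, not taken from the advisory):
#   /run/current-system          -> marks a Guix System installation
#   /var/guix/daemon-socket/socket -> the guix-daemon socket
#   guix-daemon                  -> systemd unit name (foreign) / herd service (Guix System)

# Detect which flavour of installation we are on.
detect_mode() {
    if [ -d /run/current-system ]; then
        echo guix-system
    else
        echo foreign
    fi
}

# Print, one per line, the commands needed to update guix AND guix-daemon for MODE.
update_plan() {
    mode="$1"
    # Update the current user's guix first; this alone does not touch the daemon.
    echo 'guix pull'
    case "$mode" in
        guix-system)
            # The daemon is part of the system generation; reconfigure rebuilds it
            # from the freshly pulled guix.
            echo 'sudo guix system reconfigure /run/current-system/configuration.scm'
            # reconfigure does not restart an already-running daemon; do it explicitly (or reboot).
            echo 'sudo herd restart guix-daemon'
            ;;
        foreign)
            # The systemd unit runs root's guix-daemon, so root must pull too, then restart.
            echo 'sudo -i guix pull'
            echo 'sudo systemctl restart guix-daemon'
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
    # Show which Guix commit the user now runs, to confirm the update took.
    echo 'guix describe'
}

# Report the daemon socket's mode and owner: a socket reachable by every local
# user is the precondition for the local exploitation path described above.
socket_mode() {
    sock="${1:-/var/guix/daemon-socket/socket}"
    if [ -S "$sock" ]; then
        stat -c '%a %U:%G' "$sock" 2>/dev/null || ls -l "$sock"
    else
        echo "no socket at $sock"
    fi
}

main() {
    mode="$(detect_mode)"
    echo "# detected installation type: $mode"
    echo "# daemon socket: $(socket_mode)"
    if [ "${1:-}" = "--apply" ]; then
        # Run each planned command in order, stopping at the first failure.
        update_plan "$mode" | while IFS= read -r cmd; do
            printf '+ %s\n' "$cmd"
            sh -c "$cmd" || exit 1
        done || return 1
    else
        echo "# planned commands (re-run with --apply to execute):"
        update_plan "$mode"
    fi
}

main "$@"
```

Run it once without arguments to review the plan and the socket permissions, then with --apply to perform the update; the final guix describe output is what to compare against the fixed revision named in the official advisory.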

At the moment, the vulnerabilities do not appear to have CVE numbers assigned, so users and administrators should refer to the official Guix security advisory for the latest status and mitigation details.

For additional details, see the official announcement.

By admin