news: Add entry for the ‘content-addressed-mirrors’ security fix.

* etc/news.scm: Add entry. Change-Id: Ia96a6f80d6ec557e222f2b5ee17e7c79c0eb3cbf
2025-10-02 02:15:12 +00:00 · 2025-09-01 17:29:40 +02:00 · 2025-09-01 17:29:40 +02:00 · db6361bc2b
commit db6361bc2b
parent 1618ca7aa2
1 changed files with 28 additions and 0 deletions
--- a/etc/news.scm
+++ b/etc/news.scm
@ -40,6 +40,34 @@
 (channel-news
 (version 0)

+ (entry (commit "1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45")
+        (title
+         (en "New @command{guix-daemon} privilege escalation vulnerability
+fixed"))
+        (body
+         (en "A new vulnerability was identified and fixed in the build
+daemon, @command{guix-daemon} (CVE ID assignment pending).  Everyone is
+strongly advised to upgrade @command{guix-daemon}.  Guix System users can do
+this with commands along these lines:
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+If you are using Guix on another distro, run @command{info \"(guix) Upgrading
+Guix\"} or visit
+@uref{https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html} to
+learn how to upgrade Guix.
+
+This vulnerability lies in the @code{builtin:download} derivation builder:
+anyone with access to the daemon can craft a @code{content-addressed-mirrors}
+Scheme procedure that the daemon will execute as a build user (or as the
+daemon user, when running @command{guix-daemon} unprivileged).  An attacker
+could use this to gain build user privileges and thereafter compromise builds
+performed on the system.  See @uref{https://codeberg.org/guix/guix/pulls/2419}
+for more information.")))
+
 (entry (commit "3e45fc0f37d027516ac3d112ca7768d698eeac74")
        (title
         (en "All Rust applications repackaged")