From fbdf9d4ba99115c3cd0ef38919c0c67976ee76aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Sat, 21 Jun 2025 10:49:28 +0200 Subject: [PATCH] =?UTF-8?q?news:=20Add=20entry=20for=20=E2=80=98guix-daemo?= =?UTF-8?q?n=E2=80=99=20vulnerability=20fix.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * etc/news.scm: Add entry. Change-Id: I7f143c268070a6fbcc1a343374ee4443add60bc2 Signed-off-by: John Kehayias --- etc/news.scm | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/etc/news.scm b/etc/news.scm index e1906823825..7901aab390a 100644 --- a/etc/news.scm +++ b/etc/news.scm 
@@ -38,6 +38,39 @@ (channel-news (version 0) + + (entry (commit "30a5d140aa5a789a362749d057754783fea83dde") + (title + (en "@command{guix-daemon} privilege escalation vulnerabilities +fixed (CVE-2025-46415, CVE-2025-46416)")) + (body + (en "Vulnerabilities in the build daemon, @command{guix-daemon}, were +identified and fixed. One vulnerability would allow any user on the system +that can interact with the daemon to potentially corrupt new packages built +locally (CVE-2025-46416). With the other vulnerability (CVE-2025-46415), if +@command{guix-daemon} is running as root, it is also possible to escalate to +root privileges. CVE-2025-52991, CVE-2025-52992, and CVE-2025-52993 were +identified as additional opportunities that could have prevented the proposed +exploits. + +Everyone is strongly advised to upgrade @command{guix-daemon}. Guix System +users can do this with commands along these lines: + +@example +sudo guix system reconfigure /run/current-system/configuration.scm +sudo herd restart guix-daemon +@end example + +If you are using Guix on another distro, run @command{info \"(guix) Upgrading +Guix\"} or visit +@uref{https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html} to +learn how to upgrade Guix. + +The root cause of the vulnerability was the ability of a @dfn{fixed-output +derivation} build process to smuggle a file descriptor to the store or to a +setuid program to an outside process @i{via} an abstract Unix-domain socket. +See @uref{https://codeberg.org/guix/guix/pulls/788} for more information."))) + (entry (commit "78d4b1e52c731502b29288ab6975bd9efa91392a") (title (en "New services for /etc/profile.d and /etc/bashrc.d")
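Review bot: The sentence "CVE-2025-52991, CVE-2025-52992, and CVE-2025-52993 were identified as additional opportunities that could have prevented the proposed exploits" in the new entry body is ambiguous: it reads as though the CVEs themselves prevent exploitation, and it does not say whether these three issues are fixed by the commit named in the entry. Suggest stating plainly what they are and their status, e.g. "Three further weaknesses (CVE-2025-52991, CVE-2025-52992, CVE-2025-52993) that would have blocked the proposed exploits were identified and fixed alongside them" if that is the case. A smaller wording point in the last paragraph: "The root cause of the vulnerability" is singular although the entry describes two CVEs; either name the one it refers to or say "vulnerabilities", since the abstract Unix-domain socket file-descriptor smuggling appears to underlie both.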