Your message dated Mon, 22 Apr 2024 20:34:14 +0000
with message-id <e1rz0mg-0061ed...@fasolo.debian.org>
and subject line Bug#1066113: fixed in guix 1.4.0-3+deb12u1
has caused the Debian Bug report #1066113,
regarding guix: CVE-2024-27297
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.2.0-4+deb11u1


Hi,

Vagrant, knowing that you are aware already, but filing for having a
Debian bug tracking reference.

The following vulnerability was published for guix.

CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. Fixed-
| output derivations on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows modifying the output of the derivation after
| Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18, 2.18.2, 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
    https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
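The CVE text above describes a "register, then trust" problem: once the daemon has recorded a fixed-output path as valid, a descriptor leaked from the build can still rewrite its bytes. The following is an added illustration, not code from the bug report or from guix-daemon: it simulates the leak with a plain held-open descriptor (no socket passing), shows that a later content re-check detects the tampering, and shows one mitigation idea, copying the output to fresh inodes before registration so the leaked descriptor only reaches the discarded original. The directory hash is a simplified stand-in for NAR hashing, and the copy-before-register step is presented as an assumption about how such a fix can work, not as the actual Debian patch.

```python
import hashlib
import os
import shutil
import tempfile


def tree_hash(root):
    """Hash relative paths and file bytes in sorted order (constructed scheme)."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            h.update(os.path.relpath(path, root).encode() + b"\0")
            with open(path, "rb") as f:
                h.update(f.read() + b"\0")
    return h.hexdigest()


def build_output(root):
    """Simulated fixed-output builder: writes the expected bytes and leaks an fd."""
    os.makedirs(root, exist_ok=True)
    path = os.path.join(root, "source.tar")
    with open(path, "wb") as f:
        f.write(b"expected tarball bytes")  # constructed sample content
    # A descriptor that outlives the build, standing in for the escaped fd.
    return os.open(path, os.O_WRONLY)


def scenario(copy_before_register):
    """Return True if the registered hash still matches after the leaked fd writes."""
    store = tempfile.mkdtemp()
    out = os.path.join(store, "out")
    fd = build_output(out)
    if copy_before_register:
        # Mitigation (assumed approach): fresh inodes, original tree discarded.
        fresh = os.path.join(store, "out.fresh")
        shutil.copytree(out, fresh)
        shutil.rmtree(out)
        os.rename(fresh, out)
    registered = tree_hash(out)        # the daemon records this as "valid"
    os.pwrite(fd, b"TAMPERED", 0)      # write through the leaked fd afterwards
    os.close(fd)
    ok = tree_hash(out) == registered  # later integrity re-verification
    shutil.rmtree(store)
    return ok
```

Without the copy step the re-check fails, which is the detection signal; with it the leaked descriptor points at an unlinked inode and the registered path is unchanged.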
--- Begin Message ---
Source: guix
Source-Version: 1.4.0-3+deb12u1
Done: Vagrant Cascadian <vagr...@debian.org>

We believe that the bug you reported is fixed in the latest version of
guix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagr...@debian.org> (supplier of updated guix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 17 Apr 2024 14:23:27 -0700
Source: guix
Architecture: source
Version: 1.4.0-3+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Vagrant Cascadian <vagr...@debian.org>
Changed-By: Vagrant Cascadian <vagr...@debian.org>
Closes: 1066113
Changes:
 guix (1.4.0-3+deb12u1) bookworm-security; urgency=medium
 .
   * debian/patches: guix-daemon: Protect against file descriptor escape
     when building fixed-output derivations (CVE-2024-27297).
     (Closes: #1066113)



--- End Message ---