Bug#1066113: marked as done (guix: CVE-2024-27297)

2024-04-22 Thread Debian Bug Tracking System
Your message dated Mon, 22 Apr 2024 21:02:37 +
with message-id 
and subject line Bug#1066113: fixed in guix 1.2.0-4+deb11u2
has caused the Debian Bug report #1066113,
regarding guix: CVE-2024-27297
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.2.0-4+deb11u1


Hi,

Vagrant, knowing that you are aware already, but filing for having a
Debian bug tracking reference.

The following vulnerability was published for guix.

CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. Fixed-output
| derivations on Linux can send file descriptors to files in the Nix
| store to another program running on the host (or another fixed-output
| derivation) via Unix domain sockets in the abstract namespace. This
| makes it possible to modify the output of the derivation after Nix has
| registered the path as "valid" and immutable in the Nix database. In
| particular, this allows the output of fixed-output derivations to be
| modified from their expected content. This issue has been addressed in
| versions 2.3.18, 2.18.2, 2.19.4 and 2.20.5. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: guix
Source-Version: 1.2.0-4+deb11u2
Done: Vagrant Cascadian 

We believe that the bug you reported is fixed in the latest version of
guix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian  (supplier of updated guix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Apr 2024 15:39:38 -0700
Source: guix
Architecture: source
Version: 1.2.0-4+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Vagrant Cascadian 
Changed-By: Vagrant Cascadian 
Closes: 1066113
Changes:
 guix (1.2.0-4+deb11u2) bullseye-security; urgency=medium
 .
   * debian/patches: guix-daemon: Protect against file descriptor escape
 when building fixed-output derivations (CVE-2024-27297).
 (Closes: #1066113)

Bug#1066113: marked as done (guix: CVE-2024-27297)

2024-04-22 Thread Debian Bug Tracking System
Your message dated Mon, 22 Apr 2024 20:34:14 +
with message-id 
and subject line Bug#1066113: fixed in guix 1.4.0-3+deb12u1
has caused the Debian Bug report #1066113,
regarding guix: CVE-2024-27297
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: guix
Source-Version: 1.4.0-3+deb12u1
Done: Vagrant Cascadian 

We believe that the bug you reported is fixed in the latest version of
guix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian  (supplier of updated guix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Apr 2024 14:23:27 -0700
Source: guix
Architecture: source
Version: 1.4.0-3+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Vagrant Cascadian 
Changed-By: Vagrant Cascadian 
Closes: 1066113
Changes:
 guix (1.4.0-3+deb12u1) bookworm-security; urgency=medium
 .
   * debian/patches: guix-daemon: Protect against file descriptor escape
 when building fixed-output derivations (CVE-2024-27297).
 (Closes: #1066113)