Your message dated Sat, 16 Mar 2024 01:03:52 +0000
with message-id <[email protected]>
and subject line Bug#1066113: fixed in guix 1.4.0-6
has caused the Debian Bug report #1066113,
regarding guix: CVE-2024-27297
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1066113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066113
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.2.0-4+deb11u1


Hi,

Vagrant, knowing that you are aware already, but filing for having a
Debian bug tracking reference.

The following vulnerability was published for guix.

CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. Fixed-
| output derivations on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows modifying the output of the derivation after
| Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18, 2.18.2, 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
    https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
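The CVE text above describes the failure mode: a build keeps a handle to its own output open, the daemon records the path's hash as "valid", and the content is then changed behind the database's back. The detective control against this is to recompute the content hash of a registered path and compare it with what was recorded. The following is an added example (not from the bug report, Guix or Nix); it uses a simplified deterministic tree serialization as a stand-in for the real NAR encoding, and the `StoreDB` class and the `abc123-example-1.0` path are constructed for illustration.

```python
"""
Detect post-registration tampering of a content-addressed store path.

Added example, not part of the Debian bug report or of Guix/Nix itself.
The serialization below is a simplified stand-in for the NAR format that
Nix and Guix actually hash (assumption: it is NOT the real NAR encoding).
The point it demonstrates: a fixed-output path's hash is recorded once at
registration time, so the check is to recompute it and compare.
"""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from pathlib import Path


def tree_hash(root: Path) -> str:
    """Hash a file tree deterministically: entries sorted by name, with the
    entry type, executable bit, relative name and content all bound in."""
    h = hashlib.sha256()

    def visit(path: Path, rel: str) -> None:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            h.update(b"symlink\0" + rel.encode() + b"\0" + os.readlink(path).encode() + b"\0")
        elif stat.S_ISDIR(st.st_mode):
            h.update(b"dir\0" + rel.encode() + b"\0")
            for child in sorted(path.iterdir(), key=lambda p: p.name):
                visit(child, f"{rel}/{child.name}" if rel else child.name)
            h.update(b"end\0")
        elif stat.S_ISREG(st.st_mode):
            executable = b"x" if st.st_mode & stat.S_IXUSR else b"-"
            h.update(b"file\0" + rel.encode() + b"\0" + executable + b"\0")
            h.update(str(st.st_size).encode() + b"\0")
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            h.update(b"\0")
        else:
            raise ValueError(f"unsupported file type: {path}")

    visit(root, "")
    return h.hexdigest()


class StoreDB:
    """Constructed stand-in for the daemon's 'valid paths' table:
    store path -> content hash recorded at registration time."""

    def __init__(self) -> None:
        self.valid: dict[str, str] = {}

    def register(self, path: Path) -> str:
        digest = tree_hash(path)
        self.valid[str(path)] = digest
        return digest

    def verify_contents(self, path: Path) -> bool:
        """Recompute the hash and compare with the registered one."""
        return tree_hash(path) == self.valid[str(path)]


def demo() -> tuple[bool, bool]:
    """Build a constructed store path, register it, then modify it through
    a file handle after registration. Returns (verified_before, verified_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "abc123-example-1.0"   # constructed store path name
        (out / "bin").mkdir(parents=True)
        tool = out / "bin" / "tool"
        tool.write_bytes(b"#!/bin/sh\necho ok\n")
        tool.chmod(0o755)
        (out / "README").write_text("constructed sample output\n")

        db = StoreDB()
        db.register(out)
        before = db.verify_contents(out)

        # Modification after registration: the recorded hash no longer matches.
        with open(tool, "r+b") as fd:
            fd.seek(0, os.SEEK_END)
            fd.write(b"echo changed\n")
        after = db.verify_contents(out)
        return before, after


if __name__ == "__main__":
    print(demo())
```

On a real system the same check is `guix gc --verify=contents` (Guix) or `nix-store --verify --check-contents` (Nix). Note what it can and cannot do: it finds paths whose content diverged from the hash recorded at registration, but only if the recorded hash itself was taken from untampered content; the patch named in the changelog below (preventing the descriptor escape at build time) is the preventive control, and the content verification is the detective one.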
--- Begin Message ---
Source: guix
Source-Version: 1.4.0-6
Done: Vagrant Cascadian <[email protected]>

We believe that the bug you reported is fixed in the latest version of
guix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <[email protected]> (supplier of updated guix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Mar 2024 15:06:42 -0700
Source: guix
Architecture: source
Version: 1.4.0-6
Distribution: unstable
Urgency: medium
Maintainer: Vagrant Cascadian <[email protected]>
Changed-By: Vagrant Cascadian <[email protected]>
Closes: 1041398 1044595 1066113
Changes:
 guix (1.4.0-6) unstable; urgency=medium
 .
   * debian/patches: guix-daemon: Protect against file descriptor escape
     when building fixed-output derivations (CVE-2024-27297).
     (Closes: #1066113)
   * debian/patches: Temporarily disable tests to workaround
     https://bugs.debian.org/1064748
   * debian/patches: systemd services: switch to "journal" for output and
     error logging. (Closes: #1041398)
   * debian/rules: Add dh_auto_clean override to remove cruft from the
     build. (Closes: #1044595)
   * debian/rules: Add build profile to enable parallel build.
Checksums-Sha1:
 966721a9518b0bd912d482b018ec2814fc7e9efd 1874 guix_1.4.0-6.dsc
 9a5248508f889c3d23985c8c922b732d7646f383 62748 guix_1.4.0-6.debian.tar.xz
 6cf0f5b6aa411c3ab976d273eae19cb157ebbe8c 11279 guix_1.4.0-6_amd64.buildinfo
Checksums-Sha256:
 f437ce38183067ad5ff09ba302e463dfac2273a7fc165d7eb4042c6fbc8040ae 1874 guix_1.4.0-6.dsc
 d54696b076cbcd4a1cb58c2671be044b212643d4dbd689acba8687b058ec6f59 62748 guix_1.4.0-6.debian.tar.xz
 7cd52ec33940be968db06185b9983304a165d92ffbee0c60559982ebb879156a 11279 guix_1.4.0-6_amd64.buildinfo
Files:
 b8fe1ea63f646d7a044e787d51a08776 1874 admin optional guix_1.4.0-6.dsc
 fd80ef6cde925d26b74a14386665174c 62748 admin optional guix_1.4.0-6.debian.tar.xz
 fd5663cd3430f9b8b896fa5aac714971 11279 admin optional guix_1.4.0-6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIkEARYKADEWIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZfTMTRMcdmFncmFudEBk
ZWJpYW4ub3JnAAoJENxRj8h/lxaqDmYBAPFQ5GxKTvl+rXAw26O0UMk3I3JQTULn
0An5GilJJ24cAP9Ulv665buZKShzXxJcRzU8/VT9ru64cDdAJIKdLHPzAA==
=yrme
-----END PGP SIGNATURE-----



--- End Message ---
