Source: guix
Version: 1.4.0-9
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://codeberg.org/guix/guix/pulls/2419
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for guix.

CVE-2025-59378[0]:
| In guix-daemon in GNU Guix before 1618ca7, a content-addressed-
| mirrors file can be written to create a setuid program that allows a
| regular user to gain the privileges of the build user that runs it
| (even after the build has ended).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59378
    https://www.cve.org/CVERecord?id=CVE-2025-59378
[1] https://codeberg.org/guix/guix/pulls/2419
[2] https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerability-2025-2/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
