guix_mirror_bot pushed a commit to branch master in repository guix. commit db6361bc2bf3416fde9fda6f51b49192f17022af Author: Ludovic Courtès <l...@gnu.org> AuthorDate: Mon Sep 1 17:29:40 2025 +0200
news: Add entry for the ‘content-addressed-mirrors’ security fix. * etc/news.scm: Add entry. Change-Id: Ia96a6f80d6ec557e222f2b5ee17e7c79c0eb3cbf --- etc/news.scm | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/etc/news.scm b/etc/news.scm index c7b292d617..0a367cc95d 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -40,6 +40,34 @@ (channel-news (version 0) + (entry (commit "1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45") + (title + (en "New @command{guix-daemon} privilege escalation vulnerability +fixed")) + (body + (en "A new vulnerability was identified and fixed in the build +daemon, @command{guix-daemon} (CVE ID assignment pending). Everyone is +strongly advised to upgrade @command{guix-daemon}. Guix System users can do +this with commands along these lines: + +@example +sudo guix system reconfigure /run/current-system/configuration.scm +sudo herd restart guix-daemon +@end example + +If you are using Guix on another distro, run @command{info \"(guix) Upgrading +Guix\"} or visit +@uref{https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html} to +learn how to upgrade Guix. + +This vulnerability lies in the @code{builtin:download} derivation builder: +anyone with access to the daemon can craft a @code{content-addressed-mirrors} +Scheme procedure that the daemon will execute as a build user (or as the +daemon user, when running @command{guix-daemon} unprivileged). An attacker +could use this to gain build user privileges and thereafter compromise builds +performed on the system. See @uref{https://codeberg.org/guix/guix/pulls/2419} +for more information."))) + (entry (commit "3e45fc0f37d027516ac3d112ca7768d698eeac74") (title (en "All Rust applications repackaged")
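Review bot: the body tells everyone to upgrade @command{guix-daemon} but gives no way to confirm that the running daemon actually carries the fix, even though the entry header already names the fixing commit (1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45). After the two Guix System commands, consider one sentence saying that @command{guix system describe} should report a Guix commit at or after that one; otherwise a user who ran @command{guix pull} but skipped the reconfigure/restart step reads this entry and believes they are done while the old daemon keeps running. The same applies to the foreign-distro paragraph: since the vulnerable code is in @code{builtin:download} inside the daemon rather than in the client, a short reminder that it is root's @command{guix pull} followed by a restart of the daemon service that matters (the linked Upgrading Guix section covers it, but readers acting on a security notice should not need the hop) would be worth the extra line. Finally, "(CVE ID assignment pending)" is fine for now but needs a follow-up commit to this entry once the ID is issued, so it may be worth tracking that in the pull request linked at the end of the body.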