bug#37662: substitution failure of nss-certs

2019-10-16 Thread Ben Sturmfels
On 16/10/19 06:50, Arun Isaac wrote: > > Josh Holland writes: > >> Ludovic Courtès writes: >>> I suppose the error here is because your daemon is missing its UTF-8 >>> locales. >>> >>> This could be because you upgraded the daemon but did not upgrade the >>> ‘glibc-utf8-locales’ or

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
On Thu, Oct 17, 2019 at 04:58:19AM +0200, pelzflorian (Florian Pelz) wrote: > On Wed, Oct 16, 2019 at 11:39:37PM +0200, Ludovic Courtès wrote: > > I committed this with minor changes (removed “sudo”, etc.), but the > > translation corresponds to the first version of the entry. Please feel > >

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
On Wed, Oct 16, 2019 at 11:39:37PM +0200, Ludovic Courtès wrote: > I committed this with minor changes (removed “sudo”, etc.), but the > translation corresponds to the first version of the entry. Please feel > free to commit changes directly to update it! > Oh no, it seems my message did not

bug#37662: substitution failure of nss-certs

2019-10-16 Thread Bengt Richter
On +2019-10-16 23:25:55 +0100, Josh Holland wrote: > > Hi Ludovic, > > Ludovic Courtès writes: > > > > cat /proc/PID/environ | xargs -0 echo > > > > LANG=en_GB.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/bin > INVOCATION_ID=1518aca749efa1593610e892c3a0 JOURNAL_STREAM=9:19872 >

bug#37662: substitution failure of nss-certs

2019-10-16 Thread Josh Holland
Hi Ludovic, Ludovic Courtès writes: > > cat /proc/PID/environ | xargs -0 echo > LANG=en_GB.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/bin INVOCATION_ID=1518aca749efa1593610e892c3a0 JOURNAL_STREAM=9:19872 GUIX_LOCPATH=/var/guix/profiles/per-user/root/guix-profile/lib/locale

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
I pushed the fix as 81c580c8664bfeeb767e2c47ea343004e88223c7, followed by an update of the ‘guix’ package in e63b31443b29b7793e73ab04798220edc6e564fc. Thanks everyone! Ludo’.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Tobias Geerinckx-Rice writes: > Let's try that again: Committed on your behalf, thanks! :-)

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hi Florian, "pelzflorian (Florian Pelz)" writes: >>From 14d4d176bae1e67c627a169c881720f3f9fb3904 Mon Sep 17 00:00:00 2001 > From: Florian Pelz > Date: Wed, 16 Oct 2019 16:37:27 +0200 > Subject: [PATCH] nls: Update 'de' translation of news entries. > > * etc/news.scm: Add new 'de' translation.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Julien Lepiller writes: > for French (don't hesitate to rework the text if you find fault with it :)): Pushed on your behalf, merci ! :-) Ludo'.

bug#37662: substitution failure of nss-certs

2019-10-16 Thread Ludovic Courtès
Hi Josh, Josh Holland writes: > Ludovic Courtès writes: >> I suppose the error here is because your daemon is missing its UTF-8 >> locales. >> >> This could be because you upgraded the daemon but did not upgrade the >> ‘glibc-utf8-locales’ or ‘glibc-locales’ you installed as root, no? > >

bug#37739: System install issue: 'You have a memory leak'

2019-10-16 Thread Ludovic Courtès
Hi Seswu, "Seswu M. Fafnan" writes: > Late in the evening, with help from leoprikler at irc #guix, a workaround was > found; going manual, which had until then been too overwhelming for me to > face. > I just wrote a bit on that as extra information to the bug report, but will > quote it

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Ludovic Courtès writes: > In addition to the news entry that ‘guix pull’ will display, we may want > to publicize the issue. In particular, should we: > > 1. Apply for a new CVE? I went ahead and asked for a CVE ID via . Ludo’.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Julien Lepiller
On Wed, 16 Oct 2019 19:05:44 +0200, Ludovic Courtès wrote: > Hi! > > Thanks for your feedback Tobias, Florian, and Julien! > > Taking that into account, I propose this (I’ve also changed the title > to make it hopefully clearer): > > --8<---cut

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Let's try that again: (nl "Onveilige @file{/var/guix/profiles/per-user}-rechten")) (nl "Het standaard gebruikersprofiel, @file{~/.guix-profile}, verwijst naar @file{/var/guix/profiles/per-user/$USER}. Tot op heden kon om het even wie in @file{/var/guix/profiles/per-user}

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Ludo', Ludovic Courtès wrote: Taking that into account, I propose this (I’ve also changed the title to make it hopefully clearer): Here's my NL translation: (nl "Onveilige @file{/var/guix/profiles/per-user}-rechten")) (nl "Het standaard gebruikersprofiel,

bug#37662: substitution failure of nss-certs

2019-10-16 Thread Josh Holland
Hi Arun, Arun Isaac writes: > I install glibc-locales as a system-wide package in my operating-system > configuration. Perhaps that's what Ludo meant to say. I probably should have mentioned in my initial report that this is Guix running on top of a foreign distro (Arch). -- Josh Holland

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hi! Thanks for your feedback Tobias, Florian, and Julien! Taking that into account, I propose this (I’ve also changed the title to make it hopefully clearer): --8<---cut here---start->8--- (entry (commit "FIXME") (title (en "Insecure

bug#37775: Python 2.7 not configured for Tk

2019-10-16 Thread Brian Leung
Thanks! On Wed, Oct 16, 2019 at 3:50 PM Jesse Gibbons wrote: > On Wed, 2019-10-16 at 00:38 -0700, Brian Leung wrote: > > Hi Guix, > > > > Python 2.7 doesn't seem like it handles Tk properly right now, at least > on > > my machine: > > > > >>> import Tkinter > > Traceback (most recent call

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Julien Lepiller
On 16 October 2019 12:22:33 GMT+02:00, "Ludovic Courtès" wrote: >Hello! > >Here’s a patch that fixes the issue, partly based on what the Nix folks >did. > >For the client-connecting-over-TCP case, I added special handling: >‘set-build-options’ now passes a “user-name” property, potentially

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
On Wed, Oct 16, 2019 at 04:22:21PM +0200, pelzflorian (Florian Pelz) wrote: > Why sudo guix pull? It should be without sudo, am I wrong? > The attached patch adds a German translation. Please remove the last sudo from the de translation too if you agree that it is wrong. Regards, Florian

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
pelzflorian (Florian Pelz) wrote: On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote: blah blah blah Sorry for being imprecise. I meant on Guix System. Sorry for misreading, you're right that it shouldn't be needed (or recommended IMO). Kind regards, T G-R

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote: > pelzflorian (Florian Pelz) wrote: > > Why sudo guix pull? It should be without sudo, am I wrong? > > Guix on ‘foreign’ distributions uses the root profile for the daemon by > default (i.e. in guix-daemon.service). > Sorry

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
pelzflorian, pelzflorian (Florian Pelz) wrote: Why sudo guix pull? It should be without sudo, am I wrong? Guix on ‘foreign’ distributions uses the root profile for the daemon by default (i.e. in guix-daemon.service). You could change this to a regular user's profile, but that amounts to

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
Thank you for ensuring security issues are fixed. On Wed, Oct 16, 2019 at 12:22:33PM +0200, Ludovic Courtès wrote: > +This is now fixed by letting @command{guix-daemon} create these directories > on > +behalf of users and removing the world-writable permissions on > +@code{per-user}. On

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Ludo', That was swift, thanks! IANAC++. Ludovic Courtès wrote: diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 3b08492c64..3793382361 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool

bug#37775: Python 2.7 not configured for Tk

2019-10-16 Thread Jesse Gibbons
On Wed, 2019-10-16 at 00:38 -0700, Brian Leung wrote: > Hi Guix, > > Python 2.7 doesn't seem like it handles Tk properly right now, at least on > my machine: > > >>> import Tkinter > Traceback (most recent call last): > File "", line 1, in > File

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hello! In addition to the news entry that ‘guix pull’ will display, we may want to publicize the issue. In particular, should we: 1. Apply for a new CVE? 2. Post an article on the blog to explain in detail what happened? That should probably include an analysis like that at

bug#37775: Python 2.7 not configured for Tk

2019-10-16 Thread Brian Leung
Hi Guix, Python 2.7 doesn't seem like it handles Tk properly right now, at least on my machine: >>> import Tkinter Traceback (most recent call last): File "", line 1, in File "/gnu/store/h2crv1mpc5qi05xdnn84fjp9g4gyicsl-python2-2.7.16/lib/python2.7/lib-tk/Tkinter.py", line 39, in

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hi Tobias, Tobias Geerinckx-Rice writes: > No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’. > > Of course the remote daemon doesn't trust me beyond pre-creating an > empty per-user directory owned by the local "ludo" user only if such a > user exists. It doesn't even report success or