From: Ludovic Courtès
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 09:47:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello Guix,

That the per-user profile directory is world-writable allows an attacker to hijack code run by other users, as has been reported in the context of Nix:

  https://www.openwall.com/lists/oss-security/2019/10/09/4

I believe it applies to Guix as well. Nix people are tracking it here:

  https://github.com/NixOS/nix/pull/3134
  https://github.com/NixOS/nix/issues/509

Looks like we’ll need to do something similar to: <https://github.com/NixOS/nix/pull/3136/commits/5a303093dcae1e5ce9212616ef18f2ca51020b0d>.

Thoughts?

Thanks,
Ludo’.
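
A defensive audit of the condition described in the message above, as an added example (not code from the message, Guix or Nix): it reports a world-writable per-user directory and any entry whose owner does not match the account it is named after. The directory path is supplied by the caller; the entry-name-equals-user-name layout and the names `audit_per_user_dir`, `uid_of` and `demo` are assumptions made for illustration.

```python
import os
import pwd
import stat
import tempfile


def _system_uid(name):
    """Map a user name to its uid, or None if no such account exists."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_per_user_dir(path, uid_of=_system_uid):
    """Return (entry, problem) findings for a per-user profile directory."""
    findings = []
    mode = os.lstat(path).st_mode
    if mode & stat.S_IWOTH:
        # The sticky bit only restricts delete/rename; any local user can
        # still create an entry named after someone else.
        sticky = "sticky" if mode & stat.S_ISVTX else "no sticky bit"
        findings.append((".", f"world-writable ({sticky})"))
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        expected = uid_of(name)  # assumption: entry name == user name
        if not stat.S_ISDIR(st.st_mode):
            findings.append((name, "not a real directory"))
        if expected is None:
            findings.append((name, "no matching account"))
        elif st.st_uid != expected:
            findings.append((name, f"owned by uid {st.st_uid}, expected {expected}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable by group or others"))
    return findings


def demo():
    """Constructed fixture: 'bob' was pre-created by another uid (ours)."""
    me = os.geteuid()
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o1777)
        for name in ("alice", "bob"):
            os.mkdir(os.path.join(root, name), 0o755)
            os.chmod(os.path.join(root, name), 0o755)
        return audit_per_user_dir(root, {"alice": me, "bob": me + 1}.get)


if __name__ == "__main__":
    for entry, problem in demo():
        print(f"{entry}: {problem}")
```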