
04/04: news: Add entry for user account activation vulnerability.


From: guix-commits
Subject: 04/04: news: Add entry for user account activation vulnerability.
Date: Sat, 3 Apr 2021 16:10:41 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix.

commit 72f911bf059ec3d984dbc2d22e02165940cb9983
Author: Maxime Devos <maximedevos@telenet.be>
AuthorDate: Sat Apr 3 12:19:10 2021 +0200

    news: Add entry for user account activation vulnerability.
    
    * etc/news.scm: Add entry.
    
    Co-authored-by: Ludovic Courtès <ludo@gnu.org>
---
 etc/news.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index 6d7a4a9..9b23c7c 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -13,6 +13,7 @@
 ;; Copyright © 2021 Leo Famulari <leo@famulari.name>
 ;; Copyright © 2021 Zhu Zihao <all_but_last@163.com>
 ;; Copyright © 2021 Chris Marusich <cmmarusich@gmail.com>
+;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;
 ;; Copying and distribution of this file, with or without modification, are
 ;; permitted in any medium without royalty provided the copyright notice and
@@ -21,6 +22,26 @@
 (channel-news
  (version 0)
 
+ (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586")
+        (title
+         (en "Risk of local privilege escalation during user account 
creation"))
+        (body
+         (en "A security vulnerability that can lead to local privilege
+escalation has been found in the code that creates user accounts on Guix
+System---Guix on other distros is unaffected.  The system is only vulnerable
+during the activation of user accounts that do not already exist.
+
+The attack can happen when @command{guix system reconfigure} is running.
+Running @command{guix system reconfigure} can trigger the creation of new user
+accounts if the configuration specifies new accounts.  If a user whose account
+is being created manages to log in after the account has been created but
+before ``skeleton files'' have been copied to its home directory, they may, by
+creating an appropriately-named symbolic link in the home directory pointing
+to a sensitive file, such as @file{/etc/shadow}, get root privileges.
+
+See @uref{https://issues.guix.gnu.org/47584} for more information on this
+bug.")))
+
  (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06")
         (title
          (en "New supported platform: powerpc64le-linux")
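Review bot: The new entry's body describes the exposure window but gives the reader no action to take. Nothing in the `(en "A security vulnerability ...")` text says whether the commit named in the entry's `(commit ...)` field contains the fix, or that Guix System users should update before running @command{guix system reconfigure} with new accounts in their configuration. Consider adding a closing sentence that states the fix status and the recommended upgrade step. Since the text says the risk only exists while a not-yet-existing account is being activated, it may also be worth saying whether systems that have already created all their accounts need to do anything. Separately, the title string is shown split across two lines, with the continuation `creation"))` lacking a `+` prefix; if that break is in the patch itself and not mail wrapping, join the title onto one line.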


