Guix substitute and guix pull vulnerabilities
7 hours ago
- #guix
- #vulnerability
- #security
- The guix substitute utility has vulnerabilities enabling remote privilege escalation, store corruption, and file disclosure, affecting all systems with or without root privileges.
- Exploitation requires the victim to download a binary substitute; any substitute server or man-in-the-middle (MITM) can mount the attack, even over HTTPS, while local exploitation requires socket access.
- guix pull and guix time-machine have a vulnerability in which control over a channels file allows creating or overwriting files, mainly posing a denial-of-service risk.
- Four specific vulnerabilities are detailed: restore-file is not hardened, fetch-narinfos does not verify URLs, file:// URIs are mishandled, and cache keys are misused.
- Mitigation includes disabling substitutes with --no-substitutes, avoiding untrusted channels files, and updating to fixed commits via guix pull and daemon restart.
- Fixes involve hardening restore-file, verifying narinfos, restricting file:// URIs, and modifying cache-key derivation to prevent directory traversal.
- Upgrading instructions vary for Guix System and other distributions, emphasizing immediate updates and cautious substitute use during the process.
- Timeline shows discovery from May to June 2026, with coordinated disclosure and fixes via pull request #9665.
- A test script is provided to check vulnerability status, with code included for validation.
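The fix areas listed above (hardening restore-file, verifying narinfo URLs, rejecting file:// URIs, and deriving cache keys that cannot traverse directories) correspond to three defensive checks; the following is an added, constructed illustration of those checks, not Guix's own code, and all function names, the substitute server URL and the cache directory are hypothetical.

```python
"""Constructed defensive checks mirroring the advisory's fix areas; this is
not Guix code and the function names are hypothetical."""
import hashlib
import os
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}  # file:// is never a valid nar URL here


def safe_nar_entry_name(name: str) -> bool:
    """A nar directory entry must be exactly one path component."""
    return name not in ("", ".", "..") and "/" not in name and "\0" not in name


def restore_path(root: str, parts: list[str]):
    """Destination for a nar entry under root, or None if any component is
    unsafe or the resolved path would land outside root."""
    if not all(safe_nar_entry_name(p) for p in parts):
        return None
    root = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root, *parts))
    return dest if os.path.commonpath([root, dest]) == root else None


def resolve_nar_url(server: str, url: str):
    """Resolve the URL field of a narinfo against the substitute server it
    came from; accept it only if it stays on that server over http(s)."""
    full = urlparse(urljoin(server, url))
    origin = urlparse(server)
    if full.scheme not in ALLOWED_SCHEMES:
        return None
    if (full.scheme, full.netloc) != (origin.scheme, origin.netloc):
        return None
    return full.geturl()


def cache_path(cache_dir: str, key: str) -> str:
    """Name a cache entry by the hash of its key, so that a key containing
    '..' or '/' can never select a file outside cache_dir."""
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
    return os.path.join(cache_dir, digest[:2], digest[2:])


if __name__ == "__main__":
    # Hypothetical root, server and cache directory used for demonstration.
    print(restore_path("/tmp/guix-restore", ["bin", "guile"]))
    print(restore_path("/tmp/guix-restore", ["..", "etc", "passwd"]))
    print(resolve_nar_url("https://ci.example.org", "nar/zstd/abc.nar.zst"))
    print(resolve_nar_url("https://ci.example.org", "file:///etc/passwd"))
    print(cache_path("/var/cache/guix/substitute", "../../etc/passwd"))
```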