Hasty Briefs

Guix substitute and guix pull vulnerabilities

7 hours ago
  • #guix
  • #vulnerability
  • #security
  • The guix substitute utility has vulnerabilities enabling remote privilege escalation, store corruption, and file disclosure; all systems are affected, whether or not the daemon runs with root privileges.
  • Exploitation requires downloading a binary substitute; any substitute server or man-in-the-middle attacker can exploit it, even over HTTPS, while local exploitation requires socket access.
  • guix pull and guix time-machine have a vulnerability through which whoever controls a channels file can create or overwrite files, mainly a denial-of-service risk.
  • Four specific vulnerabilities are detailed: restore-file not hardened, fetch-narinfos not verifying URLs, file:// URI issues, and cache-key misuse.
  • Mitigation includes disabling substitutes with --no-substitutes, avoiding untrusted channels files, updating to the fixed commits via guix pull, and restarting the daemon.
  • Fixes involve hardening restore-file, verifying narinfos, restricting file:// URIs, and modifying cache-key derivation to prevent directory traversal.
  • Upgrading instructions vary for Guix System and other distributions, emphasizing immediate updates and cautious substitute use during the process.
  • Timeline shows discovery from May to June 2026, with coordinated disclosure and fixes via pull request #9665.
  • A test script is provided to check vulnerability status, with code included for validation.