Your message dated Sun, 28 Mar 2021 03:48:34 +0000
with message-id <e1lqmpi-000bef...@fasolo.debian.org>
and subject line Bug#985467: fixed in guix 1.2.0-4
has caused the Debian Bug report #985467,
regarding guix: Risk of local privilege escalation via guix-daemon
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: guix
Version: 1.2.0-3
Severity: important

Dear Maintainer,

Hi,

I saw an announcement that there is a risk of local privilege escalation via
the guix daemon.

https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/

It says that "Machines where the Linux protected hardlinks feature is enabled,
which is common, are also unaffected — this is the case when the contents of
/proc/sys/fs/protected_hardlinks are 1." which appears to be true on my system.

We probably should still apply the fix to our guix-daemon.

Thanks
Diane

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-debug'), (500, 'testing'),
(500, 'stable'), (110, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-4-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages guix depends on:
ii  guile-2.2       2.2.7+1-5.4
ii  guile-2.2-libs  2.2.7+1-5.4
ii  guile-gcrypt    0.3.0-3
ii  guile-git       0.4.0-3
ii  guile-gnutls    3.7.0-7
ii  guile-json      4.3.2-2
ii  guile-lzlib     0.0.2-2
ii  guile-sqlite3   0.1.3-2
ii  guile-ssh       0.13.1-4
ii  guile-zlib      0.0.1-3
ii  libbz2-1.0      1.0.8-4
ii  libc6           2.31-9
ii  libgcc-s1       10.1.0-1
ii  libgcrypt20     1.8.7-3
ii  libsqlite3-0    3.34.1-3
ii  libssh-dev      0.9.5-1
ii  libstdc++6      10.1.0-1
ii  zlib1g          1:1.2.11.dfsg-2

Versions of packages guix recommends:
ii  nscd     2.31-9
ii  systemd  247.3-1

guix suggests no packages.

--- End Message ---
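
A host check built from the two conditions in the report above (an added example, not part of the original messages and not Debian or Guix code): it reports whether the installed Debian guix package is at or past the fixed version 1.2.0-4 and, if not, whether /proc/sys/fs/protected_hardlinks contains 1. The function names and status strings are this example's own.

```shell
#!/bin/sh
# Added example: classify a Debian host against bug #985467 (guix-daemon).
# FIXED_VERSION is the Debian package version named in the closure notice.
# It says nothing about Guix installed by other means than the Debian package.
FIXED_VERSION="1.2.0-4"

# version_ge A B: succeeds when version A >= version B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Assumption: without dpkg, sort -V ordering is good enough for
        # simple versions such as 1.2.0-3 and 1.2.0-4.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# installed_guix_version: prints the packaged version, or nothing.
installed_guix_version() {
    dpkg-query -W -f='${Version}' guix 2>/dev/null || true
}

# guix_exposure SYSCTL_FILE INSTALLED_VERSION
# Prints one of: not-installed, patched, mitigated-by-sysctl, exposed.
guix_exposure() {
    sysctl_file=$1
    installed=$2
    hardlinks=unknown
    # A missing or unreadable file is treated as "protection not confirmed".
    if [ -r "$sysctl_file" ]; then
        hardlinks=$(tr -d '[:space:]' < "$sysctl_file")
    fi
    if [ -z "$installed" ]; then
        echo "not-installed"
    elif version_ge "$installed" "$FIXED_VERSION"; then
        echo "patched"
    elif [ "$hardlinks" = "1" ]; then
        echo "mitigated-by-sysctl"
    else
        echo "exposed"
    fi
}

guix_exposure /proc/sys/fs/protected_hardlinks "$(installed_guix_version)"
```

A result of `mitigated-by-sysctl` means only the kernel setting covers the host, so the upgrade to 1.2.0-4 is still the fix the report asks for.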
--- Begin Message ---
Source: guix
Source-Version: 1.2.0-4
Done: Vagrant Cascadian <vagr...@debian.org>

We believe that the bug you reported is fixed in the latest version of
guix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagr...@debian.org> (supplier of updated guix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Mar 2021 19:18:29 -0700
Source: guix
Architecture: source
Version: 1.2.0-4
Distribution: unstable
Urgency: medium
Maintainer: Vagrant Cascadian <vagr...@debian.org>
Changed-By: Vagrant Cascadian <vagr...@debian.org>
Closes: 983248 985467 985916
Changes:
 guix (1.2.0-4) unstable; urgency=medium
 .
   * debian/patches: Fix privilege escalation issue in
     guix-daemon. (Closes: #985467)
   * debian/patches: Update init script to fix guix-daemon path. Thanks to
     florine forine. (Closes: #983248)
   * Add README.Debian documenting running with sysvinit and describing
     differences with other methods of installing guix. (Closes: #983248)
   * debian/patches: Adjust init script to use the _guixbuild group.
   * sysusers.d/guix-daemon.conf: Explicitly create _guixbuild group to
     workaround a bug in opensysusers.
   * Install /etc/profile.d/guix.sh to ensure proper functioning of guix
     profiles. (Closes: #985916)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
