Your message dated Mon, 22 Apr 2024 21:02:37 +0000
with message-id <e1rz0o9-0065ss...@fasolo.debian.org>
and subject line Bug#1066113: fixed in guix 1.2.0-4+deb11u2
has caused the Debian Bug report #1066113,
regarding guix: CVE-2024-27297
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.2.0-4+deb11u1


Hi,

Vagrant, knowing that you are aware already, but filing for having a
Debian bug tracking reference.

The following vulnerability was published for guix.

CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. Fixed-
| output derivations on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows the output of the derivation to be modified after
| Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
    https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
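The CVE text quoted above describes a fixed-output derivation's output being altered after the daemon has already recorded the path as valid and immutable. As an added illustration, not code from the Guix package or from this Debian report, the Python below models that situation on a local temporary file: a registration step that hashes the output once and relies on read-only mode bits, a writer whose descriptor outlives registration (a stand-in for the passed-descriptor case, since mode bits do not revoke an already-open descriptor), and an audit that re-hashes registered paths to detect drift. The store layout, function names and file content are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 (stand-in for the store's NAR hash)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def register_fixed_output(path: str, expected_hash: str) -> dict:
    """Mimic the daemon marking a path 'valid': verify once, then record it."""
    if sha256_file(path) != expected_hash:
        raise ValueError("fixed-output hash mismatch at registration")
    os.chmod(path, 0o444)  # the store's 'immutable' convention: read-only bits
    return {"path": path, "hash": expected_hash}


def audit_store(db: list) -> list:
    """Re-hash every registered path; return those that no longer match."""
    return [e["path"] for e in db if sha256_file(e["path"]) != e["hash"]]


def demo() -> tuple:
    """Returns (audit clean right after registration, number drifted later)."""
    content = b"constructed fixed-output artifact\n"  # constructed sample data
    store = tempfile.mkdtemp(prefix="toy-store-")
    path = os.path.join(store, "out")
    # A writer that still holds a descriptor when the path gets registered.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o644)
    os.write(fd, content)
    db = [register_fixed_output(path, hashlib.sha256(content).hexdigest())]
    clean_before = audit_store(db) == []
    # chmod 0444 does not revoke the open descriptor: the write still lands,
    # so the registration-time hash no longer describes the file.
    os.pwrite(fd, b"X", 0)
    os.close(fd)
    drifted = audit_store(db)
    shutil.rmtree(store)
    return clean_before, len(drifted)


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is that a one-time hash check at registration is not a guarantee of later integrity; the daemon-side fix in the changelog below closes the descriptor-escape route, and periodic re-hashing of fixed-output paths is an independent way to detect such drift.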
--- Begin Message ---
Source: guix
Source-Version: 1.2.0-4+deb11u2
Done: Vagrant Cascadian <vagr...@debian.org>

We believe that the bug you reported is fixed in the latest version of
guix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagr...@debian.org> (supplier of updated guix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 17 Apr 2024 15:39:38 -0700
Source: guix
Architecture: source
Version: 1.2.0-4+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Vagrant Cascadian <vagr...@debian.org>
Changed-By: Vagrant Cascadian <vagr...@debian.org>
Closes: 1066113
Changes:
 guix (1.2.0-4+deb11u2) bullseye-security; urgency=medium
 .
   * debian/patches: guix-daemon: Protect against file descriptor escape
     when building fixed-output derivations (CVE-2024-27297).
     (Closes: #1066113)



--- End Message ---
