CVE-2024-52867

Name: CVE-2024-52867
Description: guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3959-1, DSA-5805-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release             | Version          | Status
guix (PTS)     | bullseye            | 1.2.0-4+deb11u2  | vulnerable
               | bullseye (security) | 1.2.0-4+deb11u3  | fixed
               | bookworm            | 1.4.0-3+deb12u1  | vulnerable
               | bookworm (security) | 1.4.0-3+deb12u2  | fixed
               | sid, trixie         | 1.4.0-8          | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version    | Urgency | Origin     | Debian Bugs
guix    | source | bullseye   | 1.2.0-4+deb11u3  |         | DLA-3959-1 |
guix    | source | bookworm   | 1.4.0-3+deb12u2  |         | DSA-5805-1 |
guix    | source | (unstable) | 1.4.0-8          |         |            |

Notes

https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
Fixed by: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=558224140dab669cabdaebabff18504a066c48d4
Fixed by: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5ab3c4c1e43ebb637551223791db0ea3519986e1
