
[Backport release-24.05] guix: backport build user takeover commits #351910

Merged: 2 commits merged into release-24.05 from backport-351655-to-release-24.05 on Oct 29, 2024

Conversation

wegank
Member

@wegank wegank commented Oct 28, 2024

Bot-based Manual backport to release-24.05, triggered by a label in #351655.

  • Before merging, ensure that this backport is acceptable for the release.
    • Even as a non-committer, if you find that it is not acceptable, leave a comment.

Signed-off-by: Christina Sørensen <[email protected]>
(cherry picked from commit 42fee36)
guix has recently announced a security vulnerability that allows
local users to gain privileges of build users, and further manipulate
output of any build (including with setguid).

This commit fixes the issue by backporting the remediation commits pushed to
guix main to 1.4.0 as a patch.

Users will still have to reboot and follow other remediation steps as
described in the guix blogpost.

Refs: https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
Signed-off-by: Christina Sørensen <[email protected]>
(cherry picked from commit 633a3b8)
@wegank wegank added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 28, 2024
@ofborg ofborg bot requested review from foo-dogsquared and cafkafk October 28, 2024 17:56
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels Oct 28, 2024
@cafkafk cafkafk merged commit 827dd72 into release-24.05 Oct 29, 2024
29 of 31 checks passed
@cafkafk cafkafk deleted the backport-351655-to-release-24.05 branch October 29, 2024 06:58