Hi,

The following vulnerabilities were published for guix.

CVE-2025-46415[0], CVE-2025-46416[1], CVE-2025-52991[2], CVE-2025-52992[3], CVE-2025-52993[4].

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46415
    https://www.cve.org/CVERecord?id=CVE-2025-46415
[1] https://security-tracker.debian.org/tracker/CVE-2025-46416
    https://www.cve.org/CVERecord?id=CVE-2025-46416
[2] https://security-tracker.debian.org/tracker/CVE-2025-52991
    https://www.cve.org/CVERecord?id=CVE-2025-52991
[3] https://security-tracker.debian.org/tracker/CVE-2025-52992
    https://www.cve.org/CVERecord?id=CVE-2025-52992
[4] https://security-tracker.debian.org/tracker/CVE-2025-52993
    https://www.cve.org/CVERecord?id=CVE-2025-52993
[5] https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
The upstream patchset to fix this is commingled with a lot of other upstream changes, but there is some work and discussion about backporting the needed fixes:

https://lists.gnu.org/archive/html/guix-devel/2025-07/msg00098.html

But the commingling with other changes makes this trickier than in the past. I've just managed for the first time to get something to compile at all with the security fixes applied:

https://codeberg.org/GNUtoo/guix-security-fixes/commits/branch/guix-1.4.0-2025-security-fixes

But that also includes all the other unrelated changes, although it fails a few new tests now...

Guix is basically a rolling release model, and up till recently there had been little active development on the affected parts other than security fixes, so previous security fixes were a bit more reasonable to apply, even across pretty old versions... but here we are right now.

Curiously, those "unrelated" changes are actually to allow running guix-daemon as an unprivileged user, which has obvious security benefits! ... Just not appropriate for Debian's typical security update model.

I am not sure about the future of Guix in Debian at this point, but if we can actually get a few people working together on backporting the security fixes (either officially or unofficially), obviously that will help!

live well,
  vagrant
Great!

Is it possible that the security vulnerability was introduced after 1.4.0... and not introduced in the security patches currently included in Debian? Or running under systemd somehow makes the reproducer or vulnerability fail to work... or something else entirely?

I honestly (foolishly, in retrospect) had not evaluated these possibilities... partly because I had thought it was also present in Nix...

I've CCed the bug in Debian tracking this issue...

live well,
  vagrant