#1108318 guix: CVE-2025-46415 CVE-2025-46416 CVE-2025-52991 CVE-2025-52992 CVE-2025-52993

Package:
src:guix
Source:
src:guix
Submitter:
Salvatore Bonaccorso
Date:
2025-07-28 03:27:02 UTC
Severity:
normal
Tags:
#1108318#5
Date:
2025-06-25 20:55:18 UTC
From:
To:
Hi,

The following vulnerabilities were published for guix.

CVE-2025-46415[0], CVE-2025-46416[1], CVE-2025-52991[2],
CVE-2025-52992[3], CVE-2025-52993[4].


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46415
https://www.cve.org/CVERecord?id=CVE-2025-46415
[1] https://security-tracker.debian.org/tracker/CVE-2025-46416
https://www.cve.org/CVERecord?id=CVE-2025-46416
[2] https://security-tracker.debian.org/tracker/CVE-2025-52991
https://www.cve.org/CVERecord?id=CVE-2025-52991
[3] https://security-tracker.debian.org/tracker/CVE-2025-52992
https://www.cve.org/CVERecord?id=CVE-2025-52992
[4] https://security-tracker.debian.org/tracker/CVE-2025-52993
https://www.cve.org/CVERecord?id=CVE-2025-52993
[5] https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1108318#10
Date:
2025-07-15 20:19:35 UTC
From:
To:
The upstream patchset to fix this is commingled with a lot of other
upstream changes, but there is some work and discussion about
backporting the needed fixes:

https://lists.gnu.org/archive/html/guix-devel/2025-07/msg00098.html

But the commingling with other changes makes this trickier than in the past.


I've just managed for the first time to get something to compile at all
with the security fixes applied:

https://codeberg.org/GNUtoo/guix-security-fixes/commits/branch/guix-1.4.0-2025-security-fixes

But that also includes all the other unrelated changes, although it
fails a few new tests now...


Guix is basically a rolling release model, and up till recently, there
had been little active development on the affected parts other than
security fixes, so previous security fixes were a bit more reasonable to
apply, even across pretty old versions... but here we are right now.

Curiously, those "unrelated" changes are actually to allow running
guix-daemon as an unprivileged user, which has obvious security
benefits! ... Just not appropriate for Debian's typical security update
model.


I am not sure about the future of Guix in Debian at this point, but if
we can actually get a few people working together on backporting the
security fixes (either officially or unofficially), obviously that will
help!


live well,
  vagrant

#1108318#15
Date:
2025-07-28 03:24:07 UTC
From:
To:
Great!

Is it possible that the security vulnerability was introduced after
1.4.0 ... And not introduced in the security patches currently included
in Debian? Or running under systemd somehow makes the reproducer or
vulnerability fail to work... or something else entirely?

I honestly (foolishly, in retrospect) had not evaluated these
possibilities...  Partly, because I had thought it was also present in
Nix...

I've CCed the bug in Debian tracking this issue...

live well,
  vagrant