Substitution Vulnerabilities
GNU Guix has disclosed four critical security issues that affect its package substitution and channel management features. The most serious flaws are in the guix substitute utility, which handles binary package downloads. A malicious substitute server or a man in the middle attacker could send a crafted archive that writes arbitrary files accessible to the daemon user. This attack does not require compromising the official Guix server. Any configured substitute server can deliver malicious content, including servers discovered automatically via the daemon’s discovery option. Even using HTTPS does not fully prevent exploitation because the vulnerable metadata fetching process did not properly bind download URLs to signed metadata.
A second substitution flaw allows a malicious source to return authorized metadata for a different store item than requested. This could trick the package manager into using an unintended but signed store item, potentially forcing systems to install outdated or insecure software versions. A third vulnerability involves file URLs. Untrusted local clients that can access the guix daemon socket could instruct the daemon to read local files. If a readable file triggers an error during metadata parsing, its contents may appear in an error backtrace exposed to the client.
Channel Authentication Issue
Separately, the guix pull and guix time machine commands contained a path traversal problem in channel authentication caching. An attacker controlling a channel file could use a crafted channel name to create or overwrite files writable by the user running the command. The project assesses the most likely impact as denial of service, though further abuse may be possible in unusual configurations.
Guix developers fixed all issues through a series of commits. Users should update guix and guix daemon to a version that includes commit 897832f374dcdc9eeaf19d01e70b9a92fccfc68c or later. Administrators on exposed systems may want to temporarily use the no substitutes option during upgrades while weighing that against the difficulty of building updates locally. Guix also provides a Scheme based checker to determine if a system remains vulnerable to these four flaws.
Source: Cyber Security News
