GNU Guix, a functional package manager for the GNU system, has disclosed four critical security vulnerabilities affecting its package substitution and channel management features. These flaws pose significant risks, including remote privilege escalation, data corruption, and unauthorized file access.
Details of the Vulnerabilities
Three of the identified vulnerabilities reside in the ‘guix substitute’ utility:
- Remote Privilege Escalation: The ‘restore-file’ procedure, responsible for unpacking binary substitutes, previously extracted archives during download, prior to verifying their full hash. This oversight allows a malicious substitute server or a man-in-the-middle attacker to craft an archive that writes arbitrary files accessible to the daemon user.
- Store Corruption: A flaw permits a malicious substitute source to return authorized metadata for one store item when Guix requests metadata for another. This manipulation can lead the package manager to install unintended or outdated software versions, compromising system integrity.
- Local Information Disclosure: The handling of ‘file://’ URLs enables untrusted local clients with access to the default ‘guix-daemon’ socket to instruct the daemon to read files via local file URIs. If a readable file triggers an error during narinfo parsing, its contents may appear in an error backtrace returned to the client, potentially exposing sensitive information.
The fourth vulnerability affects the ‘guix pull’ and ‘guix time-machine’ commands. A path traversal issue in channel authentication caching allows an attacker controlling a channel file to use a crafted channel name to create or overwrite files writable by the user running the command. While the most practical impact is assessed as denial-of-service, further exploitation may be possible in certain environments.
Implications and Mitigation
These vulnerabilities impact Guix systems regardless of whether ‘guix-daemon’ runs with root privileges. However, systems where the daemon operates as root face more severe potential consequences, such as unauthorized modifications to critical files like ‘/etc/passwd’.
To address these issues, Guix developers have released patches. Users are strongly advised to upgrade ‘guix’ and ‘guix-daemon’ to commit ‘897832f374dcdc9eeaf19d01e70b9a92fccfc68c’ or later. During the upgrade process, administrators should consider using the ‘–no-substitutes’ option, especially on exposed systems, to mitigate risks associated with substitute servers. However, this approach requires building updates locally, which may be resource-intensive.
Additionally, Guix provides a Scheme-based checker to help users determine if their systems remain vulnerable to these flaws.
These vulnerabilities underscore the critical importance of rigorous security practices in package management systems. Users and administrators must remain vigilant, promptly applying updates and patches to safeguard their systems against potential exploits.