Guix and nix have a bunch of vulnerabilities

BrownJenkin · June 25, 2025, 2:31am

The versions in PureOS are very old. Is there a security fix coming?

FranklyFlawless · June 25, 2025, 2:40am

Eventually.

JR-Fi · June 25, 2025, 2:53am

Trying to put this more into perspective: the fix would be simple (update guix), but at the moment the - as far as I quickly read the notices - the threat to users is very limited at best. From the notice:

Both exploits require the ability to start a derivation build. CVE-2025-46415 requires the ability to create files in /tmp in the root mount namespace on the machine the build occurs on, and CVE-2025-46416 requires the ability to run arbitrary code in the root PID and network namespaces on the machine the build occurs on. As such, this represents an increased risk primarily to multi-user systems

This implies that an attacker needs to already have access in to the device in order to try this privilege escalation, so there would need to be at least a few other vulnerabilities exploited first. In general, there are (or so you should expect) several similar threats, so nothing new there. There are several (“all”) old versions in byzantium. Hopefully this gets solved when Crimson comes (“eventually”), the latest. Backports could have it done sooner (depending on how complex the dependencies are - eh, @galilley…?).

galilley · June 25, 2025, 3:27am

Which versions of these packages contain the security patches? I could build them for Crimson.

irvinewade · June 25, 2025, 3:31am

Are the relevant packages part of a vanilla PureOS install?

Are they even in the repo??

JR-Fi · June 25, 2025, 3:54am

On the Nix post they had a list that I assume uses the same version numbers as does debian (crim backports - and I think byz too - currently uses guix 1.40.0-3 and I’m not sure if nix and lix are relevant)

The following versions contain the fixes. Versions older than the listed ones must be considered impacted:

Nix
        Affected versions: <= 2.24.14, <= 2.26.3, <= 2.28.3, <= 2.29.0
        Fixed versions: 2.24.15, 2.26.4, 2.28.4, 2.29.1 (no fix for CVE-2025-46416 for now)
    Lix
        Affected versions: <= 2.91.1, <= 2.92.1, <= 2.93.0
        Fixed versions: 2.91.2, 2.92.2, 2.93.1 (CVE-2025-46416 is fixed when the Pasta or LSM mitigations are enabled)
    Guix
        Affected versions: <= 1.4.0-37.096dedd
        Fixed versions: 1.4.0-38.0e79d5b

JR-Fi · June 26, 2025, 4:41am

And just to bumb the thought, this is again a reminder why an automated tracking of these would be useful for Purism and users. More about it here: CVE database for L5 (and other Purism devices)?