GNU Guix Vulnerabilities Allow Remote Privilege Escalation via Malicious Binary Substitutes

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

GNU Guix has disclosed four serious security vulnerabilities affecting its package substitution and channel-management features.

Three flaws in the guix substitute utility can enable remote privilege escalation, corruption of stored data, and local disclosure of files readable by the build daemon user. At the same time, a fourth issue affects guix pull and guix time-machine.

The issues affect Guix systems regardless of whether guix-daemon runs as root. However, the potential impact is more severe on systems where the daemon has root privileges, because an attacker could potentially write files in sensitive locations such as /etc/passwd.

GNU Guix Vulnerabilities

The most critical flaw exists in the restore-file procedure used to unpack binary substitutes. Guix previously extracted substitute archives while they were still downloading, before the full archive hash was verified.

A malicious substitute server, or a man-in-the-middle attacker impersonating one, could send a crafted archive that writes arbitrary files accessible to the daemon user.

This attack does not require a compromised official Guix server. Any configured substitute server can deliver malicious content, including those discovered via the daemon’s --discover option.

Using HTTPS alone does not fully prevent exploitation because the vulnerable narinfo metadata-fetching process did not securely bind the substitute download URL to signed metadata.

A second issue allows a malicious substitute source to return authorized metadata for one store item when Guix requests metadata for another.

This can make the package manager use an unintended but signed store item, potentially forcing systems to install outdated or insecure software versions.

The third guix substitute vulnerability involves file:// URLs. Untrusted local clients that can access the default guix-daemon socket could instruct the daemon to read files via local file URIs.

If a readable file triggers an error during narinfo parsing, its contents may appear in an error backtrace returned to the client, exposing secrets accessible to the daemon account.

Separately, guix pull and guix time-machine contained a path traversal issue in channel authentication caching.

An attacker controlling a channel file could use a crafted channel name to create or overwrite files writable by the user running the command.

The project assesses the most practical impact as denial-of-service, although further abuse may be possible in unusual environments.

Guix developers fixed the issues through a series of commits in pull request #9665. Users should upgrade guix and guix-daemon to commit 897832f374dcdc9eeaf19d01e70b9a92fccfc68c or later.

Administrators should consider temporarily using --no-substitutes during upgrades, particularly on exposed systems, but must weigh that decision against the difficulty of building updates locally.

Guix also provides a Scheme-based checker that reports whether a system remains vulnerable to the four identified flaws.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide