Privilege Escalation Vulnerability in GNU Guix's guix-daemon
CVE-2024-52867
8.1 HIGH
Key Information:
- Vendor: GNU Guix
- CVE Published: 17 November 2024
Summary
The guix-daemon in GNU Guix prior to commit 5ab3c4c allows local users to escalate privileges because build outputs are accessible to them. The vulnerability stems from inadequate handling of file metadata, particularly for setuid and setgid programs. To mitigate it, users are advised to perform specific pull, reconfiguration, and restart actions. Both commits 5ab3c4c and 5582241 are required to secure the system against this issue.
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved