CVE-2017-1000455 — Origin Validation Error in Guixsd

CWE-346 — Origin Validation Error3 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 94.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Guixsd Debian Guix

Timeline

PublishedJan 2

Latest updateMay 14

Description

GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in "the store", violating a fundamental security assumption of GNU Guix.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDgnu/guixsd0.13.0

▶debiandebian/guix

Patches

Patch: lists.gnu.org ↗Patch: lists.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-4rwh-hg22-2pc2: GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in "↗2022-05-14

▶

📋Vendor Advisories

Debian

CVE-2017-1000455: guix - GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX h...↗2017

▶