Debian Guix vulnerabilities

11 known vulnerabilities affecting debian/guix.

Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3, LOW 7

Vulnerabilities

CVE-2025-59378 | MEDIUM | CVSS 5.7 | 2025
In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).
Scope: local. bullseye: open; sid: open. Source: debian.

CVE-2025-52993 | MEDIUM | CVSS 5.6 | 2025
A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Scope: local. bullseye: open; sid: open. Source: debian.

CVE-2025-52991 | LOW | CVSS 3.2 | 2025
The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix
Source: debian.

CVE-2025-46415 | LOW | CVSS 3.2 | 2025
A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Scope: local. bullseye: open; sid: open. Source: debian.

CVE-2025-46416 | LOW | CVSS 2.9 | 2025
The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Scope: local. bullseye: open; sid: open. Source: debian.

CVE-2025-52992 | LOW | CVSS 3.2 | 2025
The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Scope: local. bullseye: open; sid: open. Source: debian.

CVE-2024-52867 | HIGH | CVSS 8.1 | 2024 | fixed in guix 1.2.0-4+deb11u3 (bullseye)
guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the v
Source: debian.

CVE-2024-27297 | MEDIUM | CVSS 6.3 | 2024 | fixed in guix 1.2.0-4+deb11u2 (bullseye)
Nix is a package manager for Linux and other Unix systems. A fixed-output derivation on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows modifying the output of the derivation after Nix has registered the path as "valid
Source: debian.

CVE-2021-27851 | LOW (tagged MEDIUM in the entry text) | CVSS 5.5 | 2021 | fixed in guix 1.2.0-4 (bullseye)
A security vulnerability that can lead to local privilege escalation has been found in 'guix-daemon'. It affects multi-user setups in which 'guix-daemon' runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned
Source: debian.

CVE-2019-18192 | LOW (tagged HIGH in the entry text) | CVSS 7.8 | 2019
GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365.
Scope: local. bullseye: resolved; sid: resolved. Source: debian.

CVE-2017-1000455 | LOW (tagged MEDIUM in the entry text) | CVSS 5.5 | 2017
GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading to the creation of setuid executables in "the store", violating a fundamental security assumption of GNU Guix.
Scope: local. bullseye: resolved; sid: resolved. Source: debian.
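Added audit script, written for this page; it is not part of the tracker or of GNU Guix. Three of the entries above (CVE-2017-1000455, CVE-2024-52867 and CVE-2025-59378) describe a setuid or setgid executable becoming reachable through guix-daemon, which CVE-2017-1000455 calls a violation of a fundamental security assumption of Guix, and CVE-2025-52992 and CVE-2021-27851 involve store or build content being writable by other users. The script checks a store tree for both conditions. It assumes the store is at /gnu/store (pass another path as the first argument), that the file is saved as guix-store-audit.sh, and that it runs as root so every directory can be read; the function and file names are this example's own, not Guix's.

```shell
#!/bin/sh
# Added audit script, not part of the tracker page or of GNU Guix.
# Scans a Guix store tree for two things the CVE entries say must not
# happen: setuid/setgid executables in the store (CVE-2017-1000455,
# CVE-2024-52867, CVE-2025-59378) and store entries writable by "other"
# (CVE-2025-52992, CVE-2021-27851). The /gnu/store default is an
# assumption; any other store path can be given as the first argument.

# Print setuid or setgid regular files under $1, one path per line.
find_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print files and directories under $1 that are writable by "other".
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print
}

# Count the lines in a possibly empty string (0 for the empty string).
count_lines() {
    if [ -z "$1" ]; then
        echo 0
    else
        printf '%s\n' "$1" | wc -l | tr -d ' '
    fi
}

# Run both checks against a store tree.
# Exit status: 0 when clean, 1 when at least one finding, 2 when the
# path does not exist. find's own errors (unreadable directories when
# not run as root) go to stderr and do not change the result.
audit_store() {
    store="${1:-/gnu/store}"
    if [ ! -d "$store" ]; then
        echo "audit_store: no such directory: $store" >&2
        return 2
    fi
    setuid=$(find_setuid_files "$store" || true)
    writable=$(find_world_writable "$store" || true)
    n_setuid=$(count_lines "$setuid")
    n_writable=$(count_lines "$writable")
    [ "$n_setuid" -eq 0 ] || \
        printf 'setuid/setgid files in %s (%s):\n%s\n' "$store" "$n_setuid" "$setuid"
    [ "$n_writable" -eq 0 ] || \
        printf 'world-writable entries in %s (%s):\n%s\n' "$store" "$n_writable" "$writable"
    [ "$n_setuid" -eq 0 ] && [ "$n_writable" -eq 0 ]
}

# Only scan when invoked as a script, so the functions can also be
# sourced by other tooling without touching /gnu/store.
case "${0##*/}" in
    guix-store-audit.sh) audit_store "$1" ;;
esac
```

Run it as `sudo sh guix-store-audit.sh` on a host where guix-daemon is installed. Exit status 1 means at least one finding, which deserves a look before the host is assumed clean; a finding is not by itself proof of exploitation, and a clean run does not prove the package is patched, so the installed version should still be compared with the fixed versions listed above.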