
Recent security issues (guix-daemon and xz)


From: John Kehayias
Subject: Recent security issues (guix-daemon and xz)
Date: Sat, 30 Mar 2024 21:41:54 +0000

Hi Guix-ers,

Two security issues I would like to briefly draw attention to:

First, a belated (sorry!) note about a security issue that was
originally found in Nix but also affects the guix-daemon. All users
are strongly encouraged to update their guix-daemon. For details about
this security issue, how to check if you are on an impacted version,
and most importantly how to upgrade, please see the blog post:

<https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/>

Secondly, perhaps many have heard of the recent security issue
(backdoor) in the xz project:

- <https://www.openwall.com/lists/oss-security/2024/03/29/4> (original
  disclosure)

- <https://nvd.nist.gov/vuln/detail/CVE-2024-3094> (CVE-2024-3094)

As far as I, and those I've discussed with, can tell, Guix is *not*
affected. For one, we are currently on an older version, 5.2.8, which
I believe also predates most or all of the contributions made by the
identity associated with the backdoor. We also don't fit what we
currently know about when the backdoor is enabled in the build, due to
our packaging not being one of the targets, as well as not using
systemd (which provided a link between sshd and xz), among other
factors.

This is an evolving situation with many current discussions online. I
also just noticed that the xz project has a page identifying this
backdoor and what they are currently doing:
<https://tukaani.org/xz-backdoor/>. Though given how this exploit has
come about, we should remain skeptical and vigilant.

Let me stress that there is much we don't know. There certainly
remains the possibility of other exploits or malicious code to be
discovered, as well as looking at contributions made via the same user
identifier to other projects. We will be keeping a close eye on this,
but please report any security issues to <guix-security@gnu.org>.

I hope this was helpful and assuring but I welcome feedback on any of
this. While I am on guix-security, please note I wrote this message
independently to be timely and hopefully assuage any questions.

I hope otherwise everyone is having a great weekend and that your Guix
machines (and all the others!) are humming along happily!

John Kehayias
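The message above reasons that Guix is unaffected partly because it ships xz 5.2.8, which predates the backdoored releases. As an added example (not part of John's message or of the Guix project), the POSIX shell script below classifies the version banner printed by `xz --version` against the two releases known to carry the CVE-2024-3094 backdoor, 5.6.0 and 5.6.1. The banner strings used in the functions' comments are constructed; the helper names are my own. A version match is only a first triage signal: a distribution may have rebuilt or patched a 5.6.x package, and the xz on a host may not be the one a given service links against, so treat "not-affected" as "this check did not flag it", not as proof.

```shell
#!/bin/sh
# Added example, not from the original message: triage an xz version string
# against the releases known to carry the CVE-2024-3094 backdoor.
# Affected releases (a fact about the CVE, not taken from the page): 5.6.0, 5.6.1.

# Return 0 (affected) if the version is 5.6.0 or 5.6.1, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of the first banner line, e.g. the constructed
# banner "xz (XZ Utils) 5.2.8" yields "5.2.8". Prints nothing if no version
# is found.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# Classify a full `xz --version` banner. Prints one of:
#   affected      - version is 5.6.0 or 5.6.1
#   not-affected  - a version was parsed and it is not one of those two
#   unknown       - no version could be parsed from the banner
classify_xz_banner() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        printf 'unknown\n'
    elif xz_version_affected "$ver"; then
        printf 'affected\n'
    else
        printf 'not-affected\n'
    fi
}

# Stand-alone use: report on the xz found in PATH, if any.
if command -v xz >/dev/null 2>&1; then
    classify_xz_banner "$(xz --version 2>/dev/null)"
fi
```

Run it on each host you manage and feed any `affected` result into the update process your distribution documents; the functions are separated from the top-level call so the classification can also be driven from a captured banner in an inventory pipeline.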