On 2024-03-13, Vagrant Cascadian wrote:
> On 2024-03-12, Vagrant Cascadian wrote:
>> On 2024-03-12, Salvatore Bonaccorso wrote:
> I have now tested an updated 1.4.x package on bookworm and a 1.2.x
> package on bullseye, and the reproducer (with a small change for 1.2.x)
> was able to reproduce the problem before upgrading to the patched
> versions, but not after upgrading to a patched version.
>
> I've pushed fixes to various branches; debian/latest (for unstable),
> debian/bookworm and debian/bullseye:
>
> https://salsa.debian.org/debian/guix/
Attached should be debdiffs for updates for bookworm and bullseye. Let me know if I should upload them or if someone from the security team will!

Guix did make a good blog post, and I am wondering if just referencing it is sufficient, or if we should provide some of the instructions directly in the security announcement?

https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/

The main things we might want to highlight are checking for corrupt items in the store (which may be expensive, depending on how big of an installation) and maybe also running the reproducer script (which needs changes mentioned previously in order to work with 1.2.x from bullseye).

Hrm. The upgrading instructions from the blog post are not really relevant, as they are simply handled with "apt upgrade", so that might be a little confusing.

live well,
  vagrant
guix_1.2.0-4+deb11u2.debdiff
Description: Binary data
guix-1.4.0-3+deb12u1.debdiff
Description: Binary data
signature.asc
Description: PGP signature
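The message above suggests highlighting a check for corrupt store items, the kind of check a fixed-output derivation sandbox bypass makes worthwhile, since a tampered item keeps its store path while its content no longer matches the hash recorded for it. The following is an added example illustrating that idea; it is not code from the Guix project, from Debian, or from this thread. It models a content-addressed store as a temporary directory with a constructed manifest of expected SHA-256 hashes, re-hashes every item, and reports the ones whose content has drifted. The hashing scheme (a sorted walk feeding paths and bytes into one digest) is a simplified stand-in for Guix's real NAR hash, and the item names are invented.

```python
"""Model of a content-store integrity check (added example, not Guix code).

A Guix-style store records each item's expected content hash; a verify pass
re-hashes each item and reports mismatches. Here the 'store' is a temporary
directory and the manifest is constructed inline, so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_store_item(item: Path) -> str:
    """Hash a store item (file or directory) deterministically.

    Directories are walked in sorted order and each entry's relative path and
    content are fed into one SHA-256 digest, so any change to content or layout
    changes the hash. This is a simplified stand-in for a NAR hash, not the
    real Guix serialisation.
    """
    h = hashlib.sha256()
    if item.is_file():
        h.update(b"file\0" + item.read_bytes())
        return h.hexdigest()
    for root, dirs, files in os.walk(item):
        dirs.sort()  # make the walk order independent of the filesystem
        for name in sorted(files):
            p = Path(root) / name
            rel = p.relative_to(item).as_posix().encode()
            h.update(b"entry\0" + rel + b"\0" + p.read_bytes() + b"\0")
    return h.hexdigest()


def verify_store(store: Path, manifest: dict) -> list:
    """Return the names of items whose current hash differs from the manifest.

    `manifest` maps item name -> expected hex digest recorded when the item
    was first added; this mirrors what a 'verify contents' pass compares.
    """
    corrupt = []
    for name, expected in manifest.items():
        actual = hash_store_item(store / name)
        if actual != expected:
            corrupt.append(name)
    return corrupt


def demo() -> list:
    """Build a tiny constructed store, tamper with one item, then verify it.

    Returns the list of corrupt item names found (expected: one entry).
    """
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        # Two constructed store items: a directory-shaped package output and
        # a file-shaped fixed-output item (e.g. a downloaded source tarball).
        (store / "aaa-hello-1.0").mkdir()
        (store / "aaa-hello-1.0" / "bin").mkdir()
        (store / "aaa-hello-1.0" / "bin" / "hello").write_bytes(
            b"#!/bin/sh\necho hello\n")
        (store / "bbb-source.tar").write_bytes(b"constructed tarball bytes")
        # Record hashes at insertion time, as the store database would.
        manifest = {n: hash_store_item(store / n)
                    for n in ("aaa-hello-1.0", "bbb-source.tar")}
        # Simulate a corrupted fixed-output item: its content changes while its
        # store path (and therefore its recorded hash) stays the same.
        (store / "bbb-source.tar").write_bytes(b"unexpected content")
        return verify_store(store, manifest)


if __name__ == "__main__":
    print("corrupt items:", demo())
```

Running the script prints the single tampered item. On a real installation the equivalent pass walks every store item, which is why the message notes that the check can be expensive on a large store.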