Hi,

On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
> On 2024-03-13, Vagrant Cascadian wrote:
> > On 2024-03-12, Vagrant Cascadian wrote:
> >> On 2024-03-12, Salvatore Bonaccorso wrote:
> > I have now tested an updated 1.4.x package on bookworm and a 1.2.x
> > package on bullseye, and the reproducer (with a small change for 1.2.x)
> > was able to reproduce the problem before upgrading to the patched
> > versions, but not after upgrading to a patched version.
> >
> > I've pushed fixes to various branches; debian/latest (for unstable),
> > debian/bookworm and debian/bullseye:
> >
> >   https://salsa.debian.org/debian/guix/
> 
> Attached should be debdiffs for updates for bookworm and bullseye. Let
> me know if I should upload them or if someone from the security team
> will!
> 
> Guix did make a good blog post, and I am wondering if just referencing
> it is sufficient, or if we should provide some of the instructions
> directly in the security announcement?
> 
>   https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
> 
> The main things we might want to highlight are checking for corrupt
> items in the store (which may be expensive, depending on how big of an
> installation) and maybe also running the reproducer script (which needs
> changes mentioned previously in order to work with 1.2.x from bullseye).
> 
> Hrm. The upgrading instructions from the blog post are not really
> relevant, as they are simply handled with "apt upgrade", so that might
> be a little confusing.

We had a look, and as per
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
we think that it does not require a DSA, but a fix in the upcoming
point releases would be good.

So can you submit it for the point releases? (make sure to adjust the
target distribution to bullseye respectively bookworm instead of
*-security).

Thanks a lot for your work!

Regards,
Salvatore