On 2025-07-27, Kurt Kremitzki wrote:
> I am also a Debian Developer, and I'd really like to try to get this taken
> care of in time if possible--without getting into my whole spiel, I think
> being able to support usage of Guix as it is at any given time (rather than
> HEAD-only) is important.

Great!

> However, when I try to do a minimal reproduction of the vuln in a Debian VM,
> doing e.g. the following, it doesn't work:
>
> ```
> root@guix-test:~# apt install -y guix wget
> root@guix-test:~# wget <path to a copy of the test file provided in the announcement blog post>
> root@guix-test:~# guix repl -- abstract-socket-vuln-check.scm
> substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
> substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
> building path(s) `/gnu/store/afq3lfzpfqsw81shkqd91nw9f2dcrk7w-check-abstract-socket-hole'
> Backtrace:
>            2 (primitive-load "/gnu/store/hk4k2na16b09qnws9zhi8h8zcm3?")
> In ice-9/eval.scm:
>    619:8  1 (_ #(#<directory (guile-user) 7ffff6fddc80> #<input-o?>))
> In unknown file:
>            0 (connect #<input-output: socket 6> 1 "\x00-6886d98b-3581")
>
> ERROR: In procedure connect:
> string contains #\nul character: "\x00-6886d98b-3581"
> builder for `/gnu/store/24cy6ikj447s8srqv42gfigsd0lf90zs-check-abstract-socket-hole.drv' failed with exit code 1
> Abstract Unix-domain socket hole is CLOSED, build failed with "build of `/gnu/store/24cy6ikj447s8srqv42gfigsd0lf90zs-check-abstract-socket-hole.drv' failed".
> ```
>
> I did see positive results for this check on Guix System VMs, so it's not
> clear to me why this check is showing closed, instead of open.
>
> I'd like to help with the backporting effort as well, but I can't really
> validate the effectiveness of any fix at this point.
>
> Is this happening to anyone else?

Is it possible that the security vulnerability was introduced after 1.4.0... and not introduced in the security patches currently included in Debian? Or running under systemd somehow makes the reproducer or vulnerability fail to work... or something else entirely?

I honestly (foolishly, in retrospect) had not evaluated these possibilities... Partly because I had thought it was also present in Nix...

I've CCed the bug in Debian tracking this issue...
live well, vagrant
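For readers following the backtrace above: the check script fails before it ever reaches the kernel, because the Debian-packaged Guile's `connect` refuses the address string `"\x00-6886d98b-3581"` on seeing its leading NUL byte. That NUL is not a typo; on Linux an abstract Unix-domain socket name is exactly a NUL byte followed by the name, living in the network namespace rather than on the filesystem. The following standalone C example, added here and not taken from the announcement's `abstract-socket-vuln-check.scm` or from Guix, shows what such a probe does at the socket level: it builds the NUL-prefixed address with an explicit length (strlen() on `sun_path` would see an empty string), listens on a pid-unique abstract name, confirms a client can reach it, then closes the listener and confirms the name is gone. The name `gr-abstract-example-<pid>` is an arbitrary choice for the example. Note that this only tests reachability within the namespace it runs in; the hole the check script looks for is whether a builder's namespace can reach a listener in the daemon's, and this example makes no claim about that.

```c
/* Probe a Linux abstract Unix-domain socket (added example, not Guix code).
 *
 * Abstract socket names begin with a NUL byte and are scoped to the network
 * namespace, not the filesystem. The NUL is what a string-based API can
 * reject, and it means the address length must be computed from the name
 * rather than taken from strlen() on sun_path.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill `sa` with the abstract address "\0<name>" and return the length to
 * pass to bind()/connect(); returns 0 if the name does not fit. */
static socklen_t abstract_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    if (n + 1 > sizeof sa->sun_path)
        return 0;
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    sa->sun_path[0] = '\0';            /* leading NUL marks an abstract name */
    memcpy(sa->sun_path + 1, name, n); /* no trailing NUL: length is explicit */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Start listening on abstract socket `name`. Returns the fd, or -1. */
int abstract_listen(const char *name)
{
    struct sockaddr_un sa;
    socklen_t len = abstract_addr(&sa, name);
    if (len == 0)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Try to connect to abstract socket `name` from the caller's namespace.
 * Returns 1 if a listener answered, 0 if nobody is bound there
 * (ECONNREFUSED), -1 on any other error. */
int abstract_reachable(const char *name)
{
    struct sockaddr_un sa;
    socklen_t len = abstract_addr(&sa, name);
    if (len == 0)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = connect(fd, (struct sockaddr *)&sa, len);
    int err = errno; /* save before close() can touch it */
    close(fd);
    if (rc == 0)
        return 1;
    return err == ECONNREFUSED ? 0 : -1;
}

/* Self-test in one process: listen on a pid-unique abstract name (an
 * arbitrary name chosen for this example), probe it, close the listener,
 * probe again. Returns 1 when the probe succeeds while listening and is
 * refused afterwards, 0 otherwise. A Unix stream connect() completes as soon
 * as the connection is queued, so no accept() is needed here. */
int abstract_selftest(void)
{
    char name[64];
    snprintf(name, sizeof name, "gr-abstract-example-%ld", (long)getpid());
    int lfd = abstract_listen(name);
    if (lfd < 0)
        return 0;
    int while_listening = abstract_reachable(name);
    close(lfd); /* closing the socket releases the abstract name */
    int after_close = abstract_reachable(name);
    return while_listening == 1 && after_close == 0;
}

int main(void)
{
    printf("abstract socket self-test: %s\n",
           abstract_selftest() ? "ok" : "FAILED");
    return 0;
}
```

To turn this into a cross-namespace check of the kind the announcement's script performs, the listener would run on the host side and `abstract_reachable()` would be invoked from inside the build environment; a return of 1 there would mean the builder can reach host sockets, 0 that the namespaces are separated.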