bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

From:	Ludovic Courtès
Subject:	bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date:	Wed, 16 Oct 2019 08:57:05 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi Tobias,

Tobias Geerinckx-Rice <address@hidden> skribis:

> No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’.
>
> Of course the remote daemon doesn't trust me beyond pre-creating an
> empty per-user directory owned by the local "ludo" user only if such a
> user exists.  It doesn't even report succes or failure to avoid
> leaking valid user names.

Ah you’re right, the worst that can happen is that an empty directory is
created for someone else.  Sounds like a plan.

Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/14
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/14
  - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/14
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Maxim Cournoyer, 2019/10/14
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/15
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/15
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès <=
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), pelzflorian (Florian Pelz), 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), pelzflorian (Florian Pelz), 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/16
    - bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16

Prev by Date: bug#37735: Ansible package build/installation failing
Next by Date: bug#37775: Python 2.7 not configured for Tk
Previous by thread: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Next by thread: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Index(es):
- Date
- Thread