Top stories
Guix discloses four substitute and pull vulnerabilities including archive-extraction RCE
- Category: Security
- Status: confirmed
- Sources: Guix security post, HN discussion
- Summary: The GNU Guix project disclosed four vulnerabilities in
guix substituteandguix pull/guix time-machineon 2026-07-02, with CVE identifiers pending. The most serious is unsafe archive extraction inrestore-file((guix serialization)), where archives are extracted before hash verification, allowing arbitrary file writes and remote code execution as the build-daemon user. The others are narinfo substitution spoofing that can serve outdated substitutes,file://URI access that follows symlinks to read daemon-accessible files, and a path-traversal cache-key flaw inauthenticate-channel. All four are fixed in commit 897832f and later. - Why it matters: The substitution and channel paths are how Guix systems fetch and authenticate software, so a pre-verification extraction bug turns a compromised or spoofed substitute server into daemon-user code execution on client machines.
- Follow-up: Track CVE assignment and whether the fixes land in a tagged Guix release and in distribution packages.