• Category: Security
  • Status: confirmed
  • Sources: Guix security post, HN discussion
  • Summary: The GNU Guix project disclosed four vulnerabilities in guix substitute and guix pull/guix time-machine on 2026-07-02, with CVE identifiers pending. The most serious is unsafe archive extraction in restore-file ((guix serialization)), where archives are extracted before hash verification, allowing arbitrary file writes and remote code execution as the build-daemon user. The others are narinfo substitution spoofing that can serve outdated substitutes, file:// URI access that follows symlinks to read daemon-accessible files, and a path-traversal cache-key flaw in authenticate-channel. All four are fixed in commit 897832f and later.
  • Why it matters: The substitution and channel paths are how Guix systems fetch and authenticate software, so a pre-verification extraction bug turns a compromised or spoofed substitute server into daemon-user code execution on client machines.
  • Follow-up: Track CVE assignment and whether the fixes land in a tagged Guix release and in distribution packages.

Send feedback on this story