CVE-2021-27851

CVE-2021-27851 affects the guix-daemon in multi-user setups. An unprivileged user can spawn a build (e.g., via guix build) that creates a world-writable build directory, then link a root-owned file (such as /etc/shadow). If the build later fails and the user used --keep-failed, the daemon can cha...

CVE-2019-18192

CVE-2019-18192 affects GNU Guix 1.0.1. Local users can gain access to arbitrary user accounts because the parent directory of user-profile directories is world-writable, a condition similar to CVE-2019-17365. Red Hat and CNVD entries corroborate the same underlying issue. The available references...