Hi Maxime, Maxime Devos <maximede...@telenet.be> skribis:
> From 9672bd37bf50db1e0989d0b84035c4788422bd31 Mon Sep 17 00:00:00 2001 > From: Maxime Devos <maximede...@telenet.be> > Date: Tue, 30 Mar 2021 22:36:14 +0200 > Subject: [PATCH 1/2] activation: Do not dereference symlinks in home directory > creation. > MIME-Version: 1.0 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: 8bit > > Fixes <https://bugs.gnu.org/47584>. > > * gnu/build/activation.scm > (copy-account-skeletons): Do not chown the home directory; leave this > to 'activate-user-home'. > (activate-user-home): Only chown the home directory after the account > skeletons have been copied. > > Co-authored-by: Ludovic Courtès <l...@gnu.org>. Pushed: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2161820ebbbab62a5ce76c9101ebaec54dc61586 > From d071ee3aff5be1a6d7876d7411e70f7283dce1fb Mon Sep 17 00:00:00 2001 > From: Maxime Devos <maximede...@telenet.be> > Date: Sat, 3 Apr 2021 12:19:10 +0200 > Subject: [PATCH 2/2] news: Add entry for user account activation > vulnerability. > > TODO for guix committer: correct the commit id appropriately. > > * etc/news.scm: Add entry. I tweaked it to (1) make it clear upfront that only Guix System is affected, (2) to explicitly recommend an upgrade on Guix System, and (3) to clarify when the attack can happen. Thanks for finding the issue, for reporting it at guix-security, and for preparing these patches! Ludo’.
