'guix substitute' and 'guix pull' Vulnerabilities


Caleb Ristvedt — July 2, 2026 (GNU Guix blog)

Several security issues (CVE IDs pending) have been identified in guix substitute, a helper utility invoked by guix-daemon, which enable a variety of harmful activities including remote privilege escalation to the build daemon user, remote store corruption, and potentially local disclosure of sensitive files accessible to the build daemon user. All systems are affected, whether or not guix-daemon is running with root privileges; the harm that can be done when guix-daemon runs without root privileges is more limited. You are strongly advised to upgrade your daemon now (see instructions below), carefully considering whether to pass --no-substitutes to all guix commands when you do so (see note in Upgrading section).

The remote exploitation of guix substitute only requires that the vulnerable system attempt to download a binary substitute. Any configured substitute server, including ones discovered using guix-daemon's --discover option, can exploit this, and so can a man-in-the-middle (MITM), regardless of whether https is used in the substitute server URLs.

The local exploitation of guix substitute only requires the ability to connect to guix-daemon's socket, which by default any user can do.

Separately, another security issue (CVE ID pending) was identified in guix pull and guix time-machine, which enables anyone who can control the channels file used by these commands to cause a file to be created or overwritten wherever the user running the command in question has permission to create files. This is possible regardless of whether the channels file is evaluated in a sandbox and whether the channels used are limited to those sharing an introduction with a trusted channel. Due to limitations on the content of the created or overwritten file, this primarily represents a denial-of-service risk, though in theory it could do more.

Vulnerabilities

Three distinct vulnerabilities have been identified affecting guix substitute, with a fourth affecting guix pull and guix time-machine:

1. (CVE assignment pending) The procedure that Guile code uses to unpack substitutes, restore-file in (guix serialization), was not hardened against malicious input, and it was called to extract the substitute being downloaded as it was being downloaded, rather than waiting until after the entire archive had been obtained and its hash had been verified. These facts together make it possible for any substitute server (or any entity that can impersonate one) to write arbitrary files to any place on an affected system that the daemon user has permission to write to. In the case of the daemon running as root, that includes /etc/passwd.

   To avoid depending on the X.509 Public Key Infrastructure, the procedure that fetches metadata about available substitutes (called narinfos), fetch-narinfos, does not verify server certificates, since the canonical parts of narinfos need to be signed anyway to be considered valid. Unfortunately the substitute URL is not one such canonical part, and so it can be replaced with an attacker-controlled URL. If the substitute downloaded doesn't match the signed hash in the narinfo, it will be rejected, but by then it is too late: the substitute was extracted as it was being downloaded, so the damage is already done.

   This means that even though download-nar, the procedure responsible for actually downloading the substitute, does itself verify server certificates, using https in substitute server URLs cannot limit who can exploit this, as the certificate only needs to be appropriate for the attacker-controlled URL.

   restore-file is also used by other utilities, including guix offload, guix archive --extract, and guix challenge. These can all be exploited in the same way if untrusted input is given to them.

2. (CVE assignment pending) The procedure that fetches metadata about available substitutes (called narinfos), fetch-narinfos in (guix substitutes), does not verify that the narinfo it got is the one it asked for, nor do any of its callers in (guix scripts substitute). Consequently, it is possible for a substitute server (or anyone who can impersonate one) to trick guix substitute into using any store item for which there is an authorized substitute as a substitute for any other store item for which there is an authorized substitute. The complete extent of harm that can be caused by this depends in part on what store items an authorized substitute server has signed or can be convinced to sign, but at minimum this can be used to cause outdated and insecure versions of software to be used.

3. (CVE assignment pending) The implementation of guix substitute in (guix scripts substitute) permits file:// URIs to be used both for specifying substitute server URIs (where to look for narinfos) and for specifying within narinfos where to download the corresponding archive from. It...
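The safe ordering that items 1 and 2 above call for, as an added example written for this post rather than code from Guix itself: the narinfo must name the store path that was actually requested, the whole archive is downloaded and its hash checked against the signed narinfo before anything is unpacked, and the unpacker refuses any member path that would escape the store path. The archive format, the hex NarHash field, the example URLs and the in-memory `store` dict are constructed simplifications, and narinfo signature checking is assumed to have already happened.

```python
import hashlib
import posixpath
class SubstituteError(Exception):
    """Substitute rejected; nothing has been written to the store."""

# Toy archive, constructed for this example (NOT Guix's nar format):
# per entry, a 4-byte path length, the path, a 4-byte data length, the data.
def encode_toy_archive(entries):
    out = b""
    for path, data in entries:
        p = path.encode()
        out += len(p).to_bytes(4, "big") + p + len(data).to_bytes(4, "big") + data
    return out

def decode_toy_archive(blob):
    entries, i = [], 0
    while i < len(blob):
        plen = int.from_bytes(blob[i:i + 4], "big"); i += 4
        path = blob[i:i + plen].decode(); i += plen
        dlen = int.from_bytes(blob[i:i + 4], "big"); i += 4
        entries.append((path, blob[i:i + dlen])); i += dlen
    return entries

def make_narinfo(store_path, url, blob):
    """Simplified narinfo; in Guix the canonical fields (not the URL) are signed."""
    return {"StorePath": store_path, "URL": url, "NarHash": hashlib.sha256(blob).hexdigest()}

def safe_member_path(root, member):
    """Hardened join: refuse absolute paths and '', '.', '..' components."""
    if posixpath.isabs(member) or any(c in ("", ".", "..") for c in member.split("/")):
        raise SubstituteError(f"unsafe archive path: {member!r}")
    return posixpath.join(root, member)

def install_substitute(requested_path, narinfo, fetch, store):
    """Safe order: (1) narinfo must name the requested store path, (2) download
    the WHOLE archive, (3) check its hash against the signed narinfo, (4) only
    then unpack, validating every member path before writing. `store` is a dict."""
    if narinfo["StorePath"] != requested_path:
        raise SubstituteError("narinfo describes a different store path")
    blob = fetch(narinfo["URL"])  # complete download; nothing unpacked yet
    if hashlib.sha256(blob).hexdigest() != narinfo["NarHash"]:
        raise SubstituteError("archive hash does not match the signed narinfo")
    # Validate every path first so a bad entry cannot leave a partial extraction.
    targets = [(safe_member_path(requested_path, m), d) for m, d in decode_toy_archive(blob)]
    store.update(targets)
    return sorted(store)

# Constructed sample: a legitimate substitute for one store path.
SAMPLE_PATH = "/gnu/store/0000-hello-1.0"
SAMPLE_BLOB = encode_toy_archive([("bin/hello", b"#!/bin/sh\necho hi\n")])
SAMPLE_NARINFO = make_narinfo(SAMPLE_PATH, "https://substitutes.example/hello", SAMPLE_BLOB)
```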

