• Bug#1108318: Informal Guix 1.4.0 branch and security fixes?

    From Vagrant Cascadian@21:1/5 to Kurt Kremitzki on Mon Jul 28 05:30:01 2025
    On 2025-07-27, Kurt Kremitzki wrote:
    I am also a Debian Developer, and I'd really like to try to get this taken care of in time if possible--without getting into my whole spiel, I think being able to support usage of Guix as it is at any given time (rather than HEAD-only) is important.

    Great!


    However, when I try to do a minimal reproduction of the vuln in a Debian VM, doing e.g. the following, it doesn't work:

    ```
    root@guix-test:~# apt install -y guix wget
    root@guix-test:~# wget <path to a copy of the test file provided in the announcement blog post>
    root@guix-test:~# guix repl -- abstract-socket-vuln-check.scm
    substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
    substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
    building path(s) `/gnu/store/afq3lfzpfqsw81shkqd91nw9f2dcrk7w-check-abstract-socket-hole'
    Backtrace:
    2 (primitive-load "/gnu/store/hk4k2na16b09qnws9zhi8h8zcm3?")
    In ice-9/eval.scm:
    619:8 1 (_ #(#<directory (guile-user) 7ffff6fddc80> #<input-o?>))
    In unknown file:
    0 (connect #<input-output: socket 6> 1 "\x00-6886d98b-3581")

    ERROR: In procedure connect:
    string contains #\nul character: "\x00-6886d98b-3581"
    builder for `/gnu/store/24cy6ikj447s8srqv42gfigsd0lf90zs-check-abstract-socket-hole.drv' failed with exit code 1
    Abstract Unix-domain socket hole is CLOSED, build failed with "build of `/gnu/store/24cy6ikj447s8srqv42gfigsd0lf90zs-check-abstract-socket-hole.drv' failed".
    ```

    I did see positive results for this check on Guix System VMs, so it's not clear to me why this check is showing closed, instead of open.

    I'd like to help with the backporting effort as well, but I can't really validate the effectiveness of any fix at this point.

    Is this happening to anyone else?

    Is it possible that the security vulnerability was introduced after
    1.4.0 ... And not introduced in the security patches currently included
    in Debian? Or running under systemd somehow makes the reproducer or vulnerability fail to work... or something else entirely?

    I honestly (foolishly, in retrospect) had not evaluated these
    possibilities... Partly, because I had thought it was also present in
    Nix...

    I've CCed the bug in Debian tracking this issue...

    live well,
    vagrant
