Four vulnerabilities in Guix: remote privilege escalation via substitute download

Seven stable kernels out, Guix has remote privilege escalation, and Claude Opus 4.8 is inventing tool-call fields. Odd weekend.

// SECURITY FOCUS

Four vulnerabilities in Guix: remote privilege escalation via substitute download

The `guix substitute` path is exploitable during any binary substitute download – meaning any managed Guix system pulling updates is a potential target, not just ones doing something unusual. The `guix pull` and `guix time-machine` vectors add a separate local sensitive-file disclosure path. Fleets running Guix for reproducible build infra or CI are the most exposed; the trigger is routine, not adversarial-input-dependent.

What to do: Update guix immediately and audit any hosts where `guix substitute` or `guix pull` runs unattended.

  1. Seven stable kernels released, including two security fixes — LWN.net · Jul 4
    Greg Kroah-Hartman released seven stable kernels – 6.12.95, 6.6.144, 6.1.177, 5.15.211, 5.10.260, 6.18.38, and 7.1.3 – with two notable security fixes. CVE-2026-53362 patches an IPv6 flaw introduced in 6.0 that could let an attacker escape a container and gain root; CVE-2026-53359 fixes a use-after-free in KVM tracing back to 2.6.36. If you’re running any of these series, upgrade promptly – the container escape in particular is the kind of bug that gets exploited fast.
  2. Limiting negative dentries in the Linux VFS — LWN.net · Jul 3
    Miklos Szeredi led an LSFMMBPF session on negative dentry proliferation – directories with many misses accumulate unbounded cache entries that hurt both memory and lookup latency. The discussion surfaced proposals for per-directory caps and smarter reclaim, worth watching if you run workloads with high filesystem churn.
  3. Better Models: Worse Tools – Claude Opus 4.8 invents tool-call fields — Simon Willison · Jul 4
    Armin Ronacher found that Claude Opus 4.8 and Sonnet 5 hallucinate extra, invented fields when calling Pi’s custom edit tool – fields that don’t exist in the schema – causing Pi to reject the calls and retry. Older Claude models don’t show this behavior. His theory: Anthropic trained recent models via reinforcement learning to use the specific edit tool schema baked into Claude Code’s search-and-replace tool, and that training now bleeds into third-party harnesses with similar but distinct schemas. OpenAI has done the same thing with Codex’s apply_patch tool. The practical implication for anyone building coding agents on top of frontier models is that tool schemas may need to closely mirror the vendor’s own internal tooling – or you’ll be fighting model behavior that’s deliberately optimized against you.
  4. sqlite-utils 4.0rc2, ~$149 of Claude Fable work documented — Simon Willison · Jul 5
    Simon Willison used Claude Fable (the soon-to-be-paywalled model) to drive sqlite-utils from 4.0rc1 to rc2 across 34 commits and +1,321/-190 lines of changes, at an estimated $149.25 in unsubsidized API cost. The most serious find was a `delete_where()` bug that left the connection in an open transaction, silently rolling back all subsequent writes on close – a data-loss scenario Willison hadn’t hit himself. The rc2 release also breaks several behaviors: `db.execute()` writes now auto-commit, `db.query()` executes immediately rather than at first iteration, and connections created with Python 3.12’s `autocommit=True` are now rejected outright instead of silently discarding every write. Willison also ran a cross-model review pass – GPT-5.5 reviewing Fable’s work – which caught two more transaction-correctness bugs, reinforcing his current practice of having competing models audit each other’s output. Engineers using sqlite-utils 3.x who upgrade to 4.0 will hit multiple breaking changes and should read the transaction model docs before migrating.
  5. How data sovereignty is changing cloud native infrastructure design — CNCF Blog · Jul 3
    Data sovereignty isn’t a geography problem – it’s a jurisdictional one, and laws like the U.S. CLOUD Act mean a hyperscaler running servers in Frankfurt still answers to its parent company’s home government. The EU’s proposed Cloud and AI Development Act (CADA, June 2026) adds a four-tier sovereignty framework for public sector procurement, and similar requirements are spreading across Canada and other jurisdictions, covering not just data residency but operational control, supply chain transparency, and portability. The pattern emerging in production – used by national rail operators, banks, and telecoms – stacks Kubernetes as the policy enforcement layer, OpenStack (Ironic, Keystone, Neutron, Ceph) as the self-hosted infrastructure foundation with no mandatory external dependencies, and GitOps for auditable multi-cluster operations across jurisdictions. Admission controllers and tools like OPA/Gatekeeper or Kyverno encode jurisdictional rules directly into the cluster, turning sovereignty from a periodic compliance audit into continuous automated enforcement. The article is CNCF-published and leans on VEXXHOST’s open-source stack, so treat the framing as advocacy for that architecture – but the regulatory pressure it describes is real.

// In other news

ai

  • Building a World Map with only 500 bytes (Simon Willison) · Jul 4 — Codex-assisted code golf produced a 500-byte world map renderer – a concrete example of AI helping with constrained optimization tasks, though the human still drove the problem framing.
  • Open Source AI Gap Map (Simon Willison) · Jul 3 — Current AI’s Gap Map visualizes which parts of the AI stack lack credible open-source alternatives – useful for teams assessing dependency risk on proprietary model providers.

linux

web

  • Bringing Flare back to Laravel 10 and PHP 8.1 (Spatie) · Jul 3 — Spatie restored Flare compatibility with Laravel 10 and PHP 8.1 after dropping it, relevant for teams that can’t yet migrate to Laravel 11 and need error tracking support.
  • Bug Scrub Schedule for WordPress 7.1 (Make WordPress Core) · Jul 3 — WordPress 7.1 bug scrub schedule is published ahead of the August 19 release – bookmark this if you maintain plugins or themes and want to catch regressions before stable ships.

Patch your Guix hosts first, then read about negative dentries over coffee.

Leave a comment