Vulnerability in the GNU Guix package manager

A vulnerability (CVE-2019-18192) has been identified in the GNU Guix package manager that allows code to be executed in the context of another user. The problem affects multi-user Guix configurations and is caused by incorrect access permissions on the system directory that holds user profiles.

By default, the ~/.guix-profile user profiles are symbolic links to the /var/guix/profiles/per-user/$USER directory. The problem is that the permissions on the /var/guix/profiles/per-user/ directory allow any user to create new subdirectories. An attacker can create the directory for another user who has not yet logged in and arrange for the attacker's code to run: /var/guix/profiles/per-user/$USER is present in the PATH variable, so executable files the attacker places in this directory will be executed in the victim's process instead of system binaries.
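An administrator can check a multi-user installation for the condition described above with the following added example, which is not code from the original article or from the Guix project. It assumes each entry under per-user/ is named after the account that should own it; the function name `audit_per_user_dir` is made up for this example.

```shell
#!/bin/sh
# Audit a Guix per-user profile directory for the CVE-2019-18192 condition.
# Prints one finding per line; returns 0 when clean, 1 when something is
# flagged, 2 when the directory does not exist.
audit_per_user_dir() {
    dir=${1:-/var/guix/profiles/per-user}
    status=0

    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir is not a directory"
        return 2
    fi

    # A write bit for "other" lets any local user create per-user/<name>
    # before <name> has logged in. The sticky bit does not prevent creation.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
        echo "WORLD-WRITABLE: $dir"
        status=1
    fi

    # Assumption: each entry is named after the account that should own it.
    # An entry owned by anyone else may have been pre-created by another user.
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        owner=$(ls -ld "$entry" | awk '{print $3}')
        if [ "$owner" != "$name" ]; then
            echo "OWNER-MISMATCH: $entry is owned by $owner, expected $name"
            status=1
        fi
    done
    return $status
}
```

Calling `audit_per_user_dir` with no argument checks the default path from the article; a directory argument lets it run against a copy or a chroot.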

Source: opennet.ru
