Security pre-disclosure:

A critical security advisory for #Nix and #Lix (and #Guix) will be published tomorrow at 14:00 UTC.

If you're building untrusted derivations, you must upgrade to ensure your systems remain secure.

Lix versions 2.91, 2.92, 2.93, and main will receive upgrades on all known channels to Lix. Lix 2.90 WILL NOT receive upgrades.

More details are available in the pre-disclosure post:
https://discourse.nixos.org/t/pre-disclosure-announcement-security-advisory-for-nix-and-lix-on-june-24-2025/65831

Please stay alert for the full announcement tomorrow at 14:00 UTC.

Pre-disclosure announcement: Security Advisory for Nix and Lix on June 24, 2025

Hello everyone,

This post is a pre-disclosure announcement for upcoming security releases of Nix and Lix. The Snyk Security Labs team has identified and reported the vulnerabilities that will be fixed by these releases.

Disclosure and Release Details

- Release Date: June 24, 2025 at 14:00 UTC
- Both Nix and Lix are affected
- Branch releases that will receive the fixes:
  - Nix: 2.24, 2.26, 2.28 and 2.29
  - Lix: 2.91, 2.92 and 2.93
- All systems building untrusted derivations are impacted.
- Both Linux a...


Lix releases are now out, please upgrade. A detailed writeup about the issue and the mitigations is at https://lix.systems/blog/2025-06-24-lix-cves/, scroll a bit down for instructions on how to protect yourselves.

See also the Discourse announcement post at https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017, which also links to the various Nixpkgs PRs for those that use Lix from Nixpkgs.

#Nix #Lix

Fixes for five Lix CVEs

Security researchers have found five security issues in Lix. These issues were assigned CVE numbers:

- CVE-2025-46415
- CVE-2025-46416
- CVE-2025-52991
- CVE-2025-52992
- CVE-2025-52993

We have released updates to Lix 2.


@lix_project Thank you for fixing these!

When I try to upgrade, I get a strange error:

```
$ nix run 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.93.1' -- upgrade-nix
error: directory '/nix/store/0vn9444lszwlxrg98krrpyfdl4hgdzy6-lix-2.93.0/bin' does not have a compatible profile manifest; was it created by Nix?
```

I get the same error when running the `curl | sh` installation.

Do you have a remedy?

@samir @lix_project How did you originally install Lix? And can you post the output of `which -a nix`?

@Qyriad @lix_project Oh, good questions, thanks for asking.

I installed it with:

```
curl -sSf -L https://install.lix.systems/lix | sh -s -- install
```

And `which -a nix` resolves to:

```
/nix/store/0vn9444lszwlxrg98krrpyfdl4hgdzy6-lix-2.93.0/bin/nix
```

`nix upgrade-nix` and `nix run 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.93.1' -- upgrade-nix` give me the same error.

@lix_project @samir your PATH points directly to a Nix store path and not to any /nix/var/nix profile or anything? That's unusual. Do you know how that /nix/store/0vn… path gets into your shell's PATH?

@Qyriad @lix_project OMG, that was it! Thank you for figuring it out, and sorry for taking up your time.

I am using nushell, and calling `path expand` on everything in my $PATH to expand `~`:

https://codeberg.org/ooble/fygm/src/commit/a91872dc248c451c043775094679660e8090beb5/dotfiles/nushell/config.nu#L36

But that also expands symlinks, so the default profile was being expanded to /nix/store/…-lix-…/bin.

Adding `--no-symlink` fixed it.
