Nix security advisory: Privilege escalation via symlink following during FOD output registration

Summary: Nix daemon is vulnerable to arbitrary file overwrites as the daemon user (root on NixOS and in multi-user installations). The issue is identified as GHSA-g3g9-5vj6-r3gj with CVE assignment pending. All users allowed to submit builds to the Nix daemon (allowed-users, everyone by default) can achieve arbitrary file writes as root and subsequent privilege escalation.

Am I affected? All Nix versions since 2.21 and patch releases >=2.18.2,>=2.19.4,>=2.20.5 prior to 2.34.5, 2.33.4, 2.32.7, 2...

NixOS Discourse

@nixpkgssecuritychanges This will not affect you if you use #Lix instead

#nix #nixos

@ck @nixpkgssecuritychanges I was also wondering about that. The security advisory did not mention lix being unaffected explicitly, but

> thanking [...] for temporarily switching hydra.nixos.org builders to Lix for the duration of the embargo

in the post gave a good hint.

@dwagenk @ck @nixpkgssecuritychanges
The Discourse post does, in the section "Am I affected?":

> Lix users are not affected

And the GHSA does not have Lix in the impacted products.

@dwagenk @nixpkgssecuritychanges Yeah, it's really unfortunate how the #nix teams handled this.
Embargoing for "responsible disclosure" when a drop-in replacement which is not vulnerable is readily available and would fix the issue for everyone, but only fixing their own infra instead while leaving everyone else vulnerable, is really a poor decision and does not spark confidence in #nix leadership.

#nixos