Nix security advisory: Privilege escalation via symlink following during FOD output registration

Summary: Nix daemon is vulnerable to arbitrary file overwrites as the daemon user (root on NixOS and in multi-user installations). The issue is identified as GHSA-g3g9-5vj6-r3gj with CVE assignment pending. All users allowed to submit builds to the Nix daemon (allowed-users, everyone by default) can achieve arbitrary file writes as root and subsequent privilege escalation.

Am I affected? All Nix versions since 2.21 and patch releases >=2.18.2, >=2.19.4, >=2.20.5 prior to 2.34.5, 2.33.4, 2.32.7, 2...

NixOS Discourse

@nixpkgssecuritychanges This will not affect you if you use #Lix instead

#nix #nixos

@ck @nixpkgssecuritychanges I was also wondering about that. The security advisory did not mention lix being unaffected explicitly, but

> thanking [...] for temporarily switching hydra.nixos.org builders to Lix for the duration of the embargo

in the post gave a good hint.

@dwagenk @ck @nixpkgssecuritychanges
The Discourse post does, in the section "Am I affected?":

> Lix users are not affected

And the GHSA does not have Lix in the impacted products.