Summary

pkgs.fetchurl from nixpkgs does not verify TLS certificates when downloading content with a known hash.

This is particularly problematic when downloading content that requires authentication, as the credentials used can be leaked in case of a man-in-the-middle (MITM) attack.
Am I affected?

You are affected if you use pkgs.fetchurl from nixpkgs with the netrcPhase input set.
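As an added illustration (not part of the advisory), this is the shape of an affected fetchurl call: a download authenticated through netrcPhase. The host, path, environment variable names and hash are placeholders.

```nix
{ lib, fetchurl }:

# Affected pattern: fetchurl with netrcPhase set. Before the patches listed
# under "Patches", the download ran without TLS certificate verification
# because the output hash was known, so an on-path attacker could observe the
# netrc credentials. The fix lives in fetchurl itself, so the remedy is to use
# a nixpkgs revision that includes those patches; the expression is unchanged.
fetchurl {
  # Placeholder host and path; replace with the real private artifact.
  url = "https://artifacts.example.com/private/tool-1.0.tar.gz";

  # Placeholder hash: build once, then copy the hash Nix reports.
  hash = lib.fakeHash;

  # netrcPhase writes a curl netrc file into the build directory. The
  # credentials come from impure environment variables, which must be
  # allowlisted through netrcImpureEnvVars to reach the sandboxed build.
  netrcPhase = ''
    cat > netrc <<EOF
    machine artifacts.example.com
    login $ARTIFACTS_USER
    password $ARTIFACTS_PASSWORD
    EOF
  '';
  netrcImpureEnvVars = [ "ARTIFACTS_USER" "ARTIFACTS_PASSWORD" ];
}
```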
Patches

TLS verification is enforced when netrcPhase is set since the following patches:

- NixOS unstable: "fetchurl: enable TLS verification when credentials are used" by LeSuisse, NixOS/nixpkgs pull request #344000
- NixOS 24.05: "[Backport release-24.05] fetchurl: enable TLS verification when credentials are used" by github-actions[bot], NixOS/nixpkgs pull request #344093
Acknowledgement

This issue was spotted by @tomberek after the report of a similar vulnerability in Nix by Pierre-Etienne Meunier.