Vulnerability in Nix 2.24

There’s a vulnerability in Nix 2.24.

If you’re using the regular nix from nixpkgs (which the vast majority of users will be), you’re still on a safe version. If you recently (after August 1st) installed nix using the nix (not NixOS) installers, or are using nixVersions.git from nixpkgs, then you need to double-check. A fix is expected in version 2.24.6 which is to be released soon.

GHSA-h4vv-h3jq-v493

7 Likes

To summarize:

  • This vulnerability allows privilege escalation, so it’s serious
  • It only affects Nix 2.24.0 to 2.24.5
  • The known attack vectors are closed in Nix 2.24.6

Please excuse any delay; we will publish a post mortem once the acute situation is cleaned up.

In the meantime, if you installed or upgraded Nix recently (after 2024-08-01 and before 2024-09-10):

Lix is not affected because it was forked off Nix 2.18. The vulnerability was reported by Lix core team member @puckipedia.

Mentioned elsewhere, for reference:

20 Likes

The GitHub advisory is now public: Unsafe NAR unpacking · Advisory · NixOS/nix · GitHub

And 2.24.6 is released: Release 2.24.6 · NixOS/nix · GitHub

6 Likes

Thanks for the quick fixes now that the exploit is public.

2 Likes

I saw the remedy was about case insensitivity. I suppose case sensitive filesystems are not affected?

How so? The original explanation mentioned it was due to improper hash verification and symlink handling.

1 Like

Case-sensitivity was only one of the vectors. There is a class of similar bugs that abuse a similar mechanism of defining a symlink with an arbitrary target and then later traversing that symlink as a way to get write access as root. Other mechanisms include messing with the ordering of NAR entries and Unicode representations.

1 Like
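As an added illustration of the hardening the post above describes (this is not code from the thread, from Nix, or from the advisory): a toy unpacker over a constructed NAR-like entry list that refuses to write through any ancestor that is a symlink and rejects names that collide after case folding or Unicode normalisation. The entry tuples, the `UnsafeNarError` class and all file names are invented for the example; a real NAR is a binary stream, so only the entry sequence is modelled.

```python
import tempfile
import unicodedata
from pathlib import Path

# Constructed stand-ins for a NAR entry stream: (kind, relative path, payload).
GOOD_ENTRIES = [("dir", "bin", None), ("file", "bin/hello", b"#!/bin/sh\n")]
SYMLINK_ENTRIES = [("symlink", "lib", "/etc"), ("file", "lib/oops.conf", b"x")]  # writes through a link
CASE_ENTRIES = [("dir", "Lib", None), ("symlink", "lib", "/tmp")]  # names a case-folding fs may merge

class UnsafeNarError(Exception): pass

def canonical_key(rel):
    # Fold case and Unicode form so names the filesystem may merge are caught early.
    return unicodedata.normalize("NFC", rel).casefold()

def unpack(entries, dest):
    dest = Path(dest).resolve()
    seen = {}  # canonical key -> original name, for collision reporting
    for kind, rel, payload in entries:
        parts = Path(rel).parts
        if not parts or Path(rel).is_absolute() or ".." in parts:
            raise UnsafeNarError(f"bad entry name {rel!r}")
        key = canonical_key(rel)
        if key in seen:
            raise UnsafeNarError(f"{rel!r} collides with {seen[key]!r}")
        seen[key] = rel
        cur = dest
        for p in parts[:-1]:  # refuse to write through any symlinked ancestor
            cur = cur / p
            if cur.is_symlink() or not cur.is_dir():
                raise UnsafeNarError(f"{rel!r} traverses non-directory {p!r}")
        target = dest / rel
        if target.exists() or target.is_symlink():  # filesystem-level collision
            raise UnsafeNarError(f"{rel!r} already exists on disk")
        if kind == "dir":
            target.mkdir()
        elif kind == "file":
            target.write_bytes(payload)
        elif kind == "symlink":
            target.symlink_to(payload)  # link text is stored, never followed
        else:
            raise UnsafeNarError(f"unknown entry kind {kind!r}")
    return sorted(seen.values())

def try_unpack(entries):
    # Unpack into a fresh temp dir; return (True, names) or (False, reason).
    with tempfile.TemporaryDirectory() as d:
        try:
            return True, unpack(entries, d)
        except UnsafeNarError as e:
            return False, str(e)
```

The collision check runs before anything touches disk, so a NAR that would only be dangerous on a case-insensitive or normalising filesystem is rejected on every platform.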

Here’s the post mortem as promised:

4 Likes